
WLC 9800 Guest SSID web auth not redirecting

I have an issue with a guest SSID, where I have enabled it as an open network with web auth. Unfortunately, no matter what I do, I cannot get it to redirect to the real "redirect for-login" URL. It redirects to the default one locally on the WLC. Here's the config:

parameter-map type webauth guestportal
type webauth
redirect for-login https://FQDN/portal/
redirect portal ipv4 1.2.3.4
!

ip access-list extended Pre-Auth-ACL
1 permit tcp any host 1.2.3.4 eq 443
2 permit tcp host 1.2.3.4 eq 443 any
5 permit udp any host 1.2.3.5 eq domain
6 permit udp any host 1.2.3.6 eq domain
30 deny ip any any
!

wlan FortiGuest 5 Guesttest
ip access-group web Pre-Auth-ACL
peer-blocking drop
no security ft adaptive
no security wpa
no security wpa wpa2
no security wpa wpa2 ciphers aes
no security wpa akm dot1x
security web-auth
security web-auth authentication-list Guest-AAA-Auth
security web-auth parameter-map guestportal

 

Is there something that I am missing?

4 Replies

I do not get the "ACL plumb" part in my debug trace, and under the "Layer 3 authentication and redirection process" I get a dst other than my external web server:
2025/02/14 10:24:48.153625090 {wncd_x_R0-0}{1}: [webauth-httpd] [15400]: (info): capwap_900000b7[7209.7de5.0bb4][ x.x.x.x]Parse GET, src [x.x.x.x] dst [142.251.209.131] url [http://connectivitycheck.gstatic.com/generate_204]

Do you know what that could mean I'm missing?

http://connectivitycheck.gstatic.com/generate_204 is a URL that clients use in order to validate internet access. The redirect is done based on this access attempt.

Do you have HTTP enabled on the WLC?

Yes, ip http server and ip http secure-server are enabled on the WLC.

Under the Client -> General -> Security Information, I can see that the URL Redirect ACL is WA-v4-int-x.x.x.x (x.x.x.x is the web server IP), so something is happening, but it won't redirect to the correct webpage.
