With external web authentication, the login page used for web authentication is stored on an external web server. This is the sequence of events when a wireless client tries to access a WLAN network which has external web authentication enabled:
The client (end user) connects to the WLAN and opens a web browser and enters a URL, such as www.cisco.com.
The client sends a DNS request to a DNS server in order to resolve www.cisco.com to an IP address.
The WLC forwards the request to the DNS server which, in turn, resolves www.cisco.com to an IP address and sends a DNS reply. The controller forwards the reply to the client.
The client tries to initiate a TCP connection with the www.cisco.com IP address by sending a TCP SYN packet to that address.
The WLC has rules configured for the client and hence can act as a proxy for www.cisco.com. It sends back a TCP SYN-ACK packet to the client with the IP address of www.cisco.com as the source. The client sends back a TCP ACK packet in order to complete the three-way TCP handshake, and the TCP connection is fully established.
The client sends an HTTP GET packet destined to www.google.com. The WLC intercepts this packet and sends it for redirection handling. The HTTP application gateway prepares an HTML body and sends it back as the reply to the HTTP GET requested by the client. This HTML makes the client go to the default web page URL of the WLC, for example, http://<Virtual-Server-IP>/login.html.
The client then starts the HTTPS connection to the redirect URL, which sends it to 18.104.22.168. This is the virtual IP address of the controller. The client has to validate the server certificate, or ignore it, in order to bring up the SSL tunnel.
Because external web authentication is enabled, the WLC redirects the client to the external web server.
The external web auth login URL is appended with parameters such as the AP_Mac_Address, the client_url (www.cisco.com) and the action_URL that the client needs in order to contact the controller web server.
Note: The action_URL tells the web server that the username and password are stored on the controller. The credentials must be sent back to the controller in order to be authenticated.
The external web server URL leads the user to a login page.
The login page takes the user credentials as input and sends the request back to the action_URL of the WLC web server, for example http://22.214.171.124/login.html.
The WLC web server submits the username and password for authentication.
The WLC initiates the RADIUS server request or uses the local database on the WLC and authenticates the user.
If authentication is successful, the WLC web server either forwards the user to the configured redirect URL or to the URL the client started with, such as www.cisco.com.
If authentication fails, then the WLC web server redirects the user back to the customer login URL.
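The parameter handling in the redirect step above, as an added example that is not part of the original document or of any Cisco code: it parses the AP_Mac_Address, client_url and action_URL that the controller appends to the external login URL, and only lets the login page post credentials to an action_URL that points back at the controller's virtual IP. The virtual IP 192.0.2.1, the host webauth.example.com and the sample redirect URL are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed example values; the controller virtual IP and the external
# web server hostname are placeholders, not taken from a real deployment.
CONTROLLER_VIRTUAL_IPS = {"192.0.2.1"}   # hypothetical WLC virtual IP
SAMPLE_REDIRECT = (
    "https://webauth.example.com/login.html"
    "?AP_Mac_Address=00:11:22:33:44:55"
    "&client_url=http://www.cisco.com/"
    "&action_URL=http://192.0.2.1/login.html"
)


def parse_webauth_redirect(url):
    """Extract the parameters the WLC appends to the external login URL."""
    query = parse_qs(urlsplit(url).query)
    return {
        "ap_mac": query.get("AP_Mac_Address", [""])[0],
        "client_url": query.get("client_url", [""])[0],
        "action_url": query.get("action_URL", [""])[0],
    }


def action_url_is_trusted(action_url, virtual_ips=CONTROLLER_VIRTUAL_IPS):
    """Accept the action_URL only if it is http(s), points at a known
    controller virtual IP and uses the /login.html path, so the login
    form never posts credentials to a host named only in the query string."""
    parts = urlsplit(action_url)
    return (parts.scheme in ("http", "https")
            and parts.hostname in virtual_ips
            and parts.path == "/login.html")


def login_form_target(redirect_url, virtual_ips=CONTROLLER_VIRTUAL_IPS):
    """Return the URL the external login page should POST credentials to,
    or None when the action_URL does not lead back to the controller."""
    params = parse_webauth_redirect(redirect_url)
    if not action_url_is_trusted(params["action_url"], virtual_ips):
        return None
    return params["action_url"]
```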
Note: In order to configure external web authentication to use ports other than HTTP and HTTPS, issue this command:
(Cisco Controller) >config network web-auth-port <port>
<port>: Configures an additional port to be redirected for web authentication.