Showing results for 
Search instead for 
Did you mean: 

WLC how to Add Multiple External Web Authentication?


Is it possible to add multiple  External Web Authentication server in WLC? So that different WLAN could be mapped to different or customized page?

2 Replies 2

Saurav Lodh
Rising star
Rising star

yes, it is possible

Cisco Employee
Cisco Employee

External Web Authentication Process

With external web authentication, the login page used for web authentication is stored on an external web server. This is the sequence of events when a wireless client tries to access a WLAN network which has external web authentication enabled:

  1. The client (end user) connects to the WLAN and opens a web browser and enters a URL, such as

  2. The client sends a DNS request to a DNS server in order to resolve to IP address.

  3. The WLC forwards the request to the DNS server which, in turn, resolves to IP address and sends a DNS reply. The controller forwards the reply to the client.

  4. Client tries to initiate a TCP connection with the IP address by sending the TCP SYN packet to the IP address.

  5. The WLC has rules configured for the client and hence can act as a proxy for It sends back a TCP SYN-ACK packet to the client with source as the IP address of The client sends back a TCP ACK packet in order to complete the three way TCP handshake and the TCP connection is fully established.

  6. The client sends an HTTP GET packet destined to The WLC intercepts this packet, sends it for redirection handling. The HTTP application gateway prepares a HTML body and sends it back as the reply to the HTTP GET requested by the client. This HTML makes the client go to the default webpage URL of the WLC, for example, http://<Virtual-Server-IP>/login.html.

  7. The client then starts the HTTPS connection to the redirect URL which sends it to the This is the virtual IP address of the controller. The client has to validate the server certificate or ignore it in order to bring up the SSL tunnel.

  8. Because external web authentication is enabled, the WLC redirects the client to the external web server.

  9. The external web auth login URL is appended with parameters such as the AP_Mac_Address, the client_url ( and the action_URL that the client needs to contact the controller web server.

    Note: The action_URL tells the web server that the username and password is stored on the controller. The credentials must be sent back to the controller in order to get authenticated.

  10. The external web server URL leads the user to a login page.

  11. The login page takes user credentials input, and sends the request back to the action_URL, example, of the WLC web server.

  12. The WLC web server submits the username and password for authentication.

  13. The WLC initiates the RADIUS server request or uses the local database on the WLC and authenticates the user.

  14. If authentication is successful, the WLC web server either forwards the user to the configured redirect URL or to the URL the client started with, such as

  15. If authentication fails, then the WLC web server redirects user back to the customer login URL.

Note: In order to configure external webauthentication to use ports other than HTTP and HTTPS, issue this command:

(Cisco Controller) >config network web-auth-port 

<port>         Configures an additional port to be redirected for web authentication.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers