WLC ssid with webauth redirect gstatic generate_204

michmdjpfi · ‎11-19-2021

When trying to connect to an SSID with webauthentication, the user get following webpage (in all browsers) as show in the picture in attachment.

i read about some options:

Disabling Webauth SecureWeb but this will not encrypt management login.

Changing virtual IP

get a real certificate from 3rd party. -> works on hostname so not really needed here

what will be the best solution for this problem?

Kasun Bandara · ‎11-19-2021

Hi,

disabling secure connections for web auth portal will do the trick. but remember, recommendation is to use CA signed certificate by valid CA is the best and most secured way.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Arshad Safrulla · ‎11-20-2021

Hi,

This is a well known mechanism used by Google Chrome to verify whether the device has Internet reachability. This is not something you should worry as chrome uses this as a captive portal detection mechanism.

I would definitely change the virtual IP as this IP is publicly routed now.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213535-wlc-virtual-ip-address-1-1-1-1.html

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

michmdjpfi · ‎11-22-2021

Hi Arshad

I'll do that. The WLC are configured as HA. will there be problems if i change the virtual ip address on the primary unit? do i have to change it on both wlc?

kind regards

Sandeep Choudhary · ‎11-22-2021

yes you need to change on both WLCs.

Arshad Safrulla · ‎11-22-2021

Change it in Active WLC and then do failover

Then perform the same in the standby WLC and again do failover (make sure that the peer WLC is up and SSO state is reached by the time you initiate this failover)

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

michmdjpfi · ‎12-01-2021

Thanks for the replies guys.

I noticed it's not actually a HA setup.. both model 2504 wlc but i cheched the guide to set up HA and nothing is configured for it. I only see that both WLC are in the same mobility group. Is this kind of the same like HA? i guess the network will go down anyway when changing VIP on 1 of the wlc ?

Arshad Safrulla · ‎12-02-2021

2504 supports only N+1 HA, so you should be fine. You can do one by one. As a sanity check before the upgrade make sure that AP's are primed.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

michmdjpfi · ‎12-08-2021

Hi Arshadsaf

i changed VIP to 192.0.2.1 on both WLC and webpage still gives https://192.0.2.1/login.html?redirect=www.gstatic.com/generate_204 for most people (Edge, chrome, Firefox). 1 person did actually get the login page but with https://192.0.2.1/login.html?redirect=www.msftconnecttest.com/redirect

any idea to solve this?