Can the WLC Web Auth redirect URL point only to an ISE policy node?

Hi all

I was wondering whether the Web Auth redirect URL configured on the WLC can only point to an ISE node with the Policy persona, so that the portal (see below) on the ISE is active only when the ISE appliance has this persona active.

It is called the Policy Service persona, and the node is called a Policy Services node (PSN) (if there is no other persona set on the node).

I would say that your assumption is right. The Administration and Monitoring personas are not able to host the My Devices portal.

Tags: Cisco Security

Similar Questions

  • Guest web-auth redirect

    Hi guys,

    I'm having some problems with getting the web-auth redirection to work properly.

    Basically, I set up an SSID with Layer 3 authentication, and the client gets its IP via DHCP; the DHCP server is configured on a Win 2008 Server (192.168.10.18).

    After the client connects to the wireless network with web authentication, it gets a valid IP address, but when I open a web browser and try to access www.google.com, it does not redirect me to the authentication web page requesting my credentials.

    I did an "ipconfig/all" on the client and found that I have the correct gateway and the DNS server IP address is 192.168.10.18. On the DNS server, I also have an entry called 'wlc2112' that points to the IP of another 2112 WLC with 1.1.1.1. If I type "http:wlc2112" in the browser, then I get redirected to the correct web auth page, with https://wlc2125.wirelessdomain.local/login.html?redirect=wlc2112 in the URL, and am asked for credentials. The wlc2125 is another entry that I configured in the DNS as well; it is also the WLC on which I configured the SSID for web authentication.

    If I type the IP address of the WLC in the URL, I am also redirected to the web auth page.

    It seems to me that if we type something which cannot be resolved by the DNS server (192.168.10.18), then the redirect page fails, so I just want to ask whether this is expected behavior or there is something I have to do with the configuration. I think I missed something here, as in the config example on the Cisco web site, they used google.com as an example and it worked correctly.

    any comments would be much appreciated, thanks in advance for your time and your help.

    Andy,

    This is the expected behavior. If the URL cannot be resolved, the WLC won't show the login screen. The DNS query is required by the WLC, and if it does not get a valid reply, you see what you see.

    See you soon,
    Steve

    --

    If this helps you or answers your question, please mark it as 'responded' or rate it, so other users can easily find it.

  • Urgent - NAC + ACS + Web-Auth in Wired environment - https redirection - certificate problem

    Hello world.

    I'm setting up an environment that uses Web-Auth for my wired and wireless networks. I followed the exact steps in this Cisco page to get it running:

    http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html

    I'm only testing the wired environment right now.

    I plug a PC into a port, and I try to access a random Web page (for example, www.cisco.com). It is automatically redirected to the authentication page. I type the user name and password, but when authentication is successful, it goes automatically to the https version of the page, which brings me to the problem. I have to add an exception (the "more on this option" link on the IE Web page) for this page to continue with the authentication and gain access to the internet. I enclose the steps I must perform:

    I think that it is linked to the certificate, but I'm not sure which or where. I would like to get some advice from you to avoid this problem. I have no intention of buying any certificates, so if I could skip the https that would be great.

    Thanks a lot for your help

    Victor Alves

    If you don't want an official cert, you must go to http only. But this means that people's passwords will transit in the clear on the network.

    It's been a long time since I tried, but doesn't removing 'ip http-server secure' do the trick?

  • new redirect URL of ISE 1.3 for WLC (Webauth external URL)

    Hello

    Could someone tell me the URL of ISE 1.3 for WLC?

    ISE1.2 was:

    https://ISE-1.Cisco.local:8443/guestportal/login.action

    Yes, the structure has been changed since version 1.2, and I didn't bother to work it out since there is now a 'Portal test URL' button. Have you tried it? Or do you still need to be able to manually browse for it?

    If you still need to find it manually, then you can use the test button to get the URL and then save it :)

    Thank you for rating useful posts!

  • Activate the Session Timeout - guest web-auth

    Hi all

    Just a quick one. If this timeout expires when you use web-auth on a guest WLAN in the following way

    PC - AP - WLC (campus) - anchor WLC (DMZ) - www

    does the web session drop, and will the user be redirected to the authentication web page?

    Thx a lot indeed.

    Ken

    The lobby ambassador may specify the time during which the guest user accounts remain active. Once the deadline has passed, the guest user accounts expire automatically.

    For a more detailed description, the following guide to managing user accounts may help you:

    http://www.Cisco.com/en/us/docs/wireless/controller/5.0/Configuration/Guide/c5users.html#wp1048408

  • Active Directory users are authenticated by web-auth (web-auth has only LOCAL users)

    Hello

    I have a WLC model 4404 with software version 4.2.205.0.
    I have 2 SSIDs: Wireless and Guests
    -Wireless: using [WPA + WPA2] [Auth (802.1X)]
    -Guests: using Web-Auth

    On the Guests SSID (WLAN -> Edit -> AAA security servers) I do not have any server enabled (the option is set to none and not activated).

    I do not understand that the request for authentication is attempted ONLY locally to the WLC but not in the ACS (ACS has been configured in security-> RADIUS-> authentication).

    When a user enters on the web authentication page the username and password of the Wireless SSID (users who need to be authenticated in Active Directory via ACS), they are authenticated.

    I need to change this behavior.

    There are a few options depending on what code you are running.

    In 6.0 and higher, there is an option in the WLAN directly: select only LOCAL.

    In 5.2 and below, under RADIUS authentication servers, uncheck the Network User box. This check box allows the WLC to use the servers globally, which means that if a server is not specifically defined under the WLAN, it can / will still be used.

  • WLAN controller WEB AUTH: when is the session re-checked after initial authentication?

    I intend to use Web authentication (with an external server) on a Cisco WLAN controller.

    Unfortunately, I do not have one with which I can experiment, and I cannot find the following information in the documentation.

    Once a user authenticates successfully the first time, when is authentication performed again?

    Is this periodic? Or maybe specified in the Access-Accept message?

    Thanks for your help.

    I do not think that anything is done in the background / transparently when the session timeout occurs.

    If RADIUS sends you a Session Timeout of 30 minutes, then after 30 minutes the WLC puts the client in a Web Auth required state again. In which case, they will have to open the Internet browser and send the credentials again (manual process).

    The session timeout is a hard stop to force re-authentication...

    The access-request/access-accept (as far as I know) is only for full authentication.

  • ISE web auth for a non-Cisco switch (D-link 3528)

    Is it possible to use ISE (inline posture node) to redirect wired users to the ISE guest portal?

    And wired users will get full network access after they pass the web auth.

    Hello

    Theoretically, it could work if the switch is able to send all the attributes in accounting packets, such as the IP address and the MAC address as the calling station id. If the attributes are missing or incorrect, the ISE iPEP will never create the session (see show pep session table).

    That said, this has probably never been tested, so you may want to reconsider your design; there is no guarantee that this will work.

  • Web Auth customization (data type icon download?)

    I recently installed a 7.5 WLC and began a basic Web Auth customization. I did my usual CLI commands to download my image when I discovered a new option, transfer download datatype icon. I tried to download a small picture to see what it would change, and I don't see anything in particular. Does anybody know what it changes? (No, it has not changed Cisco logos anywhere in the graphical interface, at least that I could see)

    (Cisco Controller) > transfer download datatype?

    code download an executable image on the system.
    config download Configuration file.
    eapcacert download a certificate from CA eap on the system.
    eapdevcert download a certificate of dev eap on the system.
    icon download an executable image on the system.
    image upload a logo on the web page on the system.
    ipseccacert download an IPSec certificate for the system.
    ipsecdevcert download a certificate of dev IPSec for the system.
    Login-banner download controller login banner. (Text only file supported: Max 1500 bytes & 18 lines, printable characters not unsupported)
    signature download a signature for the system file.
    webadmincert download a certificate of web directors on the system.
    webauthbundle download a package webauth customized for the system.
    webauthcert download a certificate web portal on the system.

    Hey Robinson,

    Sorry for the delay...

    transfer download datatype icon

    is the new command introduced on the WLC, specifically for the Mobile Concierge we have... it has more to do with the Generic Advertisement Service of 802.11u; please visit

    http://en.Wikipedia.org/wiki/IEEE_802.11U

    This is to load the icon for GAS on the WLC and has nothing to do with the webauth login/logout pages...

    We will ensure this is properly documented in the Cisco guides...

    Please let me know if that answers your question

    Regards

    Surendra

  • Registration of ISE1.2 MAC after LDAP web-auth

    We are faced with a situation where we just need to do a simple one-time registration of the MAC address after a person authenticates successfully through web-auth using LDAP.

    It is very similar to guest authentication, but I do not know how to customize another portal for this group of users so that I do not affect the current guest portal. Is there a better way?

    I am considering the following sequence:

    1. The user tries to connect to wireless for the first time and is redirected to a web page to enter the LDAP credentials.

    2. The user authenticates successfully with the credentials and ISE adds the MAC address to an endpoint group "VALID ENDPOINT".

    3. The next time that the user tries to access wireless, they are connected seamlessly, but what happens is that ISE sees their MAC in the group "Endpoint INVALID" and MABs them onto the network.

    It looks a lot like the configuration of the guest portal, but I don't know how to tell it to register the MAC with an endpoint group.

    Thanks in advance,

    Mike

    You can register the device with its MAC address via the device registration portal and it will be added to the endpoint group "registereddevice".

  • 5508 loading cert for web auth

    I have web auth enabled on the WLC, so when clients connect, they get a cert error because it uses a self-signed cert. I was reading up on obtaining a third-party cert and it says to get openssl and then generate the cert and send it to a third-party CA etc.

    Any links that you can share would be very useful, explaining best practices and how to load a third-party cert on the WLC 5508 for web authentication.

    Why can't we just get a cert from them for our domain and simply load it on the WLC?

    Hi Mohammed,

    Here are the two links that are like the bible to generate certificates...

    http://www.Cisco.com/en/us/products/ps6366/products_configuration_example09186a0080a77592.shtml

    http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

    It depends on whether you use a chained or unchained cert... Following the links above will help you to get the problem resolved!

    Let me know if this answers your question!

    Regards

    Surendra

  • Invalid Web site URL

    We have WebCenter Content as well as Imaging. At one point, we had SSL enabled and then disabled it later. The problem we are facing is that the generated web URL continues to use SSL [HTTPS rather than HTTP] and the PORT is also missing. This only happens for Imaging content. Other WebCenter content generates the correct URL.

    for example

    WebCenter Content Host:Port: http://wccdev:16200/cs

    Imaging Host:Port: http://wccdev:16000/Imaging

    Content checked in to WebCenter Content generates the correct web URL [Protocol: HTTP, Port: 16200]

    http://wccdev:16200/CS/groups/hremployee/documents/document/zgv2/mdaz/~Edisp/dev003895.PDF

    But content checked in to Imaging generates the following web URL [Protocol: HTTPS, Port: 443]

    https://wccdev/Imaging/faces/pages/UrlTools.JSPX?toolname=AWVWR&documentID=13.IPM_004146

    Instead of [Protocol: HTTP, Port: 16000]

    http://wccdev:16000/Imaging/faces/pages/UrlTools.JSPX?toolname=AWVWR&documentID=13.IPM_004146

    We have SSL disabled for the Content and Imaging servers in the WebLogic Console.

    Thanks for any information you can provide

    SID

    I could solve this problem. I found the solution in My Oracle Support Doc ID 1474536.1

    Solution

    1. go to the > / ucm/cs/data/ipmsys/apps folder.

    2. open the .hda that has a problem with the web URL.

    4. There is a parameter called ViewerURLFormat; check whether the format of the URL is as expected. If this is not the case, change the URL to match this format:

    http://:/imaging/faces/Pages/UrlTools.jspx? ToolName =& DocumentId = %s

    5. save the changes and restart the two managed servers (Content and Imaging). The change should be reflected in documents that are uploaded again in the Imaging application.

  • Help Web site URL?

    First of all, my apologies if this question is as lame as it seems!

    When my project is published and accessed via the web, the URL displayed in the address bar is always the start page, whichever page I navigated to in the project. It is therefore difficult to send a specific URL to a user in the form of: "Please see http://Product1 \SecondChapter\ThirdTopic".

    For now, I need to get to the page, go to the directory of the project and find where the file is physically located, and then use this physical directory to build a URL for the user.

    I tried different table of contents options (DHTML, JAVA, pure HTML) and they all have the same behavior. Is there an easier way to point to specific topics within a web help project? I must be missing something obvious!

    Thank you!
    Keith

    My apologies if I misread your post - I was rushing.

    Right-click in the frame that displays the topic (not the table of contents), then click 'Properties'. The URL should be in the Properties dialog box that appears.

    Lucas

  • How to generate CSR on switches for web auth with NGS

    Hello

    I am doing a dot1x solution with web auth on Cisco 3750 switches.

    Once the wired client is put in the web authentication state (after dot1x and MAB) and goes to a website, it receives a certificate warning. This is because the Cisco switch uses a self-signed certificate.

    I want to use a Verisign certificate to resolve this error, but I can't find a way to generate a CSR on a switch. I only found a guide on how to request a certificate from a CA on the local network, but that is also not a solution, because the clients using web authentication won't trust the internal certification authority.

    Is it possible to fix this?

    Greetings

    Steven

    Hi Steven,

    The document below is really for IOS SSLVPN, but the part of the certificate must be the same:

    http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html

    Search for 'Annex B'; it goes into the creation of a trustpoint, and then there is one section for self-signed certificates and another for generating a certificate request to send to an external certification authority.

    Once a trustpoint is created, the command to actually generate the CSR is "crypto pki enroll".

    This document goes into a bit more detail on the individual commands and what they do:

    http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html

    Also, you can use something external to the switch, such as OpenSSL, to generate the CSR and private key, then use it to request a certificate from your Verisign CA, and then import the cert/key pair into the IOS device.

    Thank you

    Nate
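
The off-box route Nate describes, generating the private key and CSR with OpenSSL (also the first step mentioned in the WLC 5508 certificate question above), shown as an added example that is not part of the original thread. The FQDN `webauth.example.test` and the output directory are constructed placeholders, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
# Added example: create a web-auth private key and CSR off-box, then verify
# them before anything is sent to the CA. Names are constructed placeholders.

make_webauth_csr() {
    local fqdn="$1" outdir="$2"
    local key="$outdir/$fqdn.key" csr="$outdir/$fqdn.csr"

    # The issued certificate only matches the key that produced the CSR,
    # so never silently replace an existing key.
    if [ -e "$key" ]; then
        echo "refusing to overwrite $key" >&2
        return 1
    fi
    mkdir -p "$outdir" || return 1

    # umask 077 in a subshell: the key file is never group/world readable.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$key" -out "$csr" \
          -subj "/CN=$fqdn" \
          -addext "subjectAltName=DNS:$fqdn" 2>/dev/null ) || return 1

    check_webauth_csr "$fqdn" "$key" "$csr"
}

check_webauth_csr() {
    local fqdn="$1" key="$2" csr="$3"

    # 1. The CSR's self-signature verifies (it was not truncated or altered).
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 2

    # 2. The CSR carries the public half of this private key.
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] || return 3

    # 3. The portal name is in subjectAltName; browsers ignore a CN-only name.
    openssl req -in "$csr" -noout -text | grep -q "DNS:$fqdn" || return 4

    # 4. The private key is readable by its owner only.
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] || return 5
}

# Usage: make_webauth_csr webauth.example.test ./webauth-pki
```

The FQDN in the CSR has to be the name clients are actually redirected to, and the private key stays on the host that generated it until it is imported together with the issued certificate.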

  • How to change Service Auth URL on Adobe Edge server?

    Hi, we had to change the URL for 'Service url' and 'Service auth url' in the DPS App Builder configuration. We made this change a few days ago and we have created new versions of our applications, but the apps still do not allow us to log in. We have tried to watch the communication between the applications and our service, and it seems that even Adobe's servers call the old URL. How can we update the information on the Adobe Edge server about the new auth URL?

    Sebastian

    Hi Sebastian,

    Please note that the integratorID is the first parameter that is taken into consideration when the communication is done with your set up Direct payment.

    So, as long as the integratorID has your old server path, these values will always be present.

    The URL of the Service and the Service AuthURL are checked only if the integratorID check fails, then as a backup of these two values are being verified.

    You will need to get in touch with the support team if you want to update the URL for the integratorID.

    Thank you

    Andrei
