Wireless LAN Controller Web Authentication

Configuration Example
Document ID: 69340

Introduction
Prerequisites
Requirements
Components Used
Conventions
Background Information
Configure the Controller for Web Authentication
Create a VLAN Interface
Add a WLAN Instance
Reboot the WLC
Two Ways to Authenticate Users in Web Authentication
Set Up ACS
Verify ACS
Troubleshoot ACS
Set Up the Controller for Use with a RADIUS Server
Configure Your Windows Machine to Use Web Authentication
Client Configuration
Client Login
Configure Web Passthrough in the WLC
Verify Internal Web Authentication
Troubleshoot
NetPro Discussion Forums − Featured Conversations
Related Information

Introduction
This document shows you how to configure a Cisco 4000 Series Wireless LAN (WLAN) Controller (WLC) to
support a web authentication client.

Prerequisites
Requirements
This document assumes that you already have an initial configuration on the 4000 WLC.

Components Used
The information in this document is based on these software and hardware versions:

• A 4012 WLC that runs 3.1.59.24 code

• Wireless Access Control Server (ACS) on Microsoft Windows 2000 Server
• Cisco Aironet 1000 Series

Cisco − Wireless LAN Controller Web Authentication Configuration Example

The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.

Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Information
Web authentication is typically used by customers who want to deploy a guest−access network. In a
guest−access network, there is initial user name and password authentication, but security is not required for
the subsequent traffic. Typical deployments can include "hot spot" locations such as T−Mobile or Starbucks.

Web authentication for the Cisco WLC is done locally. You create an interface and then associate a
WLAN/service set identifier (SSID) with that interface.

Web authentication provides simple authentication without a supplicant or client. Keep in mind that web
authentication does not provide data encryption. Web authentication is typically used as simple guest access
for either a "hot spot" or campus atmosphere where the only concern is the connectivity.

The configuration in this document provides an open connection to a user that requires a name/password
security exchange. In order to provide that support, you must create a new WLAN interface that provides a
WLAN/SSID for the web authentication clients to use. If you have not created a VLAN interface that allows
web authentication, you can either use the management interface or create a new VLAN interface. The
Configure the Controller for Web Authentication section of this document provides the procedure to create a
new VLAN interface.

Configure the Controller for Web Authentication

In this section, you are presented with the information to configure the controller for web authentication.

Create a VLAN Interface

Complete these steps:

1. In the main Controller window, choose Controller from the menu at the top, choose Interfaces from
the menu on the left, and click New on the upper right side of the window.

The window in Figure 1 appears. This example uses Interface Name vlan90 with a VLAN ID of 90:

Figure 1

Cisco − Wireless LAN Controller Web Authentication Configuration Example

 2. Click Apply in order to create the VLAN interface.

A new window appears that asks you to fill in some information.

3. Add these parameters to the VLAN interface:

♦ IP Address90.90.90.22
♦ Netmask¢55.255.255.0 (24 bits)
♦ Gateway90.90.90.1
♦ Port Number¡
♦ Primary DHCP Server¡0.9.4.10

Note: This parameter should be the IP address of your RADIUS or DHCP server.
♦ Secondary DHCP Server .0.0.0

Note: The example does not have a secondary DHCP server, so uses 0.0.0.0. If your
configuration has a secondary DHCP server, add the server IP address in this field.
♦ ACL NameNone
Figure 2 shows these parameters:

Figure 2

4. Click Apply in order to save the changes.

Cisco − Wireless LAN Controller Web Authentication Configuration Example

Add a WLAN Instance
Now that you have a VLAN interface that is dedicated for web authentication, you must provide a new
WLAN WLAN/SSID in order to support the web authentication users. You can set up the WLAN/SSID with
a previously configured VLAN or management interface. Or, if no interface has been created, you must create
a WLAN interface.

Complete these steps:

1. Open the WLC browser, click WLAN in the menu at the top, and click New on the upper right side.

Figure 3 shows the WLAN ID that you need to create and the WLAN that is associated with the web
authentication. This example uses VLAN ID 1 and WLAN SSID webauth. You can use whatever
WLAN you choose.

Figure 3

2. Supply the information that this window requires and click Apply in order to save the new interface.

A new WLAN Edit window appears, as Figure 4 shows.

Figure 4

Cisco − Wireless LAN Controller Web Authentication Configuration Example

 3. Complete these steps in order to select the parameters in this window:

Note: Leave the default value for any parameter that this procedure does not explicitly mention.

a. For Interface Name, select from the menu the name of the VLAN interface that you created.

In this example, the Interface Name is vlan90.

b. Set the Layer 2 Security appropriately for this type of subscriber.

Here, the security is set to None.

c. In the Layer 3 Security area, be sure that the Web Policy check box is checked.

Note: This is a different window in code that is earlier than 3.0.

d. Be sure that Authentication is selected (and not Passthrough).
e. Click Apply in order to save the new interface to the running configuration on the WLAN
switch.
f. Review the WLAN Summary window to be sure that the WLAN/SSID (in this case,
web−auth) is enabled.

You return to the WLAN window. In this case, the window shows that web−auth is enabled
in the Security Policies column of the VLAN table.

Reboot the WLC

You must reboot the WLC because one or more of the WLAN changes cannot be made while the system is
active. The changes must be made before or during the boot. Complete these steps in order to reboot the
WLC:

1. In the main Controller window, choose Commands in the menu at the top.
2. In the new window, choose Reboot in the menu on the left.

You are prompted to save and reboot if there are unsaved changes in your configuration.
3. Click Save and Reboot in order to save the configuration and reboot the switch.
4. Monitor your system reboot from the console connection.

When the WLC is up, you can create your web authentication subscriber.

Cisco − Wireless LAN Controller Web Authentication Configuration Example

Two Ways to Authenticate Users in Web Authentication
There are two ways to authenticate when you use web authentication. Local authentication allows you to
authenticate the user in the Cisco WLC. You can also use wireless ACS/RADIUS in order to authenticate
your users. In order to configure local authentication within the WLC, complete these steps:

Local Authentication

Local authentication allows the local authentication of the user to the WLC. You must create a Local Net User
and define a password for web authentication client login.

1. Choose Security in the menu at the top in order to go to the Security window on your WLC.
2. Choose Local Net Users from the AAA menu on the left.

Figure 5 provides an example:

Figure 5

3. Click New on the upper left side in order to create a new user.

A new window displays that asks for user name and password information.
4. In order to create a new user, provide the User Name and Password, and confirm the password that
you want to use.

This example creates the user karjames.

5. Verify that you have assigned the correct WLAN ID.

In this example, the VLAN ID is 1. This ID is the ID that you created when you created the
WLAN/SSID in the Add a WLAN Instance section of this document.
6. Add a description, if you choose.

This example uses Web Auth.

7. Click Apply in order to save the new user configuration.

Figure 6 provides the example parameters:

Figure 6

Cisco − Wireless LAN Controller Web Authentication Configuration Example

RADIUS Server for Web Authentication

This document uses a wireless ACS on Windows 2000 Server as the RADIUS server. You can use any
available RADIUS server that you currently deploy in your network.

Note: You can set up ACS on either Windows NT or Windows 2000 Server. In order to download ACS from
Cisco.com, refer to Software Center (Downloads) − Cisco Secure Software ( registered customers only) . You need
a Cisco web account in order to download the software.

When web authentication is done through a RADIUS server, the first query for authentication is attempted
locally at the WLC. If there is no response at the WLC, the second query goes out to a RADIUS server. The
Set Up ACS section shows you how to configure ACS for RADIUS. You must have a fully functional
network with a Domain Name System (DNS) and a RADIUS server.

Set Up ACS
In this section, you are presented with the information to set up ACS for RADIUS.

Set up ACS on your server, and then complete these steps in order to create a user for authentication:

1. When ACS asks if you want to open ACS in a browser window to configure, click yes.

Note: After you set up ACS, you also have an icon on your desktop.
2. In the menu on the left, click User Setup.

This action takes you to User Setup.

3. Enter the user that you want to use for web authentication, and click Add.

After the user is created, a second window opens.

4. Be sure that the user is set as enabled.
5. Be sure that the Password Authentication is Cisco Secure Database.
6. Provide the password twice.
7. After the user is created, be sure that you have chosen RADIUS Cisco Aironet as the type of service.

Note: TACACS+ is the default.

Cisco − Wireless LAN Controller Web Authentication Configuration Example

 Note: The user names and passwords in the ACS should be the same as the ones that you configured
in the WLC.

Verify ACS
In order to verify that you have set up ACS correctly, click Network Configuration on the left panel of the
ACS. Figure 7 is an example of what you see:

Figure 7

Troubleshoot ACS
When you set up ACS, remember to download all the current patches and latest code. This should solve
impending issues. Be sure that the users that you have created show up under Network Configurations. And,
when you choose User Setup, verify again that your users actually exist. Click List All Users in order to
verify the list of users.

If you have issues with password authentication, click Reports and Activity on the lower left side of the ACS
in order to open all available reports. After you open the reports window, you have the option to open
RADIUS Accounting, Failed Attempts for login, Passed Authentications, Logged−in Users, and other reports.
These reports are .csv files, and you can open the files locally on your machine. See Figure 8. The reports help
uncover issues with authentication, such as incorrect user name and/or password. ACS also comes with online
documentation. If you are not connected to a live network and have not defined the service port, ACS uses the
IP address of your Ethernet port for your service port. If your network is not connected, you most likely end
up with the Windows 169.254.x.x default IP address.

Figure 8

Cisco − Wireless LAN Controller Web Authentication Configuration Example

Note: If you type in any external URL, the WLC automatically connects you to the internal web
authentication page. If the automatic connection does not work, you can enter the management IP address of
the WLC in the URL bar for troubleshooting. Look at the top of the browser for the message that says to
redirect for web authentication.

Set Up the Controller for Use with a RADIUS Server

Create the WLAN for RADIUS Authentication

Complete these steps:

1. Open your WLC browser and click WLANs.

2. Create your web authentication client, as the procedure in Configure the Controller for Web
Authentication shows.
3. Under Interface Name, choose the management interface of your WLC.
4. At the bottom of the window, add the Authentication Servers.

For Authentication Servers, provide the ACS Ethernet IP address. Figure 9 provides an example:

Figure 9

Cisco − Wireless LAN Controller Web Authentication Configuration Example

Enter Your RADIUS Server Information into the Cisco WLC

Complete these steps:

1. Click Security in the menu at the top.

2. Click Radius Authentication in the menu on the left.
3. Click Add, and enter the IP address of your ACS/RADIUS server.

Note: Be sure that the status is enabled.

4. Click Apply.
5. Be sure that the shared secret that you choose is the same one that you give the ACS.

Figure 10 provides an example:

Figure 10

Figure 11 shows a configured RADIUS server:

Note: The RADIUS server is enabled.

Figure 11

Cisco − Wireless LAN Controller Web Authentication Configuration Example

Set Up DHCP and DNS Servers on the WLC

Complete these steps:

1. Click Controller in the menu at the top.

2. Click Internal DHCP Server in the menu on the left.
3. Click New in order to create the DHCP server parameters.
4. Enter the DHCP pool that you wish to use for your clients.

In this example, the DHCP pool is the set of addresses from 10.10.10.7 to 10.10.10.9.
5. Enter the IP address of your RADIUS server.
6. Enter the IP address of your DNS server and the DNS domain name.

Figure 12 provides an example:

Figure 12

Configure Your Windows Machine to Use Web

Authentication
In this section, you are presented with the information to configure your Windows system for web
authentication.

Cisco − Wireless LAN Controller Web Authentication Configuration Example

Client Configuration
The Microsoft wireless client configuration remains mostly unchanged for this subscriber. You only need to
add the appropriate WLAN/SSID configuration information. Complete these steps:

1. From the Windows Start menu, choose Settings > Control Panel > Network and Internet
Connections.
2. Click the Network Connections icon.
3. Right−click the LAN Connection icon and choose Disable.
4. Right−click the Wireless Connection icon and choose Enable.
5. Right−click the Wireless Connection icon again and choose Properties.
6. From the Wireless Network Connection Properties window, click the Wireless Networks tab.
7. In order to change the Network Name (in the Preferred Network area), remove the old WLAN/SSID
and click Add&.
8. Under the Association tab, enter the Network Name (WLAN/SSID) value that you want to use for
web authentication.

Figure 13 provides an example:

Figure 13

Note: Notice that Wired Equivalent Privacy (WEP) is enabled. You must disable WEP in order for
web authentication to work.
9. Click OK at the bottom of the window in order to save the configuration.

When you communicate with the WLAN, you see a beacon icon in the Preferred Network box.

Figure 14 shows a successful wireless connection to web auth. The WLC has provided your wireless
Windows client with an IP address.

Figure 14

Cisco − Wireless LAN Controller Web Authentication Configuration Example

Client Login
Complete these steps:

1. Open a browser window and select the virtual IP address that you set for the local authentication.

Be sure that you use the secure https://1.1.1.1/login.html.

This step is important in code that is earlier than 3.0, but the step is not necessary in later code. In
later code, any URL brings you to the web authentication page.

A security alert window displays.

2. Click Yes in order to proceed.
3. When the Login window appears, enter the user name and password of the Local Net User that you
created.

If your login is successful, you see two browser windows. Each indicates a successful login. You can
use the larger window in order to browse the Internet. Use the smaller window in order to log out
when your use of the guest network is complete.

Figure 15 shows a successful redirect for web authentication.

Figure 15

Cisco − Wireless LAN Controller Web Authentication Configuration Example

 Figure 16 shows the Login Successful window, which displays when authentication has occurred
within the ACS.

Figure 16

Configure Web Passthrough in the WLC

Web passthrough is a solution through which wireless users are redirected to an acceptable usage policy page
without having to authenticate when they connect to the Internet. This redirection is taken care of by the WLC
itself. The only requirement is to configure the WLC for web passthrough which is basically web
authentication without having to enter any credentials.

Note: This section of the configuration uses a Cisco 2000 Series WLC that runs version 4.0.

Complete these steps in order to configure web passthrough:

1. Repeat steps 1 and 2 in theAdd a WLAN Instance section of this document.

2. For Interface Name, choose the name of the VLAN interface that you created.
3. Set the Layer 2 Security appropriately for this type of subscriber. Here, the security is set to None.
4. In the Layer 3 Security area, be sure that the Web Policy check box is checked. Then choose
Passthrough and do not choose Authentication.

Figure 17

Cisco − Wireless LAN Controller Web Authentication Configuration Example

 5. Click Apply in order to save the new interface to the running configuration on the WLAN switch.
6. Review the WLAN Summary window to be sure that the WLAN/SSID (in this case, Web
Passthrough) is enabled.

The WLAN window then shows that Web Passthrough is enabled in the Security Policies column of
the VLAN table.
7. Configure your Web Login Page. In order to do this, go to the WLC GUI, choose Security, and select
Web Login Page from the left−side menu.
8. In the Web Login Page, enter whatever verbiage you require in the message field.

This message is displayed to the users during their first attempt to use the web after they connect to
this particular WLAN. When you enable Web Policy and Passthrough, it only gives the user an
Accept button. See Figure 18.

Figure 18

Cisco − Wireless LAN Controller Web Authentication Configuration Example

 9. In order to verify web passthrough, try to access any web site thorough the Internet browser once your
client is connected to this WLAN.

You are redirected to this customized acceptable usage policy. Figure 19 shows an example. Note that
you can customize this page with your own verbiage.

Figure 19

Cisco − Wireless LAN Controller Web Authentication Configuration Example

 10. Once the client verifies the policy information and clicks Accept, the client is successfully
authenticated (see Figure 20).

The client is now entitled to access the Internet. This procedure does not prompt for any credentials
from the user for authentication.

Figure 20

Cisco − Wireless LAN Controller Web Authentication Configuration Example

Verify Internal Web Authentication
Use this section to confirm that your Internal Web Authentication configuration works properly.

The setup for web authentication is relatively straightforward. Remember to check simple attributes in your
Windows client in your wireless network connection. Under the Wireless Networks tab, look for the Use
Windows to Configure My Wireless Network setting. Be sure that this option has been checked if you use the
Windows Zero configuration. If you use a different client, be sure to refer to the documentation that came
with that client in order to set up web authentication. Verify that you can ping your virtual IP address. Also,
verify that you have specified this WLAN/SSID on the WLC, that you have enabled the WLAN/SSID, and
that it is correctly set up for web authentication.

Troubleshoot
Use this section to troubleshoot your configuration.

In order to troubleshoot your wireless connection on your PC, carry a Cisco Aironet 350 wireless card. Some
of the earlier PCs have wireless adapters that are substandard. Be sure to carry a card that you know is
reliable. Remember that this network solution if meant for use in a guest−access setting. Bear in mind that all
traffic is clear text. The only encryption comes with the user name and password that the web authentication
provides.

One of the frequent issues that is seen with web authentication is that the redirect to the web authentication
page does not work. The user does not see the web authentication window when the user opens the browser.
Instead, the user has to manually enter https://1.1.1.1/login.html in order to get to the web authentication
window. This has to do with the DNS lookup, which needs to work before the redirect to the web

Cisco − Wireless LAN Controller Web Authentication Configuration Example

authentication page occurs. If the browser homepage on the wireless client points to a domain name, you need
to be able to do nslookup successfully once the client gets associated in order for the redirect to work.

Also, for a WLC that runs a version earlier than 3.2.150.10, the way that web authentication works is that
when a user in that SSID tries to access the Internet, the management interface of the controller does a DNS
query to see if the URL is valid. If it is, then it shows the authorization page, with the Virtual Interfaces IP
address. After the user is successfully logged in, the original request is allowed to pass back to the client. This
is because of Cisco bug ID CSCsc68105 ( registered customers only) .

This issue is resolved in all later releases and any URL redirects to the web authentication window. So, if you
see that the automatic redirect does not work it can be because the WLC runs a version earlier than
3.2.150.10. In order to resolve this issue, upgrade the WLC to the latest version.

NetPro Discussion Forums − Featured Conversations

Networking Professionals Connection is a forum for networking professionals to share questions, suggestions,
and information about networking solutions, products, and technologies. The featured links are some of the
most recent conversations available in this technology.

NetPro Discussion Forums − Featured Conversations for Wireless

Wireless − Mobility: WLAN Radio Standards
Wireless − Mobility: Security and Network Management
Wireless − Mobility: Getting Started with Wireless
Wireless − Mobility: General

Related Information
• Cisco Wireless LAN
• Cisco Wireless LAN Controller Configuration Guide, Release 3.2 − Configuring Security
Solutions
• Technical Support & Documentation − Cisco Systems

All contents are Copyright © 1992−2006 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

Updated: Dec 03, 2006 Document ID: 69340

Cisco − Wireless LAN Controller Web Authentication Configuration Example