Professional Documents
Culture Documents
Configuration Example
Document ID: 69340
Introduction
Prerequisites
Requirements
Components Used
Conventions
Background Information
Configure the Controller for Web Authentication
Create a VLAN Interface
Add a WLAN Instance
Reboot the WLC
Two Ways to Authenticate Users in Web Authentication
Set Up ACS
Verify ACS
Troubleshoot ACS
Set Up the Controller for Use with a RADIUS Server
Configure Your Windows Machine to Use Web Authentication
Client Configuration
Client Login
Configure Web Passthrough in the WLC
Verify Internal Web Authentication
Troubleshoot
NetPro Discussion Forums − Featured Conversations
Related Information
Introduction
This document shows you how to configure a Cisco 4000 Series Wireless LAN (WLAN) Controller (WLC) to
support a web authentication client.
Prerequisites
Requirements
This document assumes that you already have an initial configuration on the 4000 WLC.
Components Used
The information in this document is based on these software and hardware versions:
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Background Information
Web authentication is typically used by customers who want to deploy a guest−access network. In a
guest−access network, there is initial user name and password authentication, but security is not required for
the subsequent traffic. Typical deployments can include "hot spot" locations such as T−Mobile or Starbucks.
Web authentication for the Cisco WLC is done locally. You create an interface and then associate a
WLAN/service set identifier (SSID) with that interface.
Web authentication provides simple authentication without a supplicant or client. Keep in mind that web
authentication does not provide data encryption. Web authentication is typically used as simple guest access
for either a "hot spot" or campus atmosphere where the only concern is the connectivity.
The configuration in this document provides an open connection to a user that requires a name/password
security exchange. In order to provide that support, you must create a new WLAN interface that provides a
WLAN/SSID for the web authentication clients to use. If you have not created a VLAN interface that allows
web authentication, you can either use the management interface or create a new VLAN interface. The
Configure the Controller for Web Authentication section of this document provides the procedure to create a
new VLAN interface.
1. In the main Controller window, choose Controller from the menu at the top, choose Interfaces from
the menu on the left, and click New on the upper right side of the window.
The window in Figure 1 appears. This example uses Interface Name vlan90 with a VLAN ID of 90:
Figure 1
♦ IP Address90.90.90.22
♦ Netmask¢55.255.255.0 (24 bits)
♦ Gateway90.90.90.1
♦ Port Number¡
♦ Primary DHCP Server¡0.9.4.10
Note: This parameter should be the IP address of your RADIUS or DHCP server.
♦ Secondary DHCP Server .0.0.0
Note: The example does not have a secondary DHCP server, so uses 0.0.0.0. If your
configuration has a secondary DHCP server, add the server IP address in this field.
♦ ACL NameNone
Figure 2 shows these parameters:
Figure 2
1. Open the WLC browser, click WLAN in the menu at the top, and click New on the upper right side.
Figure 3 shows the WLAN ID that you need to create and the WLAN that is associated with the web
authentication. This example uses VLAN ID 1 and WLAN SSID webauth. You can use whatever
WLAN you choose.
Figure 3
2. Supply the information that this window requires and click Apply in order to save the new interface.
Figure 4
Note: Leave the default value for any parameter that this procedure does not explicitly mention.
a. For Interface Name, select from the menu the name of the VLAN interface that you created.
You return to the WLAN window. In this case, the window shows that web−auth is enabled
in the Security Policies column of the VLAN table.
1. In the main Controller window, choose Commands in the menu at the top.
2. In the new window, choose Reboot in the menu on the left.
You are prompted to save and reboot if there are unsaved changes in your configuration.
3. Click Save and Reboot in order to save the configuration and reboot the switch.
4. Monitor your system reboot from the console connection.
When the WLC is up, you can create your web authentication subscriber.
Local Authentication
Local authentication allows the local authentication of the user to the WLC. You must create a Local Net User
and define a password for web authentication client login.
1. Choose Security in the menu at the top in order to go to the Security window on your WLC.
2. Choose Local Net Users from the AAA menu on the left.
Figure 5
3. Click New on the upper left side in order to create a new user.
A new window displays that asks for user name and password information.
4. In order to create a new user, provide the User Name and Password, and confirm the password that
you want to use.
In this example, the VLAN ID is 1. This ID is the ID that you created when you created the
WLAN/SSID in the Add a WLAN Instance section of this document.
6. Add a description, if you choose.
Figure 6
This document uses a wireless ACS on Windows 2000 Server as the RADIUS server. You can use any
available RADIUS server that you currently deploy in your network.
Note: You can set up ACS on either Windows NT or Windows 2000 Server. In order to download ACS from
Cisco.com, refer to Software Center (Downloads) − Cisco Secure Software ( registered customers only) . You need
a Cisco web account in order to download the software.
When web authentication is done through a RADIUS server, the first query for authentication is attempted
locally at the WLC. If there is no response at the WLC, the second query goes out to a RADIUS server. The
Set Up ACS section shows you how to configure ACS for RADIUS. You must have a fully functional
network with a Domain Name System (DNS) and a RADIUS server.
Set Up ACS
In this section, you are presented with the information to set up ACS for RADIUS.
Set up ACS on your server, and then complete these steps in order to create a user for authentication:
1. When ACS asks if you want to open ACS in a browser window to configure, click yes.
Note: After you set up ACS, you also have an icon on your desktop.
2. In the menu on the left, click User Setup.
Verify ACS
In order to verify that you have set up ACS correctly, click Network Configuration on the left panel of the
ACS. Figure 7 is an example of what you see:
Figure 7
Troubleshoot ACS
When you set up ACS, remember to download all the current patches and latest code. This should solve
impending issues. Be sure that the users that you have created show up under Network Configurations. And,
when you choose User Setup, verify again that your users actually exist. Click List All Users in order to
verify the list of users.
If you have issues with password authentication, click Reports and Activity on the lower left side of the ACS
in order to open all available reports. After you open the reports window, you have the option to open
RADIUS Accounting, Failed Attempts for login, Passed Authentications, Logged−in Users, and other reports.
These reports are .csv files, and you can open the files locally on your machine. See Figure 8. The reports help
uncover issues with authentication, such as incorrect user name and/or password. ACS also comes with online
documentation. If you are not connected to a live network and have not defined the service port, ACS uses the
IP address of your Ethernet port for your service port. If your network is not connected, you most likely end
up with the Windows 169.254.x.x default IP address.
Figure 8
For Authentication Servers, provide the ACS Ethernet IP address. Figure 9 provides an example:
Figure 9
Figure 10
Figure 11
In this example, the DHCP pool is the set of addresses from 10.10.10.7 to 10.10.10.9.
5. Enter the IP address of your RADIUS server.
6. Enter the IP address of your DNS server and the DNS domain name.
Figure 12
1. From the Windows Start menu, choose Settings > Control Panel > Network and Internet
Connections.
2. Click the Network Connections icon.
3. Right−click the LAN Connection icon and choose Disable.
4. Right−click the Wireless Connection icon and choose Enable.
5. Right−click the Wireless Connection icon again and choose Properties.
6. From the Wireless Network Connection Properties window, click the Wireless Networks tab.
7. In order to change the Network Name (in the Preferred Network area), remove the old WLAN/SSID
and click Add&.
8. Under the Association tab, enter the Network Name (WLAN/SSID) value that you want to use for
web authentication.
Figure 13
Note: Notice that Wired Equivalent Privacy (WEP) is enabled. You must disable WEP in order for
web authentication to work.
9. Click OK at the bottom of the window in order to save the configuration.
When you communicate with the WLAN, you see a beacon icon in the Preferred Network box.
Figure 14 shows a successful wireless connection to web auth. The WLC has provided your wireless
Windows client with an IP address.
Figure 14
1. Open a browser window and select the virtual IP address that you set for the local authentication.
This step is important in code that is earlier than 3.0, but the step is not necessary in later code. In
later code, any URL brings you to the web authentication page.
If your login is successful, you see two browser windows. Each indicates a successful login. You can
use the larger window in order to browse the Internet. Use the smaller window in order to log out
when your use of the guest network is complete.
Figure 15
Figure 16
Note: This section of the configuration uses a Cisco 2000 Series WLC that runs version 4.0.
Figure 17
The WLAN window then shows that Web Passthrough is enabled in the Security Policies column of
the VLAN table.
7. Configure your Web Login Page. In order to do this, go to the WLC GUI, choose Security, and select
Web Login Page from the left−side menu.
8. In the Web Login Page, enter whatever verbiage you require in the message field.
This message is displayed to the users during their first attempt to use the web after they connect to
this particular WLAN. When you enable Web Policy and Passthrough, it only gives the user an
Accept button. See Figure 18.
Figure 18
You are redirected to this customized acceptable usage policy. Figure 19 shows an example. Note that
you can customize this page with your own verbiage.
Figure 19
The client is now entitled to access the Internet. This procedure does not prompt for any credentials
from the user for authentication.
Figure 20
The setup for web authentication is relatively straightforward. Remember to check simple attributes in your
Windows client in your wireless network connection. Under the Wireless Networks tab, look for the Use
Windows to Configure My Wireless Network setting. Be sure that this option has been checked if you use the
Windows Zero configuration. If you use a different client, be sure to refer to the documentation that came
with that client in order to set up web authentication. Verify that you can ping your virtual IP address. Also,
verify that you have specified this WLAN/SSID on the WLC, that you have enabled the WLAN/SSID, and
that it is correctly set up for web authentication.
Troubleshoot
Use this section to troubleshoot your configuration.
In order to troubleshoot your wireless connection on your PC, carry a Cisco Aironet 350 wireless card. Some
of the earlier PCs have wireless adapters that are substandard. Be sure to carry a card that you know is
reliable. Remember that this network solution if meant for use in a guest−access setting. Bear in mind that all
traffic is clear text. The only encryption comes with the user name and password that the web authentication
provides.
One of the frequent issues that is seen with web authentication is that the redirect to the web authentication
page does not work. The user does not see the web authentication window when the user opens the browser.
Instead, the user has to manually enter https://1.1.1.1/login.html in order to get to the web authentication
window. This has to do with the DNS lookup, which needs to work before the redirect to the web
Also, for a WLC that runs a version earlier than 3.2.150.10, the way that web authentication works is that
when a user in that SSID tries to access the Internet, the management interface of the controller does a DNS
query to see if the URL is valid. If it is, then it shows the authorization page, with the Virtual Interfaces IP
address. After the user is successfully logged in, the original request is allowed to pass back to the client. This
is because of Cisco bug ID CSCsc68105 ( registered customers only) .
This issue is resolved in all later releases and any URL redirects to the web authentication window. So, if you
see that the automatic redirect does not work it can be because the WLC runs a version earlier than
3.2.150.10. In order to resolve this issue, upgrade the WLC to the latest version.
Related Information
• Cisco Wireless LAN
• Cisco Wireless LAN Controller Configuration Guide, Release 3.2 − Configuring Security
Solutions
• Technical Support & Documentation − Cisco Systems
All contents are Copyright © 1992−2006 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.