Upload: api-3703368

Post on 13-Nov-2014

20 views

Category:

Documents


2 download

TRANSCRIPT

Page 1: Web Auth Config

Wireless LAN Controller Web Authentication Configuration Example

Document ID: 69340

Introduction
Prerequisites
   Requirements
   Components Used
   Conventions
Background Information
Configure the Controller for Web Authentication
   Create a VLAN Interface
   Add a WLAN Instance
   Reboot the WLC
Two Ways to Authenticate Users in Web Authentication
Set Up ACS
   Verify ACS
   Troubleshoot ACS
Set Up the Controller for Use with a RADIUS Server
Configure Your Windows Machine to Use Web Authentication
   Client Configuration
   Client Login
Configure Web Passthrough in the WLC
Verify Internal Web Authentication
Troubleshoot
NetPro Discussion Forums - Featured Conversations
Related Information

Introduction

This document shows you how to configure a Cisco 4000 Series Wireless LAN (WLAN) Controller (WLC) to support a web authentication client.

Prerequisites

Requirements

This document assumes that you already have an initial configuration on the 4000 WLC.

Components Used

The information in this document is based on these software and hardware versions:

• A 4012 WLC that runs 3.1.59.24 code
• Wireless Access Control Server (ACS) on Microsoft Windows 2000 Server
• Cisco Aironet 1000 Series

Cisco − Wireless LAN Controller Web Authentication Configuration Example


The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Information

Web authentication is typically used by customers who want to deploy a guest-access network. In a guest-access network, there is initial user name and password authentication, but security is not required for the subsequent traffic. Typical deployments can include "hot spot" locations such as T-Mobile or Starbucks.

Web authentication for the Cisco WLC is done locally. You create an interface and then associate a WLAN/service set identifier (SSID) with that interface.

Web authentication provides simple authentication without a supplicant or client. Keep in mind that web authentication does not provide data encryption. Web authentication is typically used as simple guest access for either a "hot spot" or campus atmosphere where the only concern is the connectivity.

The configuration in this document provides an open connection to a user that requires a name/password security exchange. In order to provide that support, you must create a new WLAN interface that provides a WLAN/SSID for the web authentication clients to use. If you have not created a VLAN interface that allows web authentication, you can either use the management interface or create a new VLAN interface. The Configure the Controller for Web Authentication section of this document provides the procedure to create a new VLAN interface.

Configure the Controller for Web Authentication

In this section, you are presented with the information to configure the controller for web authentication.

Create a VLAN Interface

Complete these steps:

1. In the main Controller window, choose Controller from the menu at the top, choose Interfaces from the menu on the left, and click New on the upper right side of the window.

   The window in Figure 1 appears. This example uses Interface Name vlan90 with a VLAN ID of 90:

   Figure 1

2. Click Apply in order to create the VLAN interface.

   A new window appears that asks you to fill in some information.

3. Add these parameters to the VLAN interface:

   IP Address: 90.90.90.22
   Netmask: 255.255.255.0 (24 bits)
   Gateway: 90.90.90.1
   Port Number: 1
   Primary DHCP Server: 10.9.4.10

   Note: This parameter should be the IP address of your RADIUS or DHCP server.

   Secondary DHCP Server: 0.0.0.0

   Note: The example does not have a secondary DHCP server, so it uses 0.0.0.0. If your configuration has a secondary DHCP server, add the server IP address in this field.

   ACL Name: None

   Figure 2 shows these parameters:

   Figure 2

4. Click Apply in order to save the changes.


Add a WLAN Instance

Now that you have a VLAN interface that is dedicated for web authentication, you must provide a new WLAN/SSID in order to support the web authentication users. You can set up the WLAN/SSID with a previously configured VLAN or management interface. Or, if no interface has been created, you must create a WLAN interface.

Complete these steps:

1. Open the WLC browser, click WLAN in the menu at the top, and click New on the upper right side.

   Figure 3 shows the WLAN ID that you need to create and the WLAN that is associated with the web authentication. This example uses VLAN ID 1 and WLAN SSID webauth. You can use whatever WLAN you choose.

   Figure 3

2. Supply the information that this window requires and click Apply in order to save the new interface.

   A new WLAN Edit window appears, as Figure 4 shows.

   Figure 4


3. Complete these steps in order to select the parameters in this window:

   Note: Leave the default value for any parameter that this procedure does not explicitly mention.

   a. For Interface Name, select from the menu the name of the VLAN interface that you created.

      In this example, the Interface Name is vlan90.

   b. Set the Layer 2 Security appropriately for this type of subscriber.

      Here, the security is set to None.

   c. In the Layer 3 Security area, be sure that the Web Policy check box is checked.

      Note: This is a different window in code that is earlier than 3.0.

   d. Be sure that Authentication is selected (and not Passthrough).

   e. Click Apply in order to save the new interface to the running configuration on the WLAN switch.

   f. Review the WLAN Summary window to be sure that the WLAN/SSID (in this case, web-auth) is enabled.

      You return to the WLAN window. In this case, the window shows that web-auth is enabled in the Security Policies column of the VLAN table.

Reboot the WLC

You must reboot the WLC because one or more of the WLAN changes cannot be made while the system is active. The changes must be made before or during the boot. Complete these steps in order to reboot the WLC:

1. In the main Controller window, choose Commands in the menu at the top.

2. In the new window, choose Reboot in the menu on the left.

   You are prompted to save and reboot if there are unsaved changes in your configuration.

3. Click Save and Reboot in order to save the configuration and reboot the switch.

4. Monitor your system reboot from the console connection.

   When the WLC is up, you can create your web authentication subscriber.


Two Ways to Authenticate Users in Web Authentication

There are two ways to authenticate when you use web authentication. Local authentication allows you to authenticate the user in the Cisco WLC. You can also use wireless ACS/RADIUS in order to authenticate your users. In order to configure local authentication within the WLC, complete these steps:

Local Authentication

Local authentication allows the local authentication of the user to the WLC. You must create a Local Net User and define a password for web authentication client login.

1. Choose Security in the menu at the top in order to go to the Security window on your WLC.

2. Choose Local Net Users from the AAA menu on the left.

   Figure 5 provides an example:

   Figure 5

3. Click New on the upper left side in order to create a new user.

   A new window displays that asks for user name and password information.

4. In order to create a new user, provide the User Name and Password, and confirm the password that you want to use.

   This example creates the user karjames.

5. Verify that you have assigned the correct WLAN ID.

   In this example, the VLAN ID is 1. This ID is the ID that you created when you created the WLAN/SSID in the Add a WLAN Instance section of this document.

6. Add a description, if you choose.

   This example uses Web Auth.

7. Click Apply in order to save the new user configuration.

   Figure 6 provides the example parameters:

   Figure 6


RADIUS Server for Web Authentication

This document uses a wireless ACS on Windows 2000 Server as the RADIUS server. You can use any available RADIUS server that you currently deploy in your network.

Note: You can set up ACS on either Windows NT or Windows 2000 Server. In order to download ACS from Cisco.com, refer to Software Center (Downloads) - Cisco Secure Software (registered customers only). You need a Cisco web account in order to download the software.

When web authentication is done through a RADIUS server, the first query for authentication is attempted locally at the WLC. If there is no response at the WLC, the second query goes out to a RADIUS server. The Set Up ACS section shows you how to configure ACS for RADIUS. You must have a fully functional network with a Domain Name System (DNS) and a RADIUS server.

Set Up ACS

In this section, you are presented with the information to set up ACS for RADIUS.

Set up ACS on your server, and then complete these steps in order to create a user for authentication:

1. When ACS asks if you want to open ACS in a browser window to configure, click Yes.

   Note: After you set up ACS, you also have an icon on your desktop.

2. In the menu on the left, click User Setup.

   This action takes you to User Setup.

3. Enter the user that you want to use for web authentication, and click Add.

   After the user is created, a second window opens.

4. Be sure that the user is set as enabled.

5. Be sure that the Password Authentication is Cisco Secure Database.

6. Provide the password twice.

7. After the user is created, be sure that you have chosen RADIUS Cisco Aironet as the type of service.

   Note: TACACS+ is the default.

   Note: The user names and passwords in the ACS should be the same as the ones that you configured in the WLC.

Verify ACS

In order to verify that you have set up ACS correctly, click Network Configuration on the left panel of the ACS. Figure 7 is an example of what you see:

Figure 7

Troubleshoot ACS

When you set up ACS, remember to download all the current patches and latest code. This should solve impending issues. Be sure that the users that you have created show up under Network Configurations. And, when you choose User Setup, verify again that your users actually exist. Click List All Users in order to verify the list of users.

If you have issues with password authentication, click Reports and Activity on the lower left side of the ACS in order to open all available reports. After you open the reports window, you have the option to open RADIUS Accounting, Failed Attempts for login, Passed Authentications, Logged-in Users, and other reports. These reports are .csv files, and you can open the files locally on your machine. See Figure 8. The reports help uncover issues with authentication, such as incorrect user name and/or password. ACS also comes with online documentation. If you are not connected to a live network and have not defined the service port, ACS uses the IP address of your Ethernet port for your service port. If your network is not connected, you most likely end up with the Windows 169.254.x.x default IP address.

Figure 8


Note: If you type in any external URL, the WLC automatically connects you to the internal web authentication page. If the automatic connection does not work, you can enter the management IP address of the WLC in the URL bar for troubleshooting. Look at the top of the browser for the message that says to redirect for web authentication.

Set Up the Controller for Use with a RADIUS Server

Create the WLAN for RADIUS Authentication

Complete these steps:

1. Open your WLC browser and click WLANs.

2. Create your web authentication client, as the procedure in Configure the Controller for Web Authentication shows.

3. Under Interface Name, choose the management interface of your WLC.

4. At the bottom of the window, add the Authentication Servers.

   For Authentication Servers, provide the ACS Ethernet IP address. Figure 9 provides an example:

   Figure 9


Enter Your RADIUS Server Information into the Cisco WLC

Complete these steps:

1. Click Security in the menu at the top.

2. Click Radius Authentication in the menu on the left.

3. Click Add, and enter the IP address of your ACS/RADIUS server.

   Note: Be sure that the status is enabled.

4. Click Apply.

5. Be sure that the shared secret that you choose is the same one that you give the ACS.

   Figure 10 provides an example:

   Figure 10

   Figure 11 shows a configured RADIUS server:

   Note: The RADIUS server is enabled.

   Figure 11
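The shared-secret requirement in step 5, shown as an added example that is not part of this Cisco document and is not WLC or ACS code: both sides of a RADIUS PAP exchange are modelled in one file, so you can see why a secret that differs between the controller and ACS produces no usable reply at all. Assumed values: the user karjames comes from the Local Authentication section; the password Web-Auth-Pass and the secret wlc-shared-secret are constructed here.

```python
"""RADIUS PAP exchange for a web-auth user, both sides modelled in one file.

Added example, not part of the Cisco document. A toy server stands in for ACS.
The User-Password is hidden with the shared secret (RFC 2865 section 5.2) and the
Response Authenticator is MD5 over the reply plus the secret (section 3), so a
secret that differs between WLC and ACS shows up as a reply the WLC discards.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2                      # attribute types

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password, secret, request_auth):
    """Pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\0")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the key chain runs over the hidden blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def build_access_request(ident, user, password, secret, request_auth=None):
    """WLC side: Access-Request carrying User-Name and the hidden User-Password."""
    request_auth = request_auth or os.urandom(16)    # fresh 16-byte Request Authenticator
    attrs = _attr(USER_NAME, user)
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            break                                    # malformed attribute; stop parsing
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def acs_answer(request, secret, users):
    """Server side (stand-in for ACS); users maps user name to password."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == pw else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)
    return header + response_authenticator(code, ident, b"", request_auth, secret)

def wlc_check_reply(reply, request, secret):
    """WLC side: a reply whose Response Authenticator fails is silently dropped."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    if reply[4:20] != expected:
        return "dropped"
    return "accept" if code == ACCESS_ACCEPT else "reject"
```

A wrong secret on the ACS side also garbles the revealed password, so the server sends Access-Reject; the controller never gets that far because the authenticator check fails first, which is why a secret mismatch looks like a RADIUS server that does not answer.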


Set Up DHCP and DNS Servers on the WLC

Complete these steps:

1. Click Controller in the menu at the top.

2. Click Internal DHCP Server in the menu on the left.

3. Click New in order to create the DHCP server parameters.

4. Enter the DHCP pool that you wish to use for your clients.

   In this example, the DHCP pool is the set of addresses from 10.10.10.7 to 10.10.10.9.

5. Enter the IP address of your RADIUS server.

6. Enter the IP address of your DNS server and the DNS domain name.

   Figure 12 provides an example:

   Figure 12

Configure Your Windows Machine to Use Web Authentication

In this section, you are presented with the information to configure your Windows system for web authentication.


Client Configuration

The Microsoft wireless client configuration remains mostly unchanged for this subscriber. You only need to add the appropriate WLAN/SSID configuration information. Complete these steps:

1. From the Windows Start menu, choose Settings > Control Panel > Network and Internet Connections.

2. Click the Network Connections icon.

3. Right-click the LAN Connection icon and choose Disable.

4. Right-click the Wireless Connection icon and choose Enable.

5. Right-click the Wireless Connection icon again and choose Properties.

6. From the Wireless Network Connection Properties window, click the Wireless Networks tab.

7. In order to change the Network Name (in the Preferred Network area), remove the old WLAN/SSID and click Add....

8. Under the Association tab, enter the Network Name (WLAN/SSID) value that you want to use for web authentication.

   Figure 13 provides an example:

   Figure 13

   Note: Notice that Wired Equivalent Privacy (WEP) is enabled. You must disable WEP in order for web authentication to work.

9. Click OK at the bottom of the window in order to save the configuration.

   When you communicate with the WLAN, you see a beacon icon in the Preferred Network box.

Figure 14 shows a successful wireless connection to web auth. The WLC has provided your wireless Windows client with an IP address.

Figure 14


Client Login

Complete these steps:

1. Open a browser window and select the virtual IP address that you set for the local authentication.

   Be sure that you use the secure https://1.1.1.1/login.html.

   This step is important in code that is earlier than 3.0, but the step is not necessary in later code. In later code, any URL brings you to the web authentication page.

   A security alert window displays.

2. Click Yes in order to proceed.

3. When the Login window appears, enter the user name and password of the Local Net User that you created.

   If your login is successful, you see two browser windows. Each indicates a successful login. You can use the larger window in order to browse the Internet. Use the smaller window in order to log out when your use of the guest network is complete.

   Figure 15 shows a successful redirect for web authentication.

   Figure 15


Figure 16 shows the Login Successful window, which displays when authentication has occurred within the ACS.

Figure 16

Configure Web Passthrough in the WLC

Web passthrough is a solution through which wireless users are redirected to an acceptable usage policy page without having to authenticate when they connect to the Internet. This redirection is taken care of by the WLC itself. The only requirement is to configure the WLC for web passthrough, which is basically web authentication without having to enter any credentials.

Note: This section of the configuration uses a Cisco 2000 Series WLC that runs version 4.0.

Complete these steps in order to configure web passthrough:

1. Repeat steps 1 and 2 in the Add a WLAN Instance section of this document.

2. For Interface Name, choose the name of the VLAN interface that you created.

3. Set the Layer 2 Security appropriately for this type of subscriber. Here, the security is set to None.

4. In the Layer 3 Security area, be sure that the Web Policy check box is checked. Then choose Passthrough and do not choose Authentication.

   Figure 17

5. Click Apply in order to save the new interface to the running configuration on the WLAN switch.

6. Review the WLAN Summary window to be sure that the WLAN/SSID (in this case, WebPassthrough) is enabled.

   The WLAN window then shows that Web Passthrough is enabled in the Security Policies column of the VLAN table.

7. Configure your Web Login Page. In order to do this, go to the WLC GUI, choose Security, and select Web Login Page from the left-side menu.

8. In the Web Login Page, enter whatever verbiage you require in the message field.

   This message is displayed to the users during their first attempt to use the web after they connect to this particular WLAN. When you enable Web Policy and Passthrough, it only gives the user an Accept button. See Figure 18.

   Figure 18

9. In order to verify web passthrough, try to access any web site through the Internet browser once your client is connected to this WLAN.

   You are redirected to this customized acceptable usage policy. Figure 19 shows an example. Note that you can customize this page with your own verbiage.

   Figure 19

10. Once the client verifies the policy information and clicks Accept, the client is successfully authenticated (see Figure 20).

    The client is now entitled to access the Internet. This procedure does not prompt for any credentials from the user for authentication.

    Figure 20


Verify Internal Web Authentication

Use this section to confirm that your Internal Web Authentication configuration works properly.

The setup for web authentication is relatively straightforward. Remember to check simple attributes in your Windows client in your wireless network connection. Under the Wireless Networks tab, look for the Use Windows to Configure My Wireless Network setting. Be sure that this option has been checked if you use the Windows Zero configuration. If you use a different client, be sure to refer to the documentation that came with that client in order to set up web authentication. Verify that you can ping your virtual IP address. Also, verify that you have specified this WLAN/SSID on the WLC, that you have enabled the WLAN/SSID, and that it is correctly set up for web authentication.

Troubleshoot

Use this section to troubleshoot your configuration.

In order to troubleshoot your wireless connection on your PC, carry a Cisco Aironet 350 wireless card. Some of the earlier PCs have wireless adapters that are substandard. Be sure to carry a card that you know is reliable. Remember that this network solution is meant for use in a guest-access setting. Bear in mind that all traffic is clear text. The only encryption comes with the user name and password that the web authentication provides.

One of the frequent issues that is seen with web authentication is that the redirect to the web authentication page does not work. The user does not see the web authentication window when the user opens the browser. Instead, the user has to manually enter https://1.1.1.1/login.html in order to get to the web authentication window. This has to do with the DNS lookup, which needs to work before the redirect to the web authentication page occurs. If the browser homepage on the wireless client points to a domain name, you need to be able to do nslookup successfully once the client gets associated in order for the redirect to work.

Also, for a WLC that runs a version earlier than 3.2.150.10, the way that web authentication works is that when a user in that SSID tries to access the Internet, the management interface of the controller does a DNS query to see if the URL is valid. If it is, then it shows the authorization page, with the virtual interface's IP address. After the user is successfully logged in, the original request is allowed to pass back to the client. This is because of Cisco bug ID CSCsc68105 (registered customers only).

This issue is resolved in all later releases, and any URL redirects to the web authentication window. So, if you see that the automatic redirect does not work, it can be because the WLC runs a version earlier than 3.2.150.10. In order to resolve this issue, upgrade the WLC to the latest version.
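The three checks this section describes, as an added example that is not part of the Cisco document: resolve the client's homepage host, test TCP/443 to the virtual address 1.1.1.1, and compare the controller release against 3.2.150.10. The resolver and connect callables are parameters so the flow can be exercised with constructed results; the release strings and any addresses used with it are assumptions.

```python
"""Walk the web-auth redirect prerequisites from a client on the guest WLAN.

Added example, not from the Cisco document. It follows the Troubleshoot section:
the redirect needs a working DNS lookup of the client's homepage host, the fallback
is the virtual address https://1.1.1.1/login.html, and controllers older than
3.2.150.10 redirect only for a URL whose host resolves (CSCsc68105).
"""
import socket
from urllib.parse import urlsplit

VIRTUAL_IP = "1.1.1.1"                       # virtual interface address used in the document
LOGIN_URL = "https://%s/login.html" % VIRTUAL_IP
FIXED_IN = (3, 2, 150, 10)                   # first release where any URL redirects

def version_is_affected(version):
    """True if a WLC release string such as '3.1.59.24' predates the fix."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (len(FIXED_IN) - len(parts))   # '4.0' compares as 4.0.0.0
    return parts < FIXED_IN

def tcp_open(host, port, timeout=3.0):
    """Real network probe used when no connect callable is injected."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose_redirect(homepage, wlc_version, resolve=socket.gethostbyname, connect=tcp_open):
    """Ordered list of (check, passed, detail); the first failure is the next thing to fix."""
    host = urlsplit(homepage).hostname
    if host is None:
        return [("homepage url", False, "no host name in %r" % homepage)]
    checks = []
    # 1. DNS: the homepage host must resolve once the client is associated, or no redirect.
    try:
        checks.append(("dns lookup", True, "%s -> %s" % (host, resolve(host))))
    except OSError as exc:
        checks.append(("dns lookup", False, "%s: %s" % (host, exc)))
    # 2. Virtual IP: the login page must answer on TCP/443 whether or not DNS works.
    reachable = connect(VIRTUAL_IP, 443)
    checks.append(("virtual ip", reachable, LOGIN_URL if reachable else "no TCP/443 to " + VIRTUAL_IP))
    # 3. Release: code before 3.2.150.10 redirects only for a resolvable URL.
    affected = version_is_affected(wlc_version)
    detail = wlc_version + (" predates 3.2.150.10; upgrade" if affected else " has the fix")
    checks.append(("wlc release", not affected, detail))
    return checks

def next_step(checks):
    """Name the first failed check, or confirm the WLAN-side settings are what is left."""
    for name, passed, detail in checks:
        if not passed:
            return "%s: %s" % (name, detail)
    return "all prerequisites met; open %s and confirm Web Policy is enabled on the WLAN" % LOGIN_URL
```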

NetPro Discussion Forums - Featured Conversations

Networking Professionals Connection is a forum for networking professionals to share questions, suggestions, and information about networking solutions, products, and technologies. The featured links are some of the most recent conversations available in this technology.

NetPro Discussion Forums - Featured Conversations for Wireless

• Wireless - Mobility: WLAN Radio Standards
• Wireless - Mobility: Security and Network Management
• Wireless - Mobility: Getting Started with Wireless
• Wireless - Mobility: General

Related Information

• Cisco Wireless LAN
• Cisco Wireless LAN Controller Configuration Guide, Release 3.2 - Configuring Security Solutions
• Technical Support & Documentation - Cisco Systems

All contents are Copyright © 1992-2006 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

Updated: Dec 03, 2006 Document ID: 69340
