Web Auth Config

  • October 2019
  • PDF
Wireless LAN Controller Web Authentication Configuration Example

Document ID: 69340

Contents
  Introduction
  Prerequisites
    Requirements
    Components Used
    Conventions
  Background Information
  Configure the Controller for Web Authentication
    Create a VLAN Interface
    Add a WLAN Instance
    Reboot the WLC
  Two Ways to Authenticate Users in Web Authentication
  Set Up ACS
  Verify ACS
  Troubleshoot ACS
  Set Up the Controller for Use with a RADIUS Server
  Configure Your Windows Machine to Use Web Authentication
    Client Configuration
    Client Login
  Configure Web Passthrough in the WLC
  Verify Internal Web Authentication
  Troubleshoot
  NetPro Discussion Forums − Featured Conversations
  Related Information

Introduction

This document shows you how to configure a Cisco 4000 Series Wireless LAN (WLAN) Controller (WLC) to support a web authentication client.

Prerequisites

Requirements

This document assumes that you already have an initial configuration on the 4000 WLC.

Components Used

The information in this document is based on these software and hardware versions:
  • A 4012 WLC that runs 3.1.59.24 code
  • Wireless Access Control Server (ACS) on Microsoft Windows 2000 Server
  • Cisco Aironet 1000 Series

Cisco − Wireless LAN Controller Web Authentication Configuration Example

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Information

Web authentication is typically used by customers who want to deploy a guest−access network. In a guest−access network, there is initial user name and password authentication, but security is not required for the subsequent traffic. Typical deployments can include "hot spot" locations such as T−Mobile or Starbucks.

Web authentication for the Cisco WLC is done locally. You create an interface and then associate a WLAN/service set identifier (SSID) with that interface. Web authentication provides simple authentication without a supplicant or client. Keep in mind that web authentication does not provide data encryption. Web authentication is typically used as simple guest access for either a "hot spot" or campus atmosphere where the only concern is the connectivity.

The configuration in this document provides an open connection to a user that requires a name/password security exchange. In order to provide that support, you must create a new WLAN interface that provides a WLAN/SSID for the web authentication clients to use. If you have not created a VLAN interface that allows web authentication, you can either use the management interface or create a new VLAN interface. The Configure the Controller for Web Authentication section of this document provides the procedure to create a new VLAN interface.

Configure the Controller for Web Authentication

In this section, you are presented with the information to configure the controller for web authentication.

Create a VLAN Interface

Complete these steps:

1. In the main Controller window, choose Controller from the menu at the top, choose Interfaces from the menu on the left, and click New on the upper right side of the window. The window in Figure 1 appears. This example uses Interface Name vlan90 with a VLAN ID of 90.

Figure 1


2. Click Apply in order to create the VLAN interface. A new window appears that asks you to fill in some information.

3. Add these parameters to the VLAN interface:
   ♦ IP Address: 90.90.90.22
   ♦ Netmask: 255.255.255.0 (24 bits)
   ♦ Gateway: 90.90.90.1
   ♦ Port Number: 1
   ♦ Primary DHCP Server: 10.9.4.10
     Note: This parameter should be the IP address of your RADIUS or DHCP server.
   ♦ Secondary DHCP Server: 0.0.0.0
     Note: The example does not have a secondary DHCP server, so it uses 0.0.0.0. If your configuration has a secondary DHCP server, add the server IP address in this field.
   ♦ ACL Name: None

   Figure 2 shows these parameters:

Figure 2

4. Click Apply in order to save the changes.


Add a WLAN Instance

Now that you have a VLAN interface that is dedicated for web authentication, you must provide a new WLAN/SSID in order to support the web authentication users. You can set up the WLAN/SSID with a previously configured VLAN or management interface. Or, if no interface has been created, you must create a WLAN interface. Complete these steps:

1. Open the WLC browser, click WLAN in the menu at the top, and click New on the upper right side. Figure 3 shows the WLAN ID that you need to create and the WLAN that is associated with the web authentication. This example uses VLAN ID 1 and WLAN SSID webauth. You can use whatever WLAN you choose.

Figure 3

2. Supply the information that this window requires and click Apply in order to save the new interface. A new WLAN Edit window appears, as Figure 4 shows.

Figure 4


3. Complete these steps in order to select the parameters in this window:
   Note: Leave the default value for any parameter that this procedure does not explicitly mention.
   a. For Interface Name, select from the menu the name of the VLAN interface that you created. In this example, the Interface Name is vlan90.
   b. Set the Layer 2 Security appropriately for this type of subscriber. Here, the security is set to None.
   c. In the Layer 3 Security area, be sure that the Web Policy check box is checked.
      Note: This is a different window in code that is earlier than 3.0.
   d. Be sure that Authentication is selected (and not Passthrough).
   e. Click Apply in order to save the new interface to the running configuration on the WLAN switch.
   f. Review the WLAN Summary window to be sure that the WLAN/SSID (in this case, web−auth) is enabled. You return to the WLAN window. In this case, the window shows that web−auth is enabled in the Security Policies column of the VLAN table.

Reboot the WLC

You must reboot the WLC because one or more of the WLAN changes cannot be made while the system is active. The changes must be made before or during the boot. Complete these steps in order to reboot the WLC:

1. In the main Controller window, choose Commands in the menu at the top.
2. In the new window, choose Reboot in the menu on the left. You are prompted to save and reboot if there are unsaved changes in your configuration.
3. Click Save and Reboot in order to save the configuration and reboot the switch.
4. Monitor your system reboot from the console connection. When the WLC is up, you can create your web authentication subscriber.


Two Ways to Authenticate Users in Web Authentication

There are two ways to authenticate when you use web authentication. Local authentication allows you to authenticate the user in the Cisco WLC. You can also use wireless ACS/RADIUS in order to authenticate your users.

Local Authentication

Local authentication allows the local authentication of the user to the WLC. You must create a Local Net User and define a password for web authentication client login. In order to configure local authentication within the WLC, complete these steps:

1. Choose Security in the menu at the top in order to go to the Security window on your WLC.
2. Choose Local Net Users from the AAA menu on the left. Figure 5 provides an example:

Figure 5

3. Click New on the upper left side in order to create a new user. A new window displays that asks for user name and password information.
4. In order to create a new user, provide the User Name and Password, and confirm the password that you want to use. This example creates the user karjames.
5. Verify that you have assigned the correct WLAN ID. In this example, the VLAN ID is 1. This ID is the ID that you created when you created the WLAN/SSID in the Add a WLAN Instance section of this document.
6. Add a description, if you choose. This example uses Web Auth.
7. Click Apply in order to save the new user configuration. Figure 6 provides the example parameters:

Figure 6


RADIUS Server for Web Authentication

This document uses a wireless ACS on Windows 2000 Server as the RADIUS server. You can use any available RADIUS server that you currently deploy in your network.

Note: You can set up ACS on either Windows NT or Windows 2000 Server. In order to download ACS from Cisco.com, refer to Software Center (Downloads) − Cisco Secure Software (registered customers only). You need a Cisco web account in order to download the software.

When web authentication is done through a RADIUS server, the first query for authentication is attempted locally at the WLC. If there is no response at the WLC, the second query goes out to a RADIUS server. The Set Up ACS section shows you how to configure ACS for RADIUS. You must have a fully functional network with a Domain Name System (DNS) and a RADIUS server.

Set Up ACS

In this section, you are presented with the information to set up ACS for RADIUS. Set up ACS on your server, and then complete these steps in order to create a user for authentication:

1. When ACS asks if you want to open ACS in a browser window to configure, click yes.
   Note: After you set up ACS, you also have an icon on your desktop.
2. In the menu on the left, click User Setup. This action takes you to User Setup.
3. Enter the user that you want to use for web authentication, and click Add. After the user is created, a second window opens.
4. Be sure that the user is set as enabled.
5. Be sure that the Password Authentication is Cisco Secure Database.
6. Provide the password twice.
7. After the user is created, be sure that you have chosen RADIUS Cisco Aironet as the type of service.
   Note: TACACS+ is the default.


Note: The user names and passwords in the ACS should be the same as the ones that you configured in the WLC.

Verify ACS

In order to verify that you have set up ACS correctly, click Network Configuration on the left panel of the ACS. Figure 7 is an example of what you see:

Figure 7

Troubleshoot ACS

When you set up ACS, remember to download all the current patches and latest code. This should solve impending issues. Be sure that the users that you have created show up under Network Configurations. And, when you choose User Setup, verify again that your users actually exist. Click List All Users in order to verify the list of users.

If you have issues with password authentication, click Reports and Activity on the lower left side of the ACS in order to open all available reports. After you open the reports window, you have the option to open RADIUS Accounting, Failed Attempts for login, Passed Authentications, Logged−in Users, and other reports. These reports are .csv files, and you can open the files locally on your machine. See Figure 8. The reports help uncover issues with authentication, such as incorrect user name and/or password. ACS also comes with online documentation.

If you are not connected to a live network and have not defined the service port, ACS uses the IP address of your Ethernet port for your service port. If your network is not connected, you most likely end up with the Windows 169.254.x.x default IP address.

Figure 8


Note: If you type in any external URL, the WLC automatically connects you to the internal web authentication page. If the automatic connection does not work, you can enter the management IP address of the WLC in the URL bar for troubleshooting. Look at the top of the browser for the message that says to redirect for web authentication.

Set Up the Controller for Use with a RADIUS Server

Create the WLAN for RADIUS Authentication

Complete these steps:

1. Open your WLC browser and click WLANs.
2. Create your web authentication client, as the procedure in Configure the Controller for Web Authentication shows.
3. Under Interface Name, choose the management interface of your WLC.
4. At the bottom of the window, add the Authentication Servers. For Authentication Servers, provide the ACS Ethernet IP address. Figure 9 provides an example:

Figure 9


Enter Your RADIUS Server Information into the Cisco WLC

Complete these steps:

1. Click Security in the menu at the top.
2. Click Radius Authentication in the menu on the left.
3. Click Add, and enter the IP address of your ACS/RADIUS server.
   Note: Be sure that the status is enabled.
4. Click Apply.
5. Be sure that the shared secret that you choose is the same one that you give the ACS. Figure 10 provides an example:

Figure 10

Figure 11 shows a configured RADIUS server:
Note: The RADIUS server is enabled.

Figure 11
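Step 5 above requires the shared secret on the WLC and on the ACS to match. The following Python example, added here and not code from the Cisco document or from the WLC/ACS products, shows why: in RADIUS (RFC 2865) the secret keys the MD5-based hiding of the User-Password attribute in the Access-Request, and it is mixed into the Response Authenticator that the controller checks on the Access-Accept or Access-Reject. The shared secret, user name, password, NAS address and request identifier in the code are constructed values.

```python
"""RADIUS Access-Request construction and reply verification (RFC 2865).

Added example; not code from the Cisco document or the WLC/ACS products.
The shared secret, user name, password, NAS address and identifier are
constructed values.
"""
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type (1 byte), Length (1 byte, includes header), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad the password to a multiple of 16 bytes, then XOR
    each block with MD5(secret + previous block); the 'previous block' for the
    first block is the 16-byte Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the RADIUS server (ACS) does. With the
    wrong shared secret the result is garbage, so the login fails."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Build the Access-Request the controller would send to the RADIUS server."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def _response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_reply(code, identifier, attrs, request_authenticator, secret):
    """Build an Access-Accept/Reject the way the server would (used for testing)."""
    auth = _response_authenticator(code, identifier, attrs, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_reply(reply, request_authenticator, secret):
    """Controller-side check: accept the reply only if its Response Authenticator
    was computed with our shared secret over our Request Authenticator."""
    if len(reply) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = _response_authenticator(code, identifier, reply[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    ra = os.urandom(16)
    req = build_access_request(7, "karjames", "passw0rd", secret, "192.0.2.1", ra)
    reply = build_reply(CODE_ACCESS_ACCEPT, 7, b"", ra, secret)
    print("reply verifies with the matching secret:", verify_reply(reply, ra, secret))
    print("reply verifies with a mismatched secret:", verify_reply(reply, ra, b"other"))
```

A mismatched secret shows up in two places: the ACS decodes the User-Password to garbage and records a failed attempt (the reports described under Troubleshoot ACS), and any reply it does send fails `verify_reply` on the controller, so the client never sees a successful login.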


Set Up DHCP and DNS Servers on the WLC

Complete these steps:

1. Click Controller in the menu at the top.
2. Click Internal DHCP Server in the menu on the left.
3. Click New in order to create the DHCP server parameters.
4. Enter the DHCP pool that you wish to use for your clients. In this example, the DHCP pool is the set of addresses from 10.10.10.7 to 10.10.10.9.
5. Enter the IP address of your RADIUS server.
6. Enter the IP address of your DNS server and the DNS domain name. Figure 12 provides an example:

Figure 12

Configure Your Windows Machine to Use Web Authentication

In this section, you are presented with the information to configure your Windows system for web authentication.


Client Configuration

The Microsoft wireless client configuration remains mostly unchanged for this subscriber. You only need to add the appropriate WLAN/SSID configuration information. Complete these steps:

1. From the Windows Start menu, choose Settings > Control Panel > Network and Internet Connections.
2. Click the Network Connections icon.
3. Right−click the LAN Connection icon and choose Disable.
4. Right−click the Wireless Connection icon and choose Enable.
5. Right−click the Wireless Connection icon again and choose Properties.
6. From the Wireless Network Connection Properties window, click the Wireless Networks tab.
7. In order to change the Network Name (in the Preferred Network area), remove the old WLAN/SSID and click Add.
8. Under the Association tab, enter the Network Name (WLAN/SSID) value that you want to use for web authentication. Figure 13 provides an example:

Figure 13

   Note: Notice that Wired Equivalent Privacy (WEP) is enabled. You must disable WEP in order for web authentication to work.
9. Click OK at the bottom of the window in order to save the configuration. When you communicate with the WLAN, you see a beacon icon in the Preferred Network box. Figure 14 shows a successful wireless connection to web auth. The WLC has provided your wireless Windows client with an IP address.

Figure 14


Client Login

Complete these steps:

1. Open a browser window and select the virtual IP address that you set for the local authentication. Be sure that you use the secure https://1.1.1.1/login.html. This step is important in code that is earlier than 3.0, but the step is not necessary in later code. In later code, any URL brings you to the web authentication page. A security alert window displays.
2. Click Yes in order to proceed.
3. When the Login window appears, enter the user name and password of the Local Net User that you created. If your login is successful, you see two browser windows. Each indicates a successful login. You can use the larger window in order to browse the Internet. Use the smaller window in order to log out when your use of the guest network is complete. Figure 15 shows a successful redirect for web authentication.

Figure 15


Figure 16 shows the Login Successful window, which displays when authentication has occurred within the ACS.

Figure 16

Configure Web Passthrough in the WLC

Web passthrough is a solution through which wireless users are redirected to an acceptable usage policy page without having to authenticate when they connect to the Internet. This redirection is taken care of by the WLC itself. The only requirement is to configure the WLC for web passthrough, which is basically web authentication without having to enter any credentials.

Note: This section of the configuration uses a Cisco 2000 Series WLC that runs version 4.0.

Complete these steps in order to configure web passthrough:

1. Repeat steps 1 and 2 in the Add a WLAN Instance section of this document.
2. For Interface Name, choose the name of the VLAN interface that you created.
3. Set the Layer 2 Security appropriately for this type of subscriber. Here, the security is set to None.
4. In the Layer 3 Security area, be sure that the Web Policy check box is checked. Then choose Passthrough and do not choose Authentication.

Figure 17


5. Click Apply in order to save the new interface to the running configuration on the WLAN switch.
6. Review the WLAN Summary window to be sure that the WLAN/SSID (in this case, Web Passthrough) is enabled. The WLAN window then shows that Web Passthrough is enabled in the Security Policies column of the VLAN table.
7. Configure your Web Login Page. In order to do this, go to the WLC GUI, choose Security, and select Web Login Page from the left−side menu.
8. In the Web Login Page, enter whatever verbiage you require in the message field. This message is displayed to the users during their first attempt to use the web after they connect to this particular WLAN. When you enable Web Policy and Passthrough, it only gives the user an Accept button. See Figure 18.

Figure 18


9. In order to verify web passthrough, try to access any web site through the Internet browser once your client is connected to this WLAN. You are redirected to this customized acceptable usage policy. Figure 19 shows an example. Note that you can customize this page with your own verbiage.

Figure 19


10. Once the client verifies the policy information and clicks Accept, the client is successfully authenticated (see Figure 20). The client is now entitled to access the Internet. This procedure does not prompt for any credentials from the user for authentication.

Figure 20


Verify Internal Web Authentication

Use this section to confirm that your Internal Web Authentication configuration works properly.

The setup for web authentication is relatively straightforward. Remember to check simple attributes in your Windows client in your wireless network connection. Under the Wireless Networks tab, look for the Use Windows to Configure My Wireless Network setting. Be sure that this option has been checked if you use the Windows Zero configuration. If you use a different client, be sure to refer to the documentation that came with that client in order to set up web authentication.

Verify that you can ping your virtual IP address. Also, verify that you have specified this WLAN/SSID on the WLC, that you have enabled the WLAN/SSID, and that it is correctly set up for web authentication.

Troubleshoot

Use this section to troubleshoot your configuration.

In order to troubleshoot your wireless connection on your PC, carry a Cisco Aironet 350 wireless card. Some of the earlier PCs have wireless adapters that are substandard. Be sure to carry a card that you know is reliable.

Remember that this network solution is meant for use in a guest−access setting. Bear in mind that all traffic is clear text. The only encryption comes with the user name and password that the web authentication provides.

One of the frequent issues that is seen with web authentication is that the redirect to the web authentication page does not work. The user does not see the web authentication window when the user opens the browser. Instead, the user has to manually enter https://1.1.1.1/login.html in order to get to the web authentication window. This has to do with the DNS lookup, which needs to work before the redirect to the web authentication page occurs. If the browser homepage on the wireless client points to a domain name, you need to be able to do nslookup successfully once the client gets associated in order for the redirect to work.

Also, for a WLC that runs a version earlier than 3.2.150.10, the way that web authentication works is that when a user in that SSID tries to access the Internet, the management interface of the controller does a DNS query to see if the URL is valid. If it is, then it shows the authorization page, with the Virtual Interfaces IP address. After the user is successfully logged in, the original request is allowed to pass back to the client. This is because of Cisco bug ID CSCsc68105 (registered customers only). This issue is resolved in all later releases and any URL redirects to the web authentication window. So, if you see that the automatic redirect does not work, it can be because the WLC runs a version earlier than 3.2.150.10. In order to resolve this issue, upgrade the WLC to the latest version.
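The redirect problem above has two stages: the homepage host name must resolve, and the controller must then answer the client's first HTTP request with a redirect to the secure login page on the virtual IP. The following Python example, added here and not code from the Cisco document, checks both stages in that order. The virtual IP 1.1.1.1 and the /login.html path come from the document; the raw HTTP responses, host names and the `redirect=` query string are constructed assumptions, and `check_live` is a hypothetical helper for running the same checks from an associated client.

```python
"""Offline check of the web-authentication redirect described above.

Added example, not code from the Cisco document. The virtual IP 1.1.1.1 and
/login.html are the document's values; the sample responses and host names
are constructed test data.
"""
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit

VIRTUAL_IP = "1.1.1.1"
LOGIN_PATH = "/login.html"
REDIRECT_CODES = (301, 302, 303, 307, 308)

# Constructed sample: what a client should see on its first HTTP request once
# the WLC intercepts it (the exact query string is an assumption).
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: https://1.1.1.1/login.html?redirect=www.example.com/\r\n"
                   b"Content-Length: 0\r\n\r\n")
# Constructed sample: the homepage answered directly, i.e. no interception.
SAMPLE_PASSTHROUGH = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"


def parse_response_head(raw: bytes):
    """Return (status_code, {lower-case header name: value}) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_webauth_redirect(status, location, virtual_ip=VIRTUAL_IP):
    """True only for a redirect to the secure login page on the virtual IP."""
    if status not in REDIRECT_CODES or not location:
        return False
    parts = urlsplit(location)
    return parts.scheme == "https" and parts.hostname == virtual_ip and parts.path == LOGIN_PATH


def diagnose(homepage_url, resolved_ip, status, location):
    """Classify the result in the order the document gives: DNS must resolve
    first, then the controller must intercept the request."""
    host = urlsplit(homepage_url).hostname
    if not host:
        return "bad-url"
    if resolved_ip is None:
        return "dns-failure: %s does not resolve, so the redirect never happens" % host
    if is_webauth_redirect(status, location):
        return "ok"
    if status in REDIRECT_CODES:
        return "redirect-elsewhere"
    return "no-redirect"


def check_live(homepage_url, timeout=5.0):
    """Hypothetical live helper: resolve the homepage host, then fetch it without
    following redirects so the WLC's own 302 is visible. Not used by the offline test."""
    host = urlsplit(homepage_url).hostname
    try:
        resolved = socket.gethostbyname(host)
    except socket.gaierror:
        return diagnose(homepage_url, None, None, None)

    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # make urllib raise HTTPError instead of following

    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(homepage_url, timeout=timeout) as resp:
            return diagnose(homepage_url, resolved, resp.getcode(), resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        return diagnose(homepage_url, resolved, err.code, err.headers.get("Location"))


if __name__ == "__main__":
    for raw in (SAMPLE_REDIRECT, SAMPLE_PASSTHROUGH):
        status, headers = parse_response_head(raw)
        print(status, diagnose("http://www.example.com/", "192.0.2.10", status, headers.get("location")))
```

A "dns-failure" finding points at the DNS server or domain configured under Set Up DHCP and DNS Servers on the WLC; "no-redirect" with working DNS points at the WLAN's Web Policy setting or at the controller version issue described above.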

NetPro Discussion Forums − Featured Conversations

Networking Professionals Connection is a forum for networking professionals to share questions, suggestions, and information about networking solutions, products, and technologies. The featured links are some of the most recent conversations available in this technology.

NetPro Discussion Forums − Featured Conversations for Wireless
  • Wireless − Mobility: WLAN Radio Standards
  • Wireless − Mobility: Security and Network Management
  • Wireless − Mobility: Getting Started with Wireless
  • Wireless − Mobility: General

Related Information
  • Cisco Wireless LAN
  • Cisco Wireless LAN Controller Configuration Guide, Release 3.2 − Configuring Security Solutions
  • Technical Support & Documentation − Cisco Systems

All contents are Copyright © 1992−2006 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

Updated: Dec 03, 2006
