Introduction
This document describes how to configure web authentication in order to work with a proxy setup.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Wireless LAN controller basic configuration
- Web authentication security
Components Used
The information in this document is based on a Cisco Wireless LAN Controller, Version 7.0 and later.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Configure
Network administrators who have a proxy server on their network send web traffic first to the proxy server, which then relays the traffic to the internet. Connections between the client and proxy server can use a TCP port other than port 80 for communication. This port is usually TCP port 3128 or 8080. By default, web authentication only listens on port 80. Thus, when an HTTP GET leaves the computer, it is sent to the proxy port but is dropped by the controller.
This section describes how to configure web authentication in order to work with a proxy setup:
- Configure the Cisco Wireless LAN Controller (WLC) in order to listen on the proxy port.
- Configure the proxy auto-configuration (PAC) file so that the WLC virtual IP address is returned as DIRECT (not proxied).
- Create a preauthentication access control list (ACL) in order to allow the client to download the PAC file before web authentication.
As a quick fix, you can instead configure the client web browser manually so that it reaches 192.0.2.1 directly, bypassing the proxy.
Details on each of these processes are in the next subsections.
Configure the WLC
This procedure describes how to change the port the controller listens on to the port the proxy server is listening on.
- Navigate to the Controller > General page.
- In the WebAuth Proxy Redirection Port field, enter the port that you want the WLC to listen on for client redirect.
- Choose Disabled or Enabled from the WebAuth Proxy Redirection Mode drop-down list:
- If you choose Disabled, clients are presented with the normal web authentication page for passthrough or authentication. So, if you use a proxy, you must configure all client browsers not to use the proxy for 192.0.2.1 (or whichever virtual IP address the WLC uses). See Quick Fix: Configure Web Browser.
- If you choose Enabled, the WLC listens on ports 80, 8080, and 3128 by default, so you do not have to enter those ports in the WebAuth Proxy Redirection Port text field. If a client sends an HTTP GET on one of these ports, it sees a screen that asks it to change its proxy settings to automatic.
- Save the configuration.
- Reboot the controller.
In summary, enter a port number in WebAuth Proxy Redirection Port in order to define the port the WLC listens on. When redirection mode is Enabled, the WLC redirects the client to the proxy settings screen and expects a Web Proxy Auto-Discovery (WPAD) or PAC file to be pushed dynamically for automatic proxy configuration. When Disabled, the client is redirected to the normal web authentication page.
Configure the PAC File
The virtual IP address of the WLC needs to be returned 'direct' in order for Web Auth to authenticate users properly. Direct means that the proxy server does not proxy the request; the client reaches the IP address directly. This is usually configured on the proxy server, in the WPAD or PAC file, by the proxy server administrator. This is an example configuration for a PAC file:
function FindProxyForURL(url, host) {
    // our local URLs from the domains below example.com don't need a proxy,
    // and the WLC virtual IP address 192.0.2.1 must be returned DIRECT:
    if (shExpMatch(host, "*.example.com") || shExpMatch(host, "192.0.2.1"))
    {
        return "DIRECT";
    }
    // URLs within this network are accessed through
    // port 8080 on fastproxy.example.com:
    if (isInNet(host, "10.0.0.0", "255.255.248.0"))
    {
        return "PROXY fastproxy.example.com:8080";
    }
    // All other requests go through port 8080 of proxy.example.com.
    // should that fail to respond, go directly to the WWW:
    return "PROXY proxy.example.com:8080; DIRECT";
}
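The check a WLC administrator wants before pushing a PAC file is that the virtual IP address actually comes back as DIRECT for every branch of the logic. The following is an added example, not from the Cisco document: it evaluates the PAC logic above offline in Node.js. The shExpMatch() and isInNet() functions are stand-ins for the helpers a browser's PAC runtime provides; their semantics here (shell-style glob match, and an IPv4-literal-only network test that does not resolve hostnames) are an assumption, and the sample URLs are constructed.

```javascript
// Added example (not from the Cisco document): evaluate a PAC file offline and
// check that the WLC virtual IP address is returned "DIRECT".
// shExpMatch() and isInNet() are stand-ins for the helpers a browser's PAC
// runtime provides; their semantics here are an assumption (glob match, and an
// IPv4 literal-only network test; a real runtime would also resolve hostnames).

function shExpMatch(str, pattern) {
  // Escape regex metacharacters, then turn the glob wildcards into regex.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
  return re.test(str);
}

function ipToInt(ip) {
  // Dotted-quad IPv4 to an unsigned 32-bit integer.
  return ip.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

function isInNet(host, network, mask) {
  // Only literal IPv4 addresses are tested; hostnames are treated as "not in net".
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(network) & m) >>> 0);
}

// The PAC logic from the document, with the WLC virtual IP (192.0.2.1) returned DIRECT.
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.example.com") || shExpMatch(host, "192.0.2.1")) {
    return "DIRECT";
  }
  if (isInNet(host, "10.0.0.0", "255.255.248.0")) {
    return "PROXY fastproxy.example.com:8080";
  }
  return "PROXY proxy.example.com:8080; DIRECT";
}

// Evaluate the PAC decision for a full URL, the way a browser would (host taken from the URL).
function decisionFor(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

// The check that matters for web authentication: does the redirect target go direct?
function virtualIpGoesDirect(virtualIp) {
  return decisionFor("http://" + virtualIp + "/login.html") === "DIRECT";
}

// Constructed sample URLs covering each branch of the PAC logic.
const SAMPLES = [
  "http://192.0.2.1/login.html",   // WLC virtual IP -> DIRECT
  "http://intranet.example.com/",  // local domain  -> DIRECT
  "http://10.0.5.7/",              // inside 10.0.0.0/21 -> fastproxy
  "http://10.0.9.1/",              // outside /21 -> default proxy
  "http://www.cisco.com/",         // Internet -> default proxy
];
for (const u of SAMPLES) console.log(u, "->", decisionFor(u));
console.log("WLC virtual IP goes direct:", virtualIpGoesDirect("192.0.2.1"));
```

Run it with `node pac-check.js`; if virtualIpGoesDirect() prints false, the PAC file will send the web-auth redirect through the proxy and the login page will never load.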
Create Preauthentication ACL
Place a preauthentication ACL on the web authentication service set identifier (SSID) so that wireless clients can download the PAC file before the clients log into Web Auth. The preauthentication ACL needs to allow access only to the port the PAC file is on. Access to the proxy port allows clients to reach the Internet without web authentication.
- Navigate to Security > Access Control List in order to create an ACL on the controller.
- Create rules to permit the traffic on the PAC download port to the proxy in both directions.
Note: Do not allow the proxy HTTP port (the port on which clients would reach the Internet through the proxy).
- In the WLAN configuration on the controller, do not forget to choose the ACL you just created as a Preauthentication ACL.
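The rule above is easy to get wrong in the other direction: one extra permit on the proxy's HTTP port turns the preauthentication ACL into an Internet bypass. The following is an added example, not from the Cisco document and not WLC syntax: a small lint, in Node.js, over a constructed model of the ACL rules that checks both that the PAC download port is permitted in both directions and that no permit opens the proxy's HTTP port before web authentication. The proxy address 10.0.0.10, the PAC port 8000, the rule record shape and the two sample rule sets are constructed assumptions.

```javascript
// Added example (not from the Cisco document): lint a preauthentication ACL
// modelled as a list of rule records. The proxy address, PAC port and rule
// shape are constructed assumptions, not WLC syntax.

const PROXY_IP = "10.0.0.10";            // assumed proxy server address
const PAC_PORT = 8000;                   // assumed port the PAC file is served on
const PROXY_HTTP_PORTS = [80, 3128, 8080]; // proxy HTTP ports that must stay closed pre-auth

// Rule record: { dir: "in" (client -> network) | "out" (network -> client),
//                action: "permit" | "deny", proto, src, dst (IPv4 or "any"),
//                srcPort, dstPort (number or "any") }
function lintPreauthAcl(rules, proxyIp, pacPort, proxyHttpPorts) {
  const findings = [];
  const permits = rules.filter((r) => r.action === "permit");

  // 1. The PAC file must be reachable in both directions.
  const toProxyPac = permits.some((r) => r.dir === "in" && r.dst === proxyIp && r.dstPort === pacPort);
  const fromProxyPac = permits.some((r) => r.dir === "out" && r.src === proxyIp && r.srcPort === pacPort);
  if (!toProxyPac) findings.push(`missing permit client -> ${proxyIp}:${pacPort} (PAC download)`);
  if (!fromProxyPac) findings.push(`missing permit ${proxyIp}:${pacPort} -> client (PAC download)`);

  // 2. No permit may open the proxy's HTTP port (or all ports) before web auth.
  permits.forEach((r, i) => {
    // The proxy-side port is the destination for inbound rules, the source for outbound ones.
    const proxySidePort = r.dir === "in" ? r.dstPort : r.srcPort;
    if (proxySidePort === "any" || proxyHttpPorts.includes(proxySidePort)) {
      findings.push(`rule ${i}: permits proxy HTTP port ${proxySidePort} before web auth (Internet bypass)`);
    }
  });
  return findings;
}

// Constructed sample: the ACL the document describes (PAC port only, both directions).
const GOOD_ACL = [
  { dir: "in",  action: "permit", proto: "tcp", src: "any",    srcPort: "any",    dst: PROXY_IP, dstPort: PAC_PORT },
  { dir: "out", action: "permit", proto: "tcp", src: PROXY_IP, srcPort: PAC_PORT, dst: "any",    dstPort: "any" },
];

// Constructed sample: the same ACL with the proxy HTTP port mistakenly permitted.
const BAD_ACL = [
  ...GOOD_ACL,
  { dir: "in", action: "permit", proto: "tcp", src: "any", srcPort: "any", dst: PROXY_IP, dstPort: 8080 },
];

console.log("good ACL findings:", lintPreauthAcl(GOOD_ACL, PROXY_IP, PAC_PORT, PROXY_HTTP_PORTS));
console.log("bad ACL findings:", lintPreauthAcl(BAD_ACL, PROXY_IP, PAC_PORT, PROXY_HTTP_PORTS));
```

The lint treats a permit with port "any" on the proxy side as a finding as well, since such a rule also exposes the proxy HTTP port; the outbound PAC rule is not flagged because its proxy-side port is the PAC port, not the client's ephemeral port.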
Quick Fix: Configure Web Browser
This procedure describes how to manually configure an exception so that a client web browser reaches out directly to 192.0.2.1.
- In Internet Explorer, navigate to Tools > Internet options.
- Click the Connections tab, then the LAN Settings button.
- In the Proxy server area, check the Use a proxy server for your LAN check box, and enter the (IP) Address and Port the server listens on.
- Click Advanced and enter the virtual IP address of the WLC in the Exceptions area.
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.