WLC 5760/3850 Custom WebAuth with Local Authentication Configuration Example

Available Languages

Download Options

  • PDF     (201.0 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (159.7 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (181.9 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:June 6, 2014
Document ID:117728

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how to configure a custom WebAuth with local authentication on a Wireless LAN Controller (WLC).

Prerequisites

Requirements

Before you configure and customize WebAuth, ensure that your PC:

  • Has an IP address on an open Service Set Identifier (SSID)
  • Can ping the default gateway
  • Can identify and locate the Domain Name Server (DNS) (ipconfig/all)
  • Can resolve names (with nslookup)
  • Can access the Internet

Components Used

The information in this document is based on these software and hardware versions:

  • A 5760 WLC that runs 3.3 code
  • Cisco Aironet 3600 Series Lightweight Access Point
  • Microsoft Windows 7 Native Wireless Supplicant

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

Network Diagram

Authentication, Authorization, and Accounting (AAA)

Here is the configuration for AAA. This configures the authentication and the authorization profiles in such a way that the clients who connect are authenticated to the local WLC database.

aaa new-model
aaa authentication login local_webauth local
aaa authorization network default local
aaa authorization credential-download default local

Parameter-Map

Here is the configuration for the Parameter-Map. This section provides insight on the how to configure the Virtual IP address on the WLC and how to set the parameter type, which helps to specify the redirect URL, Login Page, Logout page, and Failure page. You must make sure that the flash has these files.

parameter-map type webauth global 
virtual-ip ipv4 1.1.1.1 

parameter-map type webauth custom
type webauth
redirect on-success http://www.cisco.com
banner text ^C CC global ip for redirect ^C
 custom-page login device flash:webauth_login.html
 custom-page success device flash:webauth_success.html
 custom-page failure device flash:webauth_failure.html
 custom-page login expired device flash:webauth_expired.html

Wireless LAN (WLAN) Configuration

Here is the configuration for WLAN. The WLAN is configured for Layer 3 security. This configuration maps the authentication list to Local_webauth and ensures that the authentication is handled by the local net users. This calls the AAA configuration that is in the initial step.

wlan webauth 1 webauth

client vlan Vlanx
 no security wpa
 no security wpa akm dot1x 

no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list local_webauth 

security web-auth parameter-map custom

session-timeout 1800
no shutdown

Global Configuration

Use this for the global configuration. Ensure that you have HTTP/HTTPS and IP device tracking enabled. If you do not enable HTTP/HTTPS, you do not get the web page.

ip http server
ip device tracking

Create Local Users

Use this in order to create local users.

username <username> password 0 <password>

FTP Configuration for File Transfer

Use this for the FTP configuration for file transfer.

ip ftp username <username>
ip ftp password <password>

Upload to Flash

Use this in order to upload custom HTML files to the Flash: with command:

5760# copy ftp://x.x.x.x/webauth_login.html flash:

Here is an example of Flash content:

w-5760-2#dir flash:
Directory of flash:/
64649  -rw-        1164   Oct 7 2013 04:36:23 +00:00  webauth_failure.html
64654  -rw-        2047   Oct 7 2013 13:32:38 +00:00  webauth_login.html
64655  -rw-        1208   Oct 7 2013 04:34:12 +00:00  webauth_success.html
64656  -rw-         900   Oct 7 2013 04:35:00 +00:00  webauth_expired.html
64657  -rw-       96894   Oct 7 2013 05:05:09 +00:00  web_auth_logo.png
64658  -rw-       23037   Oct 7 2013 13:17:58 +00:00  web_auth_cisco.png
64660  -rw-        2586   Oct 7 2013 13:31:27 +00:00  web_auth_aup.html

Sample Webauth_login HTML

If this needs any modification or customization, you must involve a developer who knows HTML, which is not covered by the Cisco Technial Assistance Center.

<HTML><HEAD>
<TITLE>Authentication Proxy Login Page</TITLE>
<script type="text/javascript">
var pxypromptwindow1;
var pxysubmitted = false;
function submitreload() {
    if (pxysubmitted == false) {
        pxypromptwindow1=window.open('', 'pxywindow1', 'resizable=no,width=350,height=350,scrollbars=yes');
        pxysubmitted = true;
        return true;
    } else {
        alert("This page can not be submitted twice.");
        return false;
    }
}
</script>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
body {
    background-color: #ffffff;
}
</style>
</HEAD>
<BODY>
<H1><img src="http://192.168.2.91/flash:web_auth_logo.png" width="75" height="50" alt="Cisco Logo" longdesc="http://www.cisco.com"></H1>
<center>
<H2> Wireless Guest Access Web Authentication</H2>
<center>
<iframe src="http://192.168.2.91/flash:web_auth_aup.html" width="950" height="250" scrolling="auto"></iframe><BR><BR>

<FORM method=post action="/" target="pxywindow1">
  Username: <input type=text name=uname><BR><BR>
  Password: <input type=password name=pwd><BR><BR>
  <input type=submit name=ok value=OK   onClick="return submitreload();">
</FORM><noscript>
<BR>
<UL>
  <H2><FONT COLOR="red">Warning!</FONT></H2>
  <p>JavaScript should be enabled in your Web browser 
     for secure authentication</p>
  <LI>Follow the instructions of your Web browser to enable 
      JavaScript if you would like to have JavaScript enabled 
      for secure authentication</LI>
  <BR>OR<BR><BR>
  <LI> Follow these steps if you want to keep JavaScript
       disabled or if your browser does not support JavaScript
    <OL><BR>
      <LI> Close this Web brower window</LI>
      <LI> Click on Reload button of the original browser window</LI>
    </OL></LI>
</UL>
</noscript>
<center>
<p>&nbsp;</p>
<img src="http://192.168.2.91/flash:web_auth_cisco.png" alt="Cisco Powered" width="215" height="136" align="middle" longdesc="http://www.cisco.com">
</center>
</BODY></HTML>

Screenshots

Here are some screenshots from the client:

Client connects to WLAN and is automatically redirected:

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

TAC Authored

Contributed by Cisco Engineers

  • Alexander De Menezes
    Cisco TAC Engineer
  • Surendra BG
    Cisco TAC Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products