Cisco :: 2504 Web-Auth Passthrough With External Redirect
Feb 6, 2012
I have a cisco 2504 running 7.0.220.0. I am trying to configure Web Auth for External Redirect, Passthrough. I have a page created on an external web server that was taken from the Web Auth Bundle and modified. It is a simple "accept" or "reject" on a Terms and Conditions page. I have a Pre-Auth ACL configured to only allow communication to the server the T&C page resides on.
When I connect to the SSID, the page redirects to the external URL and the the URL shows up in the browser window with all the variable data as a GET on the URL line, but the page never loads. It just hangs. I can copy the the URL data, paste that in once I am on-net, and the page loads just fine.
So, something is happening when the WLC is attempting to proxy-redirect the page back to the client.
View 7 Replies
ADVERTISEMENT
May 16, 2012
I have a guest wireless network setup on a 5508 WLC using 7.2.103.0 firmware. Under my guest WLAN>security>Layer3 tab I have "layer 3 security" as "none", "web policy" as check marked, "passthrough" selected, "over-ride global config" as check marked, "web auth type" as "customized(downloaded), "login page" and "login failure page" as "login.html" selected.
I haveI have 4402 WLC's using 7.0.116.0 firmware throughout my company that anchor back to the 5508 for the guest network. The 4402 WLC have the guest network configured as WLAN>security>Layer3 tab I have "layer 3 security" as "none", "web policy" as check marked, "passthrough" selected.
I would like to disable the HTTPS for the logon screen and I am not sure what steps need to be done for this. I researched and found the command "config network web-auth secureweb disable". I set the command on the 5508 only and rebooted. When I tested I got a blank webpage with "http://1.1.1.1/fs/customwebauth/login.html?switch_url=http://1.1.1.1/login.html" in the address bar and had no way of clicking the accept button to get to the Internet.
Everything works fine again if I enter "config network web-auth secureweb enable" and reboot. Do I need to run the "config network web-auth secureweb disable" command on all the 4402 WLC's that are anchored to the 5508? What could be breaking my login.html page while using only http?
View 3 Replies
View Related
Jan 24, 2013
I have a 2504 controller and 2 2602 access points. I have managed to get them connected ok to the controller. Now I'm in the home stretch here trying to figure out how to authenticate clients to active directory 2003.I have followed a really good guide on setting up the windows 2003 CA server and have got my certificates installed ok on the controller.It looks as though I have to install the client certificate on each client laptop?? Is there a method other than client certificates with active directory?
View 26 Replies
View Related
Apr 4, 2013
We have a WLC 2504, since a few months, it was working fine, we have a guest Wlan configure with web authentication and the DHCP scope for this in the WLC. The problem today is that its no redirecting the web browser to 1.1.1.1, we try it with 3 laptops and they recieve a correct IP from the DHCP but still can not get redirect to the web authentication portal. Have the default configuration Internal (Default).
In laptops we check the firewall, dont have a proxy activate and have google DNS.. 4.2.2.2 8.8.8.8. In fact this laptops connected to this ssid before.
View 1 Replies
View Related
Apr 23, 2012
I have a 2504 and my goal is to automatically redirect a users home page when they connect to a certain internal website. Authentication isn't a real concern just now.
Is it possible to simply have a users home page redirected when they open their browser upon connecting to the SSID? All of the documents available have stated to use 802.1x / RADIUS or other fancy tools.
View 3 Replies
View Related
May 16, 2012
I would like to know whether LMS 4.1 (local server mode) has the ability to relay syslog messages received from devices to an external syslog server? If so, how do I configure such?
From reading the document and going through the LMS 4.1 GUI, it appears that it could receive and forward messages but only between LMS system (ie. multi server mode) as SSL is required.
View 1 Replies
View Related
Oct 28, 2012
Our company uses a commercial copier monitoring package called FMAudit to obtain meter readings from our clients' copiers, and it uses a feed to send the readings back to us. We have used port 90 for this purpose.Due to a recent server crash and emergency reconfiguration of our network, we have moved our FMAudit central server from in-house to a hosted service, with of course a different external IP address.
Without interfering with our other systems, is there a way to redirect JUST PORT 90 to another IP address external to our own? I don't care if it has to happen at the router or server level. We are using Server 2003 and a Cisco 887VAW.
View 2 Replies
View Related
Jan 18, 2010
I want to redirect internal web traffic (browsing) to an external web server for Web, Virus and Spyware filtering. Those externals proxies are running in 8080 port. I have one ASA firewall and a Cisco 2600 router. I was thinking in doing PBR in the router but in the next hop I can only set one IP, not an IP and a port. So how can I redirect web traffic to an external proxy listening in 8080 port?
View 11 Replies
View Related
Mar 21, 2012
I am desperate to make some kind of translation which convert an outside IP Address of our web server to its inside ip address so that requests can be routed internally to the server.
This is what we have: A wireless network with an SSID to serve visitors. We also have an in-house web server which can be accessed internally and externally. We have a ASA 5520 that protects the internal network, including the Web server, and also routes all traffic from the all visitors connected to the public SSID to the outside. The DHCP server for the wireless network for visitors is configured to give the 8.8.8.8 as dns server. The problem with that is that the www.ourwebserver.com is resolved by Google's dns server to the public IP Address of our web server! The traffic then is sent to the outside interface of the ASA 5520. The visitor who wants to access our web server cannot connect!
How can I configure the ASA to route that traffic to our web server with the public ip address to the inside ip address of the web server?
View 2 Replies
View Related
Nov 25, 2012
I am wondering if the folowing is a valid configuration:
WLC2504
AP2600
I need 3 SSID/VLAN, 1 for corporate devices, 1 for coporate smartphones, 1 for guest.
Port 1 on the 2504 should be used for management and corporate devices and connect to the corp network. Port 2 is for smartphones/guest and will be connected to a Cisco ASA 5515 that is connected to a second ISP.
Corp devices should get IP from an Windows DHCP. Smartphones/guest should get IP from the WLC. Is this possilbe? I read this in a document "To use the WLC as a dhcp, you need to enable DHCP proxy as it is required." Some how I am imagining that this will mess with the Windows DHCP. Is it better to use the ASA as DHCP for smartphones/guest?
View 4 Replies
View Related
Jul 4, 2012
I have Cisco WLC 2504.I was configured one wlan with external web-authentication.External web server is apache on freebsd.When user connect to wlan and open web browser, wlc redirects client to external web page, where client must input hist credentials.When client click "submit" button on external web auth page, wlc initiates RADIUS request to radius server.Radius server(freeradius) is on the same server, where apache running.
sometimes, when client enter credentials on external page and click "submit" button, wlc suddenly redirect client on internal default auth page.
View 14 Replies
View Related
Mar 24, 2013
I'm planning to use these with a 2504 controller. However, I cannot find a straight answer on whether or not the External Antennas provide better coverage than the Integrated Antennas? These will be wall mounted in a combo office/warehouse environment. Also, I cannot figure out if the External Antennas are even included with the 1602E (AIR-CAP1602E-A-K9)? or what if any power adapter/ injector is included with the AP's?
View 14 Replies
View Related
Nov 20, 2012
i have 2 ssid with the same comfiguration (diff only in name) in one ipsec ssid vpn (l2tp over ipsec with natt ) works fine, in another after phase 2 is completed no traffic is forwarded and vpn session is dropped. There are no access lists on equipment.
I found in documentation that need to activate L3 security and set it to vpn pass-through, but in drop-down menu only one item "none". What is the reason to drop ipsec traffic ?
View 4 Replies
View Related
May 9, 2013
I have a Meraki Firewall that sits behind my Cisco RV082. The Meraki is setup to run a VPN connection with my server but I am having problems passing the VPN traffic through properly.
I have 2 Uverse Internet Connections that the RV082 using load balancing so that they are shared. I have 10 static IP's.
I am trying to come in on one of my static IP addresses throught the Cisco RV082 to the Meraki and after doing a capture on the meraki it appears that it is starting to receive data to intiate the VPN connection but when it sends data back to the VPN client machine it never makes it.
View 1 Replies
View Related
Aug 22, 2011
I have a DIR-655_RevB updated with the latest firmware 2.03NA. I have two VPN devices in my house trying to get to my corporate office: a VPN phone and my laptop with a VPN client, both use IPSec. Either device has no problem making a solid VPN connection separate from each other. Meaning that when my laptop is not connected, I can connect the VPN phone with no problem. And when the VPN phone is disconnected, the laptop also has no problem making a solid and stable VPN connection. So I know the router is configured correctly to let thru VPN traffic for either device. i.e. IPSec is enabled, UDP/TCP Endpoint Filtering are both set to Endpoint Independent (and I've tried every other combo), SPI is disabled.
The problem is that I need to have both devices connected simultaneously, which this router is supposed to handle. If I have the VPN phone connected first, then when I launch the laptop VPN client, the VPN phone gets disconnected. I'm assuming that at this point, all VPN traffic is being tunneled back to the laptop. I cannot re-establish the VPN phone connection until I disconnect the laptop client, at which point the VPN phone "automatically" reconnects (meaning I don't have to reboot it, the VPN traffic just somehoe gets redirected back to this device)
View 7 Replies
View Related
Jan 13, 2012
In a cisco firewall 5520 how could you take a public wan connection and pass it to another firewall behind the 5520 without using nat. How could you put a single port on the 5520 into transparent or passthrough much like you can on a broadband modem?
View 3 Replies
View Related
Apr 10, 2012
How to enable PPTP passthrough on Cisco ASA 5505?I have a RRAS server inside and the client is trying to connect from outside.
View 1 Replies
View Related
Feb 26, 2012
I'm having some issues with Web-Passthrough, I'm using two 4404-50 controllers. Clients get IP addresses well. I'm using the controllers internal DHCP Servers. Controllers can reach DNS public IP Addresses (from management and guest vlan), the issue is that only very few clients are able to get displayed the Web-Passthrough page, the rest of the clients never get the page.
Version 7.0.98.0
The controllers also work as anchor controllers for two more foreign controllers.
View 10 Replies
View Related
Jan 24, 2013
I have a pair of ACE 4710 and I think I have all the failover configured correctly and it all appears to be working. My question is regarding setting QOS on the physical interfaces that are part of my port channel. I have qos trust cos enabled on all the interfaces in my port channel. These interfaces are connected to a 3750 swith. Do I need to configure QOS on the 3750 to allow the COS bit to pass through my 3750 to my peer?
View 3 Replies
View Related
Feb 10, 2013
I add a new Cisco ASA 5505 as firewall in of company network. I found the PPTP authentication did not get through to internal Microsoft Server.
ASA Version 8.4(3)!names!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1switchport access vlan 2!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip
[Code]....
View 4 Replies
View Related
Mar 28, 2012
I am working on IPSec Passthrough on an ASA 5520, with version 8.3, and ASDM 6.3. Currently I have a requirement for users in my internal network (10.10.249.128 / 25) to be able to connect to external IPSec VPN servers.
So I created a network object with 10.10.249.128 / 25, and used dynamic PAT to translate the source ip address to the external internet facing outside interface:
I then added the following rules on the inside-in ACL: However troubleshooting shows that isakmp is passing through the firewall, but esp and ah is not.
For isakmp:
For ESP:Seems like the nat rule is drawing my ESP traffic,
View 1 Replies
View Related
Aug 2, 2011
I've download a login.html into the controller successfully, but when I preview the page there isn't an accept button. Do I need to create the accept button with the html file or is there some place I need to enable on the controller itself. After download the .tar file I reboot the controller but no luck. I also create a java script button redirect but it didn't redirect to where I needed to go. It just stuck on the splash page.
View 3 Replies
View Related
Jan 31, 2012
I'm trying to find a reference for how many IPSEC tunnels the WRVS4400N can passthrough.
View 0 Replies
View Related
Sep 22, 2011
I'm trying to access a machine via pptp through a new WAG320n without any success. PPTP Passthrough is enabled i've opened port 1723 TCP pointing to my machines ip-adress but i can't get the connection working.
View 9 Replies
View Related
Mar 18, 2013
I am running into an issue with disabling the web-auth secure web on an 5508 anchor WLC running 7.2.110. After the WLC rebooted, the guest authentication portal didn't show up...I could see the IE tab showed Web Auth Redirect though...Changed again the web-auth secure web to enable and rebooted the WLC fixed the issue.
View 4 Replies
View Related
Jul 7, 2011
I just bought this router recently found out its a strong good router but i got shocked that there is no PPPOE passthrough option on VPN passthought i am disappointed because this option is soo important to me and i just spent money on nothing, is WAG160N doesnt support PPPOE passthrough ??? and if it does how can i do it .
View 9 Replies
View Related
Sep 22, 2011
I have e3000 but in VPN Passthrough I don't have ( pppoe passthrough ). Just I have is ipsec + pptp + l2tp only. How could I add ppoe passthrough in my e3000.
View 2 Replies
View Related
Mar 19, 2013
Region : UnitedStates
Model : TL-MR3020
Hardware Version : V1
Firmware Version : latest
ISP :
I have problem to get pptp working. I setup pptp VPN server on my home router and configured pptp dialup on my laptop. If my laptop connect to internet directly, I am able to connect to home router via PPTP VPN. However, if I connect TL-MR3020 to internet(wired) and then connect my laptop to TL-MR3020 wirelessly, I can browse internet without problem. The problem is I cannot connect to home router via PPTP VPN any more. I believe the problem is on TL-MR3020.
View 4 Replies
View Related
Sep 17, 2012
I am currently trying to set up my old Dlink DIR-655 Router as an Access Point in my dorm room. We are only given one ethernet port in the bedroom and dragging a 50ft ethernet cable between the bedroom and the common area in the suite is no fun. I have tried to far unsuccessfully. I think the problem is related to the 802.1x authentication that is used on the network. How to get it to work? So far I have disabled DHCP, UPnP and then plugged the first client LAN port into the ethernet port that is provided. I can connect to the router and access the admin panel but there is no connection to the internet. It also did not work plugging my computer into a second LAN port instead of connecting wirelessly.
View 1 Replies
View Related
Jan 17, 2012
I have switch cisco 2960 ,When you boot it displays the message that is unknown for me.
View 4 Replies
View Related
Feb 14, 2012
Any setup passthrough mode of the Motorola NVG510 router ATT makes you use with U-Verse to a CISCO 877 or similar, with a block of public addresses they want to use? It is So frustrating that I have to deal with this NVG510. It is NOT a very business class router... I am assuming that I need to put it into "pass through" mode for the Cisco to be able to manage what happens with my assigned public addresses. If there is another way, let me know!
Here's what I plan to do: I've read the "related to" post above, about putting the NVG510 into pass through mode, and I plan to do this as it discusses. I'll assume that works for now. But it will assign the router's WAN IP Address to the router's "outside" interface, not one of my private IP addresses. On the Cisco side, here is what I would do: vlan1 interface is my "inside" private network. Create vlan2 interface using dhcp to get IP/gateway from the nvg510, or set it up manually, whichever works... This interface will be the "outside" NAT interface. But this interface's address will be the router's WAN address, NOT the first of my 5 public assigned usable addresses...
Here is how it will be setup:
interface FastEthernet0
switchport access vlan 2
[code]...
Then - make it my default NAT interface: ip Nat inside source list 110 interface Vlan2 overload
If I stop there... I assume I could then NAT ports from my different private addresses to the various servers in my office. But the router won't have an interface with that first assigned-to-me public address. The reason I ask is that we have a site-to-site crypto- map defined, and the interface it is defined on determines the IP Address it will communicate from. I wanted this to be my own assigned public address, not the WAN address of the router... Not sure how I would do that though... Same with the default NAT assigned to vlan2 - by default machine in access list 110 will get to the internet with the WAN address of the nvg510, not my private address.
Can I create interface vlan3, somehow linked to vlan2, give it the first private address in my block, and then move the cypto-map to this interface, and also change the default Nat to vlan3 now instead of vlan2? ip nat inside source list 110 interface Vlan3 overload
How would I go about doing such a thing? I am not a Cisco expert, I understand just the basics... This is a bit more complicated than I can figure out. Or maybe it is not possible? Will I have to, for any computer that needs unsolicited traffic through the internet to use one of my assigned public addresses, to setup a one-to-one NAT for that address to that internal address? And everyone else is stuck using the WAN address. If this is the case, it is not right... What were they thinking when they designed this router and forced us to use it as a business class U Verse customer? This should NOT be so difficult/complicated.
View 1 Replies
View Related
Aug 10, 2012
We are rolling out a new VPN infrastructure utilizing ASA 5520's (one active/standby cluster at each of our two sites) and making the conversion from the old IPsec client over to AnyConnect 2.5 clients. We do have AnyConnect Premium licenses at both sites, but are not utilizing ISE. What we want to do is first auth the machine that's trying to initiate the AC VPN session to determine if it a company-owned machine (with the idea that only co-owned machines can connect), and then auth the user using RADIUS, which uses attribute 25 to assign them into groups for policy application. We have the RADIUS piece working now, but is there a way to first do the machine auth, and then the user auth? We don't just want to use something like cert-based VPN because if the machine gets stolen (or a non-co user otherwise gets into the OS) then we don't want the non-legit user to be able to establish a VPN session just because they have access to a company machine. The other rub is that the machine auth solution must be cross-OS compatible (we use a mix of Windows, MacOS and Linux on the machines that should be allowed to VPN.)
View 7 Replies
View Related
Sep 24, 2011
I have setup a Cisco Aironet 1040 to connect to our Radius server which I have also configured.
I can successfully connect up any Iphone or Ipad but I cannot get any laptop to connect.
I have attached the logs showing the Iphone Successfully logging in and the Laptop Failing. Every single failure in the Event log for NPS comes up with
Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: scottd
Account Domain: AMSLAN
[Code].....
View 12 Replies
View Related
