Cisco Wireless LAN Controller Configuration Guide, Release 7.4
Configuring Web Auth Proxy
Downloads: This chapterpdf (PDF - 1.18MB) The complete bookPDF (PDF - 17.76MB) | The complete bookePub (ePub - 4.37MB) | Feedback

Configuring Web Auth Proxy

Configuring Web Auth Proxy

Information About the Web Authentication Proxy

This feature enables clients that have manual web proxy enabled in the browser to facilitate authentication with the controller. If the user's browser is configured with manual proxy settings with a configured port number as 8080 or 3128 and if the client requests any URL, the controller responds with a web page prompting the user to change the Internet proxy settings to automatically detect the proxy settings so that the browser’s manual proxy settings information does not get lost. After enabling this settings, the user can get access to the network through the web authentication policy. This functionality is given for port 8080 and 3128 because these are the most commonly used ports for the web proxy server.


Note


The web authentication proxy redirect ports are not blocked through CPU ACL. If a CPU ACL is configured to block the port 8080, 3128, and one random port as part of web authentication proxy configuration, those ports are not blocked because the webauth rules take higher precedence than the CPU ACL rules unless the client is in the webauth_req state.


A web browser has the following three types of Internet settings that you can configure:

  • Auto detect
  • System Proxy
  • Manual

In a manual proxy server configuration, the browser uses the IP address of a proxy server and a port. If this configuration is enabled on the browser, the wireless client communicates with the IP address of the destination proxy server on the configured port. In a web authentication scenario, the controller does not listen to such proxy ports and the client is not able to establish a TCP connection with the controller. The user is unable to get any login page to authentication and get access to the network.

When a wireless client enters a web-authenticated WLAN, the client tries to access a URL. If a manual proxy configuration is configured on the client's browser, all the web traffic going out from the client will be destined to the proxy IP and port configured on the browser.

  • A TCP connection is established between the client and the proxy server IP address that the controller proxies for.
  • The client processes the DHCP response and obtains a JavaScript file from the controller. The script disables all proxy configurations on the client for that session.

    Note


    For external clients, the controller sends the login page as is (with or without JavaScipt).


  • Any requests that bypass the proxy configuration. The controller can then perform web-redirection, login, and authentication.
  • When the client goes out of the network, and then back into its own network, a DHCP refresh occurs and the client continues to use the old proxy configuration configured on the browser.
  • If the external DHCP server is used with webauth proxy, then DHCP option 252 must be configured on the DHCP server for that scope. The value of option 252 will have the format http://<virtual ip>/proxy.js. No extra configuration is needed for internal DHCP servers.

    Note


    When you configure FIPS mode with secure web authentication, we recommend that you use Mozilla Firefox as your browser.


Configuring the Web Authentication Proxy (GUI)


    Step 1   Choose Controller > General
    Step 2   From the WebAuth Proxy Redirection Mode drop-down list, choose Enabled or Disabled.
    Step 3   In the WebAuth Proxy Redirection Port text box, enter the port number of the web auth proxy.

    This text box consists of the port numbers on which the controller listens to for web authentication proxy redirection. By default, the three ports 80, 8080, and 3128 are assumed. If you configured the web authentication redirection port to any port other than these values, you must specify that value.

    Step 4   Click Apply.

    Configuring the Web Authentication Proxy (CLI)

    • Enable web authentication proxy redirection by entering this command: config network web-auth proxy-redirect {enable | disable}

    • Configure the secure web (https) authentication for clients by entering this command: config network web-auth secureweb {enable | disable}

      The default secure web (https) authentication for clients is enabled.

      Note


      If you configure to disallow secure web (https) authentication for clients using the config network web-auth secureweb disable command, then you must reboot the Cisco WLC to implement the change.

    • Set the web authentication port number by entering this command: config network web-auth port port-number

      This parameter specifies the port numbers on which the controller listens to for web authentication proxy redirection. By default, the three ports 80, 8080, and 3128 are assumed. If you configured the web authentication redirection port to any port other than these values, you must specify that value.

    • See the current status of the web authentication proxy configuration by entering one of the following commands:

      • show network summary
      • show running-config