- Preface
-
- Cisco Wireless Solution Overview
- Getting Started
- Managing Licenses
- Configuring 802.11 Bands
- Configuring 802.11 Parameters
- Configuring DHCP Proxy
- Configuring SNMP
- Configuring Aggressive Load Balancing
- Configuring Fast SSID Changing
- Configuring 802.3 Bridging
- Configuring Multicast
- Configuring Client Roaming
- Configuring IP-MAC Address Binding
- Configuring Quality of Service
- Configuring Application Visibility and Control
- Configuring Media and EDCA Parameters
- Configuring the Cisco Discovery Protocol
- Configuring Authentication for the Controller and NTP/SNTP Server
- Configuring RFID Tag Tracking
- Resetting the Controller to Default Settings
- Managing Controller Software and Configurations
- Managing User Accounts
- Managing Web Authentication
- Configuring Wired Guest Access
- Troubleshooting
-
- Overview of Ports and Interfaces
- Configuring the Management Interface
- Configuring the AP-Manager Interface
- Configuring Virtual Interfaces
- Configuring Service-Port Interfaces
- Configuring Dynamic Interfaces
- Configuring Ports
- Configuring Link Aggregation
- Configuring Multiple AP-Manager Interfaces
- Configuring VLAN Select
- Configuring Interface Groups
- Configuring Multicast Optimization
-
- Cisco Unified Wireless Network Solution Security
- Configuring RADIUS
- Configuring TACACS+
- Configuring Maximum Local Database Entries
- Configuring Local Network Users on the Controller
- Configuring Password Policies
- Configuring LDAP
- Configuring Local EAP
- Configuring the System for SpectraLink NetLink Telephones
- Configuring RADIUS NAC Support
- Using Management Over Wireless
- Using Dynamic Interfaces for Management
- Configuring DHCP Option 82
- Configuring and Applying Access Control Lists
- Configuring Management Frame Protection
- Configuring Client Exclusion Policies
- Configuring Identity Networking
- Configuring AAA Override
- Managing Rogue Devices
- Classifying Rogue Access Points
- Configuring Cisco TrustSec SXP
- Configuring Cisco Intrusion Detection System
- Configuring IDS Signatures
- Configuring wIPS
- Configuring the Wi-Fi Direct Client Policy
- Configuring Web Auth Proxy
- Detecting Active Exploits
-
- Overview
- Configuring WLANs
- Setting the Client Count per WLAN
- Configuring DHCP
- Configuring DHCP Scopes
- Configuring MAC Filtering for WLANs
- Configuring Local MAC Filters
- Configuring Timeouts
- Configuring the DTIM Period
- Configuring Peer-to-Peer Blocking
- Configuring Layer2 Security
- Configuring a WLAN for Static WEP
- Configuring Sticky Key Caching
- Configuring CKIP
- Configuring Layer 3 Security
- Configuring Captive Bypassing
- Configuring a Fallback Policy with MAC Filtering and Web Authentication
- Assigning a QoS Profile to a WLAN
- Configuring QoS Enhanced BSS
- Configuring Media Session Snooping and Reporting
- Configuring Key Telephone System-Based CAC
- Configuring Reanchoring of Roaming Voice Clients
- Configuring Seamless IPv6 Mobility
- Configuring Cisco Client Extensions
- Configuring Remote LANs
- Configuring AP Groups
- Configuring RF Profiles
- Configuring Web Redirect with 8021.X Authentication
- Configuring NAC Out-of-Band Integration
- Configuring Passive Clients
- Configuring Client Profiling
- Configuring Per-WLAN RADIUS Source Support
- Configuring Mobile Concierge
- Configuring Assisted Roaming
-
- Using Access Point Communication Protocols
- Searching for Access Points
- Searching for Access Point Radios
- Configuring Global Credentials for Access Points
- Configuring Authentication for Access Points
- Configuring Embedded Access Points
- Converting Autonomous Access Points to Lightweight Mode
- Configuring Packet Capture
- Configuring OfficeExtend Access Points
- Using Cisco Workgroup Bridges
- Using Non-Cisco Workgroup Bridges
- Configuring Backup Controllers
- High Availability
- Configuring Failover Priority for Access Points
- Configuring AP Retransmission Interval and Retry Count
- Country Codes
- Optimizing RFID Tracking on Access Points
- Configuring Probe Request Forwarding
- Retrieving the Unique Device Identifier on Controllers and Access Points
- Performing a Link Test
- Configuring Link Latency
- Configuring the TCP MSS
- Configuring Power Over Ethernet
- Viewing Clients
- Configuring LED States for Access Points
- Configuring Access Points with Dual-Band Radios
-
- Mobility Groups
- Viewing Mobility Group Statistics
- Configuring Auto-Anchor Mobility
- Validating WLAN Mobility Security Values
- Using Symmetric Mobility Tunneling
- Running Mobility Ping Tests
- Configuring Dynamic Anchoring for Clients with Static IP Addresses
- Configuring Foreign Mappings
- Configuring Proxy Mobile IPv6
- Index
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
- Updated:
- May 22, 2017
Chapter: Configuring Layer 3 Security
Configuring Layer 3 Security
Configuring Layer 3 Security Using Web Authentication
Prerequisites for Configuring Web Authentication on a WLAN
-
To initiate HTTP/HTTPS web authentication redirection, use HTTP URL or HTTPS URL.
-
If the CPU ACLs are configured to block HTTP / HTTPS traffic, after the successful web login authentication, there could be a failure in the redirection page.
-
Before enabling web authentication, make sure that all proxy servers are configured for ports other than port 53.
-
When you enable web authentication for a WLAN, a message appears indicating that the controller forwards DNS traffic to and from wireless clients prior to authentication. We recommend that you have a firewall or intrusion detection system (IDS) behind your guest VLAN to regulate DNS traffic and to prevent and detect any DNS tunneling attacks.
-
If the web authentication is enabled on the WLAN and you also have the CPU ACL rules, the client-based web authentication rules take higher precedence as long as the client is unauthenticated (in the webAuth_Reqd state). Once the client goes to the RUN state, the CPU ACL rules get applied. Therefore, if the CPU ACL rules are enabled in the controller, an allow rule for the virtual interface IP is required (in any direction) with the following conditions:
-
The allow rule for the virtual IP should be for TCP protocol and port 80 (if secureweb is disabled) or port 443 (if secureweb is enabled). This process is required to allow client’s access to the virtual interface IP address, post successful authentication when the CPU ACL rules are in place.
Restrictions for Configuring Web Authentication on a WLAN
- Web authentication is supported only with these Layer 2 security policies: open authentication, open authentication+WEP, and WPA-PSK. With the 7.4 release, web authentication is supported for use with 802.1X.
- Special charecters are not supported in the username field for web-authentication.
When clients connect to a WebAuth SSID and a preauthorization ACL configured to allow VPN users, the clients will get disconnected from the SSID every few minutes. Webauth SSIDs must not connect without authenticating on the web page.
You can select the following identity stores to authenticate web-auth user, under WLANs > Security > AAA servers > Authentication priority order for web-auth user section: If multiple identity stores are selected, then the controller checks each identity store in the list, in the order specified, from top to bottom, until authentication for the user succeeds. The authentication fails, if the controller reaches the end of the list and user remains un-authenticated in any of the identity stores.
Information About Web Authentication
WLANs can use web authentication only if VPN passthrough is not enabled on the controller. Web authentication is simple to set up and use and can be used with SSL to improve the overall security of the WLAN.
Configuring Web Authentication
Feedback