In this post we will see how to implement and configure WLC to support internal Webauth.
Web authentication is a Layer 3 security feature that causes the controller to block IP traffic (except DHCP- and DNS-related packets) from a particular client until that client has correctly supplied a valid username and password.
Web authentication is mostly used to deploy a guest-access network. We must remember that web authentication does not provide data encryption: it is an authentication method only.
Web authentication can be performed using:
- The default login window on the WLC
- A modified version of the default login window on the WLC
- A customised login window that we download to the controller
In this post we will only see the first 3 ways because I don't have an external web server.
Let's start with the configuration of the WLC. We will follow these steps:
- Create a dynamic interface and fill in all the required details.
- Create a WLAN and apply the settings.
- Configure the WLC for Webauth (internal).
- Create a local user for testing.
- Create a dynamic interface and fill all the required details.
From the WLC GUI, choose Controller > Interface > New and fill in the details:
Interface Name: webauth
Vlan Id: 10
- Click on the created interface and then add the following details:
Netmask: 255.255.255.0 (24 bits)
Primary DHCP Server: 192.168.20.3 (WLC management IP for the internal DHCP server)
Click Apply to save the changes.
3. Create a WLAN and apply the settings:
From the WLC GUI, click WLAN in the menu at the top, and click New on the upper right side. This page will appear. Fill in the Profile Name and SSID.
A new WLANs > Edit window appears.
Check the Status box to enable the WLAN.
From the Interface menu, select the name of the VLAN interface (webauth) that we created above.
Check the Broadcast SSID box.
Click on the Security tab.
Click Layer 2 security and set it to None.
Click the Layer 3 tab.
Check the Web Policy box and choose the Authentication option.
Then click Apply on the upper right side to save the changes.
4. Configure the WLC for Webauth (internal).
Internal web authentication is the default web authentication type on WLCs, so there is no need to change the configuration.
5. Create a local user for testing:
We can authenticate users in 3 ways:
Local authentication, RADIUS server, LDAP server
In this post we will test with local authentication.
From the WLC GUI, choose Security > AAA > Local Net Users > New.
Enter the username and password, and select the WLAN profile from the drop-down box.
Assign the user to the correct WLAN profile: webauth
Here we created 2 users:
Username: Sandeep, Password: webauth123
Username: Sandeep1, Password: webauth12345
On the laptop, connect to the Webauth SSID.
7. Then a new browser window will open automatically, or we have to manually enter the virtual interface IP from the WLC: https://220.127.116.11/login.html. A login window will appear.
***On my WLC the virtual interface IP is 18.104.22.168
8. Enter the username and password of the Local Net User that we created:
Username: sandeep, Password: webauth123
9. Modification of the default login window on the WLC
- Log in to the WLC and modify the default login window by choosing Security > Web Auth > Web Login Page, then click on Apply to save it. I changed the headline and message content.
2. Now connect to the webauth WLAN. The login page will appear like this.
3. Enter the username and password.
10. A customized login window that we download to the controller
To download a customized login page, first start a TFTP/FTP server and put the login page in its root directory. Then log in to the WLC GUI, click on Commands and fill in the details.
- Change the WLAN setting.
WLAN > click on the WLAN ID, then Security > Layer 3.
Select the Over-ride Global Config box.
Choose the Customized (Downloaded) webauth type from the drop-down box, select the login and login failure pages, then click Apply.
2. Enter the username/Password and click on I agree with Policy Above.
Here is the complete web authentication process (how it works):
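
The policy described at the top of this post (only DHCP and DNS pass until the client supplies valid credentials) can be modelled in a few lines of Python. This is an added example, not code from the WLC or from the original post: the state names WEBAUTH_REQD and RUN follow the controller's client states, the virtual IP, user account and packets are constructed placeholders, and the HTTP redirect and HTTPS login-page rules are simplifying assumptions.

```python
import hmac
from dataclasses import dataclass

VIRTUAL_IP = "192.0.2.1"  # constructed placeholder for the WLC virtual interface IP
# Constructed local net user: username -> (password, WLAN profile)
LOCAL_NET_USERS = {"guest1": ("example-pass-1", "webauth")}

@dataclass
class Client:
    wlan: str
    state: str = "WEBAUTH_REQD"  # moves to "RUN" after a successful login

def handle_packet(client, pkt):
    """Return the modelled controller decision for one packet from the client."""
    if client.state == "RUN":
        return "forward"
    proto, dport = pkt["proto"], pkt["dport"]
    if proto == "udp" and dport in (67, 68):
        return "forward"            # DHCP is allowed before login
    if proto in ("udp", "tcp") and dport == 53:
        return "forward"            # DNS is allowed before login
    if pkt["dst"] == VIRTUAL_IP and proto == "tcp" and dport == 443:
        return "login-page"         # https://<virtual IP>/login.html
    if proto == "tcp" and dport == 80:
        return "redirect-to-login"  # assumption: browser is sent to the login page
    return "drop"                   # all other IP traffic is blocked

def submit_login(client, username, password):
    """Authenticate against the local net users bound to the client's WLAN."""
    stored = LOCAL_NET_USERS.get(username)
    ok = (stored is not None and stored[1] == client.wlan
          and hmac.compare_digest(stored[0].encode(), password.encode()))
    if ok:
        client.state = "RUN"
    return ok

def demo():
    """Run constructed packets through the model before and after login."""
    c = Client(wlan="webauth")
    pkts = [
        {"proto": "udp", "dst": "255.255.255.255", "dport": 67},  # DHCP
        {"proto": "udp", "dst": "198.51.100.53", "dport": 53},    # DNS
        {"proto": "tcp", "dst": "203.0.113.10", "dport": 80},     # HTTP
        {"proto": "tcp", "dst": "203.0.113.10", "dport": 22},     # other traffic
    ]
    before = [handle_packet(c, p) for p in pkts]
    bad = submit_login(c, "guest1", "wrong")
    good = submit_login(c, "guest1", "example-pass-1")
    after = [handle_packet(c, p) for p in pkts]
    return before, bad, good, after
```

Reaching RUN only lifts the filter: with Layer 2 security set to None, as configured above, the client's traffic still crosses the air unencrypted.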