WLC L3 Security Web Authentication

In this post we will see how to implement and configure WLC to support internal Webauth.
Web authentication is a Layer 3 security feature that causes the controller to block IP traffic (except DHCP and DNS-related packets) from a particular client until that client has correctly supplied a valid username and password.
Web authentication is mostly used to deploy a guest-access network. We must remember that web authentication does not provide data encryption: Webauth is an authentication method without encryption.

Web authentication can be performed using:
Default login window on the WLC
Modification of the default login window on the WLC
A customised login window that we download to the controller

In this post we will only see the first 3 ways because I don’t have an external web server.

Let’s start with Configuration of WLC. We will follow these steps:

Create a dynamic interface and fill all the required details.
Create a WLAN and apply the settings.
Configure WLC for Webauth (Internal).
Create local user for testing.

  1. Create a dynamic interface and fill all the required details.
    From WLC GUI, Choose Controller > Interface > New and fill the details:

    Interface Name: webauth
    Vlan Id: 10

    Click Apply
  2. Click on created Interface and then add the following details:
    Vlan Identifier-10
    IP Address—
    Netmask— (24 bits)
    Primary DHCP Server— (Management IP for internal DHCP server)

    Click Apply

Click Apply to save the changes.

3. Create a WLAN and apply the settings:
From the WLC GUI, click WLAN in the menu at the top, and click New on the upper right side. This page will appear. Fill in the Profile Name and SSID.

Click Apply.

A new WLANs > Edit window appears.
Check the status box to enable the WLAN.
From the Interface menu, select the name of the VLAN interface (webauth) that we created above.
Check the Broadcast SSID box

Click on Security Tab
Click Layer 2 security and set to None.

Click the Layer 3 tab
Check the Web Policy box and choose the Authentication option.

Then click Apply from upper right side to save changes.

4. Configure WLC for Webauth (Internal).
Internal web authentication is the default web authentication type on WLCs, so there is no need to change the configuration.

5. Create local user for testing:
We can authenticate users in 3 ways:
Local authentication, RADIUS server, LDAP server
In this post we will test with Local authentication.

From the WLC GUI, choose Security > AAA > Local Net Users > New
Enter the username and password, and select the WLAN profile from the drop-down box.

Assign to the correct WLAN Profile webauth

Click Apply
Here we created 2 users:
Username: Sandeep, Password: webauth123
Username: Sandeep1, Password: webauth12345

6. Verification
On the laptop, connect to the Webauth SSID.

7. A new browser window will then open automatically, or we have to manually enter the virtual interface IP from the WLC. A login window will appear.
***In my WLC I have Virtual interface IP as

8. Enter the username and password of the Local Net User that we created:
Username: sandeep, Password: webauth123

9. Modification of the default login window on the WLC

  1. Login to WLC and modify the default login window by choosing Security > Web Auth > Web Login Page and click on Apply to save it. I changed the headline and message content.

2. Now connect to the webauth WLAN. The login page will appear like this.

3. Enter the username and password.

10. A customized login window that we download to the controller

To download a customized login page, first start a TFTP/FTP server and put the login page in its root directory, then log in to the WLC GUI, click on Commands and fill in the details.

  1. Change the WLAN setting.
    WLAN > click on WLAN ID then Security > Layer3,
    Select the Over-ride Global Config box
    Choose the Customized (Downloaded) webauth type from the drop-down box, select the login and login failure pages, then click Apply.

2. Enter the username/password and click on I agree with Policy Above.

Here is the complete Web Authentication process (how it works):
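
The gating behaviour described at the top of this post (only DHCP and DNS pass until a valid Local Net User logs in on the assigned WLAN profile) can be modelled in a few lines. This is an added Python example, not code from the controller or from the original post; the `Client`, `login` and `decide` names, the port set and the MAC address are assumptions made for the illustration, and the model leaves out the login page exchange itself.

```python
import hmac
from dataclasses import dataclass

# Constructed stand-in for the controller's Local Net Users table:
# username -> (password, WLAN profile the user is assigned to).
LOCAL_NET_USERS = {
    "Sandeep": ("webauth123", "webauth"),
    "Sandeep1": ("webauth12345", "webauth"),
}

# Traffic the post says is let through before login: DHCP and DNS.
# The port numbers are the standard ones, assumed for this model.
PRE_AUTH_ALLOWED = {("udp", 67), ("udp", 68), ("udp", 53), ("tcp", 53)}


@dataclass
class Client:
    mac: str
    wlan_profile: str
    authenticated: bool = False


def login(client, username, password):
    """Authenticate the client only for a valid user assigned to its WLAN."""
    entry = LOCAL_NET_USERS.get(username)
    if entry is None:
        return False
    stored_password, profile = entry
    ok = hmac.compare_digest(password.encode(), stored_password.encode())
    if not (ok and profile == client.wlan_profile):
        return False
    client.authenticated = True
    return True


def decide(client, proto, dst_port):
    """Return 'forward' or 'drop' for one IP packet sent by the client."""
    if client.authenticated or (proto, dst_port) in PRE_AUTH_ALLOWED:
        return "forward"
    return "drop"


if __name__ == "__main__":
    laptop = Client(mac="00:00:5e:00:53:01", wlan_profile="webauth")
    for proto, port in [("udp", 67), ("udp", 53), ("tcp", 443)]:
        print("before login", proto, port, decide(laptop, proto, port))
    login(laptop, "Sandeep", "webauth123")
    print("after login tcp 443", decide(laptop, "tcp", 443))
```

Nothing in this flow encrypts the client's traffic: with Layer 2 security set to None, frames stay in the clear after a successful login as well.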