In this post we will see how to implement and configure WLC to support internal Webauth.
Web authentication is a Layer 3 security feature that causes the controller to not allow IP traffic (except DHCP and DNS -related packets) from a particular client until that client has correctly supplied a valid username and password.
Web authentication is mostly used to deploy a guest-access network. We must remember that web authentication does not provide data encryption. Webauth is an authentication method without encryption.
Web authentication can be performed using:
- Default login window on the WLC
- Modification of the default login window on the WLC
- A customized login window that we download to the controller
- A customized login window that we configure on an external web server (External web authentication)
In this post we will only see the starting 3 ways because I don’t have any external webserver.
Let’s start with Configuration of WLC. We will follow these steps:
- Create a dynamic interface and fill all the required details.
- Create a WLAN and apply the settings.
- Configure WLC for Webauth (Internal).
- Create local user for testing.
1. Create a dynamic interface and fill all the required details.
From WLC GUI, Choose Controller > Interface > New and fill the details:
Netmask—255.255.255.0 (24 bits)
Primary DHCP Server—220.127.116.11(WLC Management IP for internal DHCP server)
Click Apply to save the changes.
2. Create a WLAN and apply the settings:
From the WLC GUI, click WLAN in the menu at the top, and click New on the upper right side. This page will appear. Fill Profile name and SSID.
A new WLANs > Edit window appears.
Check the status box to enable the WLAN.
From the Interface menu, select the name of the VLAN interface (webauth) that we created above.
Check the Broadcast SSID box.
Click on Security Tab
Click Layer 2 security and set to None.
Click the Layer 3 tab
Check the Web Policy box and choose the Authentication option.
Then click Apply from upper right side to save changes.
3. Configure WLC for Webauth(Internal).
Internal web authentication is the by default web authentication type on WLCs. NO need to change the configuration.
4. Create local user for testing:
We can use 3 ways:
Local authentication, RADIUS server, LDAP server
In this post we will tests with Local authentication.
WLC GUI, choose Security > AAA > Local Net Users > New
Enter the username, password and WLAN profile from drop down box.
Here we created 2 users:
Username: Sandeep, Password: webauth123
Username: Sandeep1, Password: webauth12345
Default login window on the WLC
1. Connect with Webauth WLAN.
2. Then a new browser will automatically open or we have to manually enter virtual interface IP from WLC : https://18.104.22.168/login.html. A Login window will appears
***In my WLC I have Virtual interface IP as 22.214.171.124
1. Login to WLC and modify the default login window by choosing Security > Web Auth > Web Login Page and click on Apply to save it. I changed the headline and message content.
A customized login window that we download to the controller
1. To download a customized login page, first start a TFTP/FTP server and put the login page in their root directory then login to WLC GUI, click on Commands and the details.
2. Change the WLAN setting.
WLAN > click on WLAN ID then Security > Layer3,
Select the Over-ride Global Config box
Choose Customized (Downloaded) webauth type from drop down box and select the login and login failure page then click apply.
4. Enter the username/Password and click on I agree with Policy Above.
Here is the complete Web Authentication Process(How it works: )
• We open a web browser and enter a URL, http://www.google.com. The client sends out a DNS request for this URL to get the IP for the destination. The WLC bypasses the DNS request to the DNS server and the DNS server responds back with a DNS reply, which contains the IP address of the destination http://www.google.com. This, in turn, is forwarded to the wireless clients.
*** In my above post I used DNS server as 126.96.36.199
• The client then tries to open a TCP connection with the destination IP address. It sends out a TCP SYN packet destined to the IP address of http://www.google.com.
• The WLC has rules configured for the client and hence can act as a proxy for http://www.google.com. It sends back a TCP SYN-ACK packet to the client with source as the IP address of www. google.com. The client sends back a TCP ACK packet in order to complete the three way TCP handshake and the TCP connection is fully established.
• The client sends an HTTP GET packet destined to www. google.com. The WLC intercepts this packet and sends it for redirection handling. The HTTP application gateway prepares a HTML body and sends it back as the reply to the HTTP GET requested by the client. This HTML makes the client go to the default webpage URL of the WLC, for example, http://<Virtual-Server-IP>/login.html.
• The client closes the TCP connection with the IP address, for example, www. google.com.
• Now the client wants to go to http://188.8.131.52/login.html. Therefore, the client tries to open a TCP connection with the virtual IP address of the WLC. It sends a TCP SYN packet for 184.108.40.206 to the WLC.
• The WLC responds back with a TCP SYN-ACK and the client sends back a TCP ACK to the WLC in order to complete the handshake.
• The client sends a HTTP GET for /login.html destined to 220.127.116.11 in order to request for the login page.
• This request is allowed up to the Web Server of the WLC, and the server responds back with the default login page. The client receives the login page on the browser window where the user can go ahead and log in.