Customized Webauth Page Error

In this post we will learn how to tar the webauth bundle and which software to use to create the archive.

Today I spent almost 3 hours trying to upload a webauth bundle to the WLC.

I tried to create the tar file using these programs:
1. PowerArchiver
2. 7-Zip
3. WinZip

But that always gave me this error:

Cuwebauth1

I tried with both above-mentioned software but that didn’t work. It shows that there is something wrong with the tar file.

There are some limitations with custom webauth that vary with versions and bugs. Things to watch for include:

***The .tar file size (no more than 1Mb)
***The number of files in the .tar (I did not find a single document which shows the max number of files in a .tar file)
***The filename length of the files (should be no more than 30 characters)

I have these files in my .tar:

Cuwebauth2

***I had an evaluation copy of PicoZip earlier and it worked for me, but now it has expired. (So if you have it, I think it will/should work; at least it worked for me.)

But frankly speaking, I don’t believe that any Windows-based software will work.

I have already said that today I wasted almost 3 hours getting it to work.
The magic software through which I finally got it working is Cygwin (it worked for me like a charm).

We can download it from here: https://cygwin.com/install.html

How to use this:
I am not good at Linux, but what I used here are very basic commands.

1. Make a directory

RSCCIEW ~
 $ mkdir webauth

2. Put all the files under this directory

Cuwebauth3

3. Then jump to this directory

RSCCIEW ~
 $ cd webauth

Check which files are under this directory:

RSCCIEW ~/webauth
 $ ls
 aup.html failed.html login.html logout.html yourlogo.jpg

4. Now start archiving into .tar format

RSCCIEW ~/webauth
 $ tar -cvf testwebauth.tar *
 aup.html
 failed.html
 login.html
 logout.html
 yourlogo.jpg

5. Verify .tar file under the directory

RSCCIEW ~/webauth
 $ ls
 aup.html failed.html login.html logout.html testwebauth.tar yourlogo.jpg
RSCCIEW ~/webauth
 $

That’s it.
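The limits listed earlier can be checked against the finished archive before it goes to the TFTP server. This is an added example, not part of the original post; the function name `check_webauth_bundle`, the reading of "1Mb" as 1048576 bytes, and the login.html and flat-layout checks (mirroring the listing in step 4) are assumptions.

```shell
#!/bin/sh
# Added example: pre-upload check for a webauth bundle built as in steps 1-5.
# Limits are the ones listed in the post; treating "1Mb" as 1048576 bytes,
# requiring login.html, and requiring a flat layout are assumptions.
MAX_BYTES=1048576
MAX_NAME=30

# check_webauth_bundle <file.tar>
# Prints one line per problem; returns 0 if the bundle passes, 1 otherwise.
# The body runs in a subshell so its variables do not leak to the caller.
check_webauth_bundle() (
    tarfile=$1
    problems=0
    has_login=0

    if ! listing=$(tar -tf "$tarfile" 2>/dev/null); then
        echo "FAIL: $tarfile is not a readable tar archive"
        return 1
    fi

    size=$(( $(wc -c < "$tarfile") ))
    if [ "$size" -gt "$MAX_BYTES" ]; then
        echo "FAIL: archive is $size bytes (limit $MAX_BYTES)"
        problems=1
    fi

    while IFS= read -r entry; do
        case $entry in
            */*) echo "FAIL: '$entry' is not at the top level of the archive"
                 problems=1 ;;
        esac
        if [ "${#entry}" -gt "$MAX_NAME" ]; then
            echo "FAIL: '$entry' is ${#entry} characters (limit $MAX_NAME)"
            problems=1
        fi
        if [ "$entry" = "login.html" ]; then has_login=1; fi
    done <<EOF
$listing
EOF

    if [ "$has_login" -eq 0 ]; then
        echo "FAIL: no login.html at the top level"
        problems=1
    fi
    if [ "$problems" -eq 0 ]; then echo "OK: $tarfile passes"; fi
    return "$problems"
)
```

Run it as `check_webauth_bundle testwebauth.tar` from the same Cygwin prompt; an archive made from the parent directory (for example `tar -cvf x.tar webauth`) is reported because every entry carries the `webauth/` prefix.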

Now let’s go to the WLC and try to upload this file (testwebauth.tar).

***Don’t forget to put this file in the root directory of the TFTP server

Cuwebauth4

Cuwebauth5

Cuwebauth6

That must/should be successful.


WLC WebAuth configuration

In this post we will see how to implement and configure WLC to support internal Webauth.
Web authentication is a Layer 3 security feature that causes the controller to not allow IP traffic (except DHCP- and DNS-related packets) from a particular client until that client has correctly supplied a valid username and password.
Web authentication is mostly used to deploy a guest-access network. We must remember that web authentication does not provide data encryption. Webauth is an authentication method without encryption.

Web authentication can be performed using:

  • Default login window on the WLC
  • Modification of the default login window on the WLC
  • A customized login window that we download to the controller
  • A customized login window that we configure on an external web server (External web authentication)

In this post we will only cover the first 3 methods because I don’t have an external web server.

Let’s start with Configuration of WLC. We will follow these steps:

  1. Create a dynamic interface and fill all the required details.
  2. Create a WLAN and apply the settings.
  3. Configure WLC for Webauth (Internal).
  4. Create local user for testing.
  5. Verification

1. Create a dynamic interface and fill all the required details.

From the WLC GUI, choose Controller > Interface > New and fill in the details:
IP Address—10.99.81.1
Netmask—255.255.255.0 (24 bits)
Gateway—10.99.81.254
Port Number—1
Primary DHCP Server—172.99.80.1 (WLC Management IP for internal DHCP server)

webauth1

webauth2

Click Apply to save the changes.

2. Create a WLAN and apply the settings:

From the WLC GUI, click WLAN in the menu at the top, and click New on the upper right side. This page will appear. Fill in the Profile Name and SSID.

webauth3

Click Apply.

A new WLANs > Edit window appears.
Check the status box to enable the WLAN.
From the Interface menu, select the name of the VLAN interface (webauth) that we created above.
Check the Broadcast SSID box.

webauth4

Click the Security tab.
Click Layer 2 and set Layer 2 security to None.

webauth5

Click the Layer 3 tab
Check the Web Policy box and choose the Authentication option.

webauth6

Then click Apply from upper right side to save changes.

3. Configure WLC for Webauth(Internal).

Internal web authentication is the default web authentication type on WLCs. No need to change the configuration.

4. Create local user for testing:

We can authenticate users in 3 ways:
Local authentication, RADIUS server, LDAP server
In this post we will test with Local authentication.

From the WLC GUI, choose Security > AAA > Local Net Users > New
Enter the username and password, and select the WLAN profile from the drop-down box.

webauth7

Click Apply
Here we created 2 users:
Username: Sandeep, Password: webauth123
Username: Sandeep1, Password: webauth12345

webauth8

5. Verification

Default login window on the WLC
1. Connect to the Webauth WLAN.

webauth9

2. Then a new browser window will open automatically, or we have to manually enter the virtual interface IP of the WLC: https://1.1.1.1/login.html. A login window will appear.
***In my WLC I have the Virtual interface IP as 2.2.2.2

webauth10

3. Enter the username and password of the Local Net User that we created:
Username: sandeep, Password: webauth123

webauth11

Modification of the default login window on the WLC

1. Log in to the WLC and modify the default login window by choosing Security > Web Auth > Web Login Page, then click Apply to save it. I changed the headline and message content.

webauth12

2. Now connect to the webauth WLAN. The login page will appear like this.

webauth13

3. Enter the username and password.

webauth14

A customized login window that we download to the controller

1. To download a customized login page, first start a TFTP/FTP server and put the login page in its root directory, then log in to the WLC GUI, click on Commands and fill in the details.

webauth15

2. Change the WLAN setting.
WLAN > click on the WLAN ID, then Security > Layer 3.
Select the Over-ride Global Config box.
Choose the Customized (Downloaded) webauth type from the drop-down box, select the login and login failure pages, then click Apply.

webauth16

3. Connect to the WLAN “webauth”; this login page will appear.

webauth17

4. Enter the username/password and click on I agree with Policy Above.

webauth18

Here is the complete web authentication process (how it works):

• We open a web browser and enter a URL, http://www.google.com. The client sends out a DNS request for this URL to get the IP for the destination. The WLC passes the DNS request through to the DNS server and the DNS server responds with a DNS reply, which contains the IP address of the destination http://www.google.com. This, in turn, is forwarded to the wireless client.
*** In my above post I used DNS server as 8.8.8.8

• The client then tries to open a TCP connection with the destination IP address. It sends out a TCP SYN packet destined to the IP address of http://www.google.com.

• The WLC has rules configured for the client and hence can act as a proxy for http://www.google.com. It sends back a TCP SYN-ACK packet to the client with the IP address of www.google.com as the source. The client sends back a TCP ACK packet in order to complete the three-way TCP handshake and the TCP connection is fully established.

• The client sends an HTTP GET packet destined to www.google.com. The WLC intercepts this packet and sends it for redirection handling. The HTTP application gateway prepares an HTML body and sends it back as the reply to the HTTP GET requested by the client. This HTML makes the client go to the default webpage URL of the WLC, for example, http://<Virtual-Server-IP>/login.html.

• The client closes the TCP connection with the IP address, for example, www.google.com.

• Now the client wants to go to http://2.2.2.2/login.html. Therefore, the client tries to open a TCP connection with the virtual IP address of the WLC. It sends a TCP SYN packet for 2.2.2.2 to the WLC.

• The WLC responds back with a TCP SYN-ACK and the client sends back a TCP ACK to the WLC in order to complete the handshake.

• The client sends an HTTP GET for /login.html destined to 2.2.2.2 to request the login page.

• This request is allowed through to the web server of the WLC, and the server responds with the default login page. The client receives the login page in the browser window, where the user can go ahead and log in.