Wireless Access

Hi,

I'm trying to setup a web-auth configuration on my 5406zl and the WESM module but it do not work.

My configuration is as follows:
- WT.01.15
- VLAN1 : management
- WLAN1: Admin WLAN (not used yet)
- WLAN2: web-auth, no encryption
- Routing enabled between WLAN1 and WLAN2
- Connection to WLAN is ok.
- I can ping the WLAN2 IP address
- Radius is internal
- Web-auth pages are internal
- Empty web-auth "Allow list"

When I try to surf to acces the web-auth page I have the following error:
URL: "https://WESM-WLAN2-IP:444/WLAN2/login.html"
TEXT(firefox 3.0): "Connection failed... Firefox couldn't establish a connection to WESM-WLAN2-IP:444.
...
Site seems up, but the browser couldn't establish a connection..."

Here's what I tried:
- Tried in simple WEP64 configuration: it works
- Tried with/out WLAN2 IP in web-auth "Allow list": no change
- Reload of WESM module: no change

I'll be glad if someone could point me to any hint.

Max

Hi again,

I also tried:
- Moving web-auth on WLAN1. WLAN1 is now the only SSID available, but this did not change anything.
- Disabled my Windows XP Firewall

I also noticed that the web-auth configuration do not work until you reload the WESM module.

I also could give you config file if needed.

Max

Again me,

Finally, when all my tries did not get any results, I deleted the startup-confg and started from scratch.

I managed to have web-auth almost working. The DNS requests were not all passing through the WESM. Sometimes yes and most ofthen not. When they passed through, I finally had the internal login page displayed.

Then I wanted to restart the module to make a test. So I saved the config and restarted it. Then I get the same error message of my first post.
I then restarted the whole 5406zl and the web-auth worked again :)

During my debug session I noticed some problem with the internal Radius server and the web-auth. Despite radius was agreeing on my login/pwd, the WESM would'nt let me through:

Jul 31 11:59:36 2008: %CC-6-WEBAUTHFAILED: Station 00-09-B7-02-56-D2 failed web authentication on wlan 1
Jul 31 11:59:36 2008: %DAEMON-5-NOTICE: radiusd[5759]: Login OK: [guest] (from client localhost port 1 cli 00-09-B7-02-56-D2)

I had to use an external radius server to make it work and go further in my debugging.

Max

Note:
I couldn't configure IE7 to make it work with the web-auth. Firefox3.x is ok

Hi Max,

Is "Enable HTTPS" checked on the WESM?
Do you have a valig trustpoint?
Does your client get an IP address?

When you change from web-auth to no-auth, can you access your network/internet?

I attached my working configuration. On the router I've configured NAT.

Michael

Hi Michael and thanks for your reply,

- HTTPS is enabled (by default)
- I have the defaut TrustPoint and it is valid up to next year. When I try to create a new self-signed cert, the web interface give me the error "Unable to configure the new Truspoint: Not Writable".
- The Client receive an IP address from the WESM
- When I use WEP or other auth or encryption, the WESM works well

I'll test your config file and post the result here.

Thanks

Max

Hi Michael,

I compared your configuration and mine. Yours seems to be exempt of the securty configuration, or not ?

I attached my configuration with a test TrustPoint. Even with this test trustpoint created through the CLI, I can't see it on the web management page.

I confirm I can't create any key or certificate from the web pages. Perhaps I should change my WESM module ? I don't know where to go from here.

Max

Hi Max,

If I'm correct you can only use the local radius server for managing guest accounts.
I used a blank shared-key for the local radius.

In your config I see that you guest group is not configured for vlan 81.

Also I discovered a problem with timezones.
If I created a guest account with a starting date/time (through CLI or web). That account will become valid (given our timezone and daytime saving) 2 hours later.
Therefore I set my timezone to GMT and created account will become active instantly.

Michael

Hi Michael,

I tested again my configuration with your guest group vlan suggestion.

After a few tries/changes and else, web-auth worked for a few minutes(explained below). While it was working, external radius was working fine. So it's not Radius.

I noticed a serious instability in the web-auth service. I ran my tests with these OS:
Windows XP SP3 (Main test machine)
Windows Vista 32bits
Linux

While I never encountered any problem with the Linux station, I had very strange results on XP. Here's an exemple :
- Once I was authenticated, I could surf and else.
- Then I disconnected my station and reconnected it => not working anymore.
- Waited ~20mn => worked again.
- Surfed with it (to relax a bit) => not working anymore after 15mn

The behaviour of the Vista stations was very similar to XP.

I'm now installing an old Wi-Fi card to my Windows 2000 notebook. I'm not optimist on the result.

Max