Cisco WebAuth appears to be blocking Skype application
Hi Guys
I have a straight forward implementation of Cisco WebAuth on a pilot site. WebAuth for normal browsing seems to be working fine and the 2 concurrent session limit we have set works equally well. However, when we try to use Skype it it cannot log in? There's not ACL's that are blocking and cannot put my finger on the issue. Any ideas?
Cheers!
I have a straight forward implementation of Cisco WebAuth on a pilot site. WebAuth for normal browsing seems to be working fine and the 2 concurrent session limit we have set works equally well. However, when we try to use Skype it it cannot log in? There's not ACL's that are blocking and cannot put my finger on the issue. Any ideas?
Cheers!
ASKER
Hi
WebAuth function and redirection is working fine, no problems there. The user when authenticated is redirected to www.google.co.uk, also is working fine. Once logged in using WebAuth I can browse the Internet without any issues what so ever, no problems with anything in the normal browser.
As soon as I open Skype and try to log in it just sits there, it cannot authenticate at all. I have tried the exact same machine on another Wireless LAN with WebAuth function and it works fine, no problem. Back to Web Auth and Skype fails. I have just taken a Wireshark Cap and will investigate.
Cheers!
WebAuth function and redirection is working fine, no problems there. The user when authenticated is redirected to www.google.co.uk, also is working fine. Once logged in using WebAuth I can browse the Internet without any issues what so ever, no problems with anything in the normal browser.
As soon as I open Skype and try to log in it just sits there, it cannot authenticate at all. I have tried the exact same machine on another Wireless LAN with WebAuth function and it works fine, no problem. Back to Web Auth and Skype fails. I have just taken a Wireshark Cap and will investigate.
Cheers!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Issue was resolved from packet captures we took as part of our trouble shooting process already on going. The TCP sequence not completing for https [443] was a key indicator and lead us to trouble shoot the connectivity with the ISP.
For the first situation, check that a valid DNS server has been assigned to the client via DHCP (“ipconfig /all”), check that the DNS is reachable from the client (‘nslookup www.google.com”), check that the user entered a valid URL in order to be redirected, check also that the user was going on a HTTP url on port 80 (for example, reaching an ACS with http://localhost:2002 will not get you redirected since you are sending on port 2002 instead of 80).
For the second situation, it is most likely either a WLC problem (bug) or a client-side problem. It could be that the client has some firewall or blocking software or policy. It could be that they have configured a proxy in their web browser …
Important thing here. It might be a good idea to take a sniffer trace on the client PC. No need for special wireless software, a simple wireshark ran on the wireless adapter will show you if at least the WLC is replying and trying to redirect. You have two possibilities : either WLC is not replying, either the SSL handshake for the webauth page is going wrong. For the second, you can check if the user browser allows for SSLv3 (some only do sslv2) and if it could be too aggressive on certificate verification.
It is a common step to try to manually type http://1.1.1.1 to check if the webpage appears without worrying about DNS. Actually, you could type http://6.6.6.6 and get the same effect. Any ip address you ask will be redirected by the WLC. So typing http://1.1.1.1 will actually not make you work around the web redirection. Typing httpS://1.1.1.1 will not work because WLC can redirect based on https traffic. Typing https://1.1.1.1/login.html IS actually the way to get the page directly without doing any redirection.