

Cisco WebAuth appears to be blocking Skype application

Posted on 2013-01-21
Medium Priority
Last Modified: 2013-03-19
Hi Guys
I have a straightforward implementation of Cisco WebAuth on a pilot site.  WebAuth for normal browsing seems to be working fine and the 2 concurrent session limit we have set works equally well.  However, when we try to use Skype it cannot log in.  There are no ACLs that are blocking and I cannot put my finger on the issue.  Any ideas?
Question by:OIWA

Expert Comment

ID: 38801967
This is the most common symptom, but you have to be a bit more precise. Either the user is not redirected (i.e. he types a URL and never ends up going to the webauth page) or the user is redirected correctly but the page itself does not appear.
For the first situation, check that a valid DNS server has been assigned to the client via DHCP (“ipconfig /all”), check that the DNS is reachable from the client (“nslookup www.google.com”), check that the user entered a valid URL in order to be redirected, and check also that the user was going to an HTTP URL on port 80 (for example, reaching an ACS with http://localhost:2002 will not get you redirected since you are sending on port 2002 instead of 80).
For the second situation, it is most likely either a WLC problem (bug) or a client-side problem. It could be that the client has some firewall or blocking software or policy. It could be that they have configured a proxy in their web browser …
Important thing here: it might be a good idea to take a sniffer trace on the client PC. No need for special wireless software; a simple Wireshark run on the wireless adapter will show you if at least the WLC is replying and trying to redirect. You have two possibilities: either the WLC is not replying, or the SSL handshake for the webauth page is going wrong. For the second, you can check if the user's browser allows SSLv3 (some only do SSLv2) and if it could be too aggressive on certificate verification.
It is a common step to try to manually type to check if the webpage appears without worrying about DNS. Actually, you could type and get the same effect. Any ip address you ask will be redirected by the WLC. So typing will actually not make you work around the web redirection. Typing httpS:// will not work because WLC can redirect based on https traffic. Typing IS actually the way to get the page directly without doing any redirection.

Author Comment

ID: 38802046
WebAuth function and redirection are working fine, no problems there.  The user, when authenticated, is redirected to www.google.co.uk, which is also working fine. Once logged in using WebAuth I can browse the Internet without any issues whatsoever, no problems with anything in the normal browser.

As soon as I open Skype and try to log in it just sits there, it cannot authenticate at all.  I have tried the exact same machine on another Wireless LAN with WebAuth function and it works fine, no problem.  Back to Web Auth and Skype fails.  I have just taken a Wireshark Cap and will investigate.

Accepted Solution

OIWA earned 0 total points
ID: 38984540
Sorry for the delay in updates.

As it turned out it wasn't an issue with the WLC or Web Auth at all, rather our Firewall.  We had configured a new NAT pool for the Guest Network and whilst HTTP traffic was being returned to us correctly, HTTPS traffic was not, due to a routing issue with our ISP.  One of the many pitfalls we have come across with this particular provider.

Author Closing Comment

ID: 38998395
Issue was resolved from packet captures we took as part of our troubleshooting process already ongoing.  The TCP sequence not completing for https [443] was a key indicator and led us to troubleshoot the connectivity with the ISP.
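
The check described in the closing comment (TCP handshakes to port 443 that never complete while port 80 works), as an added example that is not part of the original thread. The sample lines and all addresses are constructed, and the input format assumes tab-separated tshark field output as shown in the comment.

```python
from collections import defaultdict

# Constructed sample, shaped like the output of (assumed capture file name):
#   tshark -r capture.pcap -Y tcp -T fields \
#     -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags
SAMPLE = (
    "10.0.0.5\t50001\t203.0.113.10\t80\t0x0002\n"    # SYN
    "203.0.113.10\t80\t10.0.0.5\t50001\t0x0012\n"    # SYN-ACK
    "10.0.0.5\t50001\t203.0.113.10\t80\t0x0010\n"    # ACK, handshake done
    "10.0.0.5\t50002\t203.0.113.20\t443\t0x0002\n"   # SYN
    "10.0.0.5\t50002\t203.0.113.20\t443\t0x0002\n"   # SYN retransmit
    "10.0.0.5\t50002\t203.0.113.20\t443\t0x0002\n"   # SYN retransmit
    "10.0.0.5\t50003\t203.0.113.21\t443\t0x0002\n"   # SYN, never answered
)

SYN, ACK = 0x02, 0x10

def handshake_stats(text):
    """Per server port: connections attempted, answered (SYN-ACK), established."""
    flows = {}  # (client, client_port, server, server_port) -> state
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, flags = line.split("\t")
        flags = int(flags, 16)
        if flags & SYN and not flags & ACK:
            # First SYN opens the flow; retransmitted SYNs do not reset it.
            flows.setdefault((src, sport, dst, dport), "syn_sent")
        elif flags & SYN and flags & ACK:
            key = (dst, dport, src, sport)  # reply travels server -> client
            if flows.get(key) == "syn_sent":
                flows[key] = "syn_ack"
        elif flags & ACK:
            key = (src, sport, dst, dport)
            if flows.get(key) == "syn_ack":
                flows[key] = "established"
    stats = defaultdict(lambda: {"attempted": 0, "answered": 0, "established": 0})
    for (_, _, _, dport), state in flows.items():
        entry = stats[int(dport)]
        entry["attempted"] += 1
        entry["answered"] += state in ("syn_ack", "established")
        entry["established"] += state == "established"
    return dict(stats)

def stalled_ports(stats):
    """Server ports where connections were attempted but none completed."""
    return sorted(p for p, s in stats.items() if s["attempted"] and not s["established"])

if __name__ == "__main__":
    print(stalled_ports(handshake_stats(SAMPLE)))
```

A port with attempts but zero answered SYNs, alongside a port that completes normally from the same client, points at the return path (NAT, firewall or upstream routing) rather than at the client or the WebAuth controller.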
