Solved

Cisco WebAuth appears to be blocking Skype application

Posted on 2013-01-21
Last Modified: 2013-03-19
Hi Guys
I have a straightforward implementation of Cisco WebAuth on a pilot site.  WebAuth for normal browsing seems to be working fine and the 2 concurrent session limit we have set works equally well.  However, when we try to use Skype it cannot log in.  There are no ACLs that are blocking and I cannot put my finger on the issue.  Any ideas?
Cheers!
Question by:OIWA

Expert Comment

by:avcontrol
ID: 38801967
This is the most common symptom. But you have to be a bit more precise. Either the user is not redirected (i.e. he types a URL and never ends up going to the webauth page) or the user is redirected to 1.1.1.1 correctly but the page itself does not appear.
For the first situation, check that a valid DNS server has been assigned to the client via DHCP ("ipconfig /all"), check that the DNS is reachable from the client ("nslookup www.google.com"), check that the user entered a valid URL in order to be redirected, and check also that the user was going to an HTTP URL on port 80 (for example, reaching an ACS with http://localhost:2002 will not get you redirected since you are sending on port 2002 instead of 80).
 
For the second situation, it is most likely either a WLC problem (bug) or a client-side problem. It could be that the client has some firewall or blocking software or policy. It could be that they have configured a proxy in their web browser …
 
Important thing here. It might be a good idea to take a sniffer trace on the client PC. No need for special wireless software; a simple Wireshark run on the wireless adapter will show you if at least the WLC is replying and trying to redirect. You have two possibilities: either the WLC is not replying, or the SSL handshake for the webauth page is going wrong. For the second, you can check if the user's browser allows for SSLv3 (some only do SSLv2) and if it could be too aggressive on certificate verification.
 
It is a common step to try to manually type http://1.1.1.1 to check if the webpage appears without worrying about DNS. Actually, you could type http://6.6.6.6 and get the same effect. Any ip address you ask will be redirected by the WLC. So typing http://1.1.1.1 will actually not make you work around the web redirection. Typing httpS://1.1.1.1 will not work because WLC can redirect based on https traffic. Typing https://1.1.1.1/login.html IS actually the way to get the page directly without doing any redirection.
 

Author Comment

by:OIWA
ID: 38802046
Hi
WebAuth function and redirection are working fine, no problems there.  The user, when authenticated, is redirected to www.google.co.uk, which is also working fine. Once logged in using WebAuth I can browse the Internet without any issues whatsoever, no problems with anything in the normal browser.

As soon as I open Skype and try to log in it just sits there, it cannot authenticate at all.  I have tried the exact same machine on another Wireless LAN with WebAuth function and it works fine, no problem.  Back to Web Auth and Skype fails.  I have just taken a Wireshark Cap and will investigate.
Cheers!
 

Accepted Solution

by:
OIWA earned 0 total points
ID: 38984540
Sorry for the delay in updates.

As it turned out it wasn't an issue with the WLC or Web Auth at all, rather our Firewall.  We had configured a new NAT pool for the Guest Network and whilst HTTP traffic was being returned to us correctly, HTTPS traffic was not, due to a routing issue with our ISP.  One of the many pitfalls we have come across with this particular provider.
 

Author Closing Comment

by:OIWA
ID: 38998395
Issue was resolved from packet captures we took as part of our troubleshooting process already ongoing.  The TCP sequence not completing for https [443] was a key indicator and led us to troubleshoot the connectivity with the ISP.
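The check described in the closing comment (TCP handshakes completing on port 80 but not on 443) can be automated over exported capture rows. This is an added example, not part of the original posts; the row format, addresses and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample, one row per TCP segment seen on the client:
# "time,src,sport,dst,dport,tcp_flags(hex)". Addresses are documentation ranges.
CAPTURE = """\
0.000,192.0.2.10,50001,198.51.100.5,80,0x002
0.031,198.51.100.5,80,192.0.2.10,50001,0x012
0.031,192.0.2.10,50001,198.51.100.5,80,0x010
1.000,192.0.2.10,50002,203.0.113.7,443,0x002
4.000,192.0.2.10,50002,203.0.113.7,443,0x002
10.000,192.0.2.10,50002,203.0.113.7,443,0x002
12.000,192.0.2.10,50003,203.0.113.8,443,0x002
15.000,192.0.2.10,50003,203.0.113.8,443,0x002
"""

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

def handshake_states(capture_text):
    """Return {(client, cport, server, sport): state} for every flow opened by a SYN."""
    flows = {}
    for line in capture_text.strip().splitlines():
        _, src, sport, dst, dport, flags = line.split(",")
        flags = int(flags, 16)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:        # client SYN (or a retransmit)
            flows.setdefault(fwd, "syn_sent")
        elif flags & SYN and flags & ACK and flows.get(rev) == "syn_sent":
            flows[rev] = "syn_ack_seen"            # server answered
        elif flags & RST and rev in flows and flows[rev] != "established":
            flows[rev] = "reset"                   # actively refused
        elif flags & ACK and flows.get(fwd) == "syn_ack_seen":
            flows[fwd] = "established"             # three-way handshake done
    return flows

def summary_by_port(flows):
    """Count handshake outcomes per destination port."""
    out = defaultdict(lambda: defaultdict(int))
    for (_, _, _, dport), state in flows.items():
        out[int(dport)][state] += 1
    return {port: dict(states) for port, states in out.items()}

def suspect_ports(flows):
    """Ports where every SYN went unanswered and no handshake completed."""
    return sorted(p for p, s in summary_by_port(flows).items() if set(s) == {"syn_sent"})

if __name__ == "__main__":
    flows = handshake_states(CAPTURE)
    print(summary_by_port(flows))
    print("unanswered SYNs only on ports:", suspect_ports(flows))
```

A port that shows only `syn_sent` while other ports reach `established` points at filtering or a broken return path for that traffic rather than at the WebAuth redirect itself.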
