Guest WLAN with Web Authentication (WebAuth)

Most organisations need to provide internet access to visitors, contractors, and personal devices without granting them access to the internal corporate network. A guest WLAN with Web Authentication (WebAuth) achieves this by broadcasting a separate SSID that places connecting clients into an isolated VLAN, then intercepting all HTTP/HTTPS traffic and redirecting the client's browser to a captive portal login page before any internet access is granted. Authentication can be as simple as accepting a terms-of-use page (click-through) or as sophisticated as username/password validation against a RADIUS server.

WebAuth is enforced entirely by the Cisco Wireless LAN Controller (WLC). When a guest client associates with the SSID, the WLC places it in a pre-authentication state — the client receives a DHCP address but all traffic is intercepted by a redirect ACL. Only DNS lookups and HTTPS traffic to the portal are allowed through; everything else is blocked until the client completes the portal login. Once authenticated, the WLC moves the client to a post-authentication state where normal internet access is permitted. For how the WLC and APs communicate, see Controller-Based Networking.

Before starting this lab, ensure you understand WLC fundamentals at WLC Getting Started and SSID-to-VLAN mapping at WLC SSID & VLAN Mapping. For the switch trunk configuration that carries the guest VLAN from the WLC to the distribution switch, see Trunk Port Configuration and VLAN Creation & Management. For RADIUS-based authentication that can back the WebAuth portal, see AAA RADIUS Configuration. For the broader WLC and AP ecosystem, see Access Points & WLC and Lightweight vs Autonomous APs.

1. Guest WLAN & WebAuth — Core Concepts

WebAuth Client State Machine

Every guest client passes through three states from association to full internet access:

  State 1 — ASSOCIATED (pre-auth)
  ┌──────────────────────────────────────────────────────────────┐
  │  Client associates to GUEST-SSID (open, no WPA key)          │
  │  Client obtains IP via DHCP from Guest VLAN (192.168.100.x)  │
  │  WLC marks client: WebAuth Required                          │
  │  Redirect ACL applied — only DNS + portal HTTPS pass         │
  └──────────────────────────────────────────────────────────────┘
          │  Client opens browser → any URL
          ▼
  State 2 — REDIRECT (captive portal intercept)
  ┌──────────────────────────────────────────────────────────────┐
  │  WLC intercepts HTTP GET / HTTPS request                     │
  │  Sends HTTP 302 redirect to captive portal URL               │
  │  Browser displays: https://1.1.1.1:8443/login.html           │
  │  Client enters credentials (or clicks Accept)                │
  └──────────────────────────────────────────────────────────────┘
          │  Credentials submitted to WLC (or RADIUS)
          ▼
  State 3 — AUTHENTICATED (post-auth)
  ┌──────────────────────────────────────────────────────────────┐
  │  WLC validates credentials                                   │
  │  Redirect ACL removed — full internet access permitted       │
  │  WLC optionally redirects browser to success URL             │
  │  Client state: RUN (normal forwarding)                       │
  └──────────────────────────────────────────────────────────────┘

WebAuth Types — Internal vs External

Type	Portal Hosted By	Customisation	Authentication Backend	Best For
Internal WebAuth	WLC built-in HTTPS server (port 8443)	Limited — logo and text only via WLC GUI	WLC local user database or RADIUS	Small deployments, labs, simple guest access
External WebAuth	Separate web server (ISE, ClearPass, custom)	Full HTML/CSS control — branded portal	ISE, RADIUS, AD, social login	Enterprise deployments, branded portals, ISE Guest
Passthrough (Splash Page)	WLC built-in	Limited	None — terms acceptance only, no credentials	Coffee shop / hotel style click-through

Key Components of a Guest WebAuth Deployment

Component	Purpose	Configuration Location
Guest VLAN	Isolates guest traffic from the corporate LAN — guest clients get IPs in a separate subnet routed only to internet, not internal resources	WLC → Controller → Interfaces; Switch VLAN database and trunk
Guest SSID	Open (no WPA pre-shared key) SSID broadcast for visitors — mapped to the guest VLAN interface	WLC → WLANs → Create New
Redirect ACL	Pre-auth ACL applied to guest clients — permits DNS and portal HTTPS, denies all other traffic (the deny is what triggers the redirect to the portal). See ACL Overview	WLC → Security → Access Control Lists
WebAuth Policy	Selects WebAuth type (internal/external/passthrough), portal URL, success redirect URL, and credential source	WLC → WLANs → [WLAN] → Security → Layer 3
Guest Local Users	Username/password accounts stored on the WLC for internal WebAuth credential validation	WLC → Security → Local Net Users
Virtual Interface (VIP)	Dummy IP address used as the redirect destination — all guest browsers are redirected here. Must be a non-routable address (conventionally 1.1.1.1) so the WLC is always the only device that responds to it	WLC → Controller → Interfaces → Virtual

Guest Traffic Flow Through the Network

  Guest Laptop
       |
       | 802.11 (open SSID: NetsTuts-Guest)
       ▼
  Access Point (LAP)
       |
       | CAPWAP tunnel (all guest frames encapsulated back to WLC)
       ▼
  Cisco WLC
       | Guest VLAN 100 interface: 192.168.100.2/24
       | DHCP scope: 192.168.100.10–200 (served by switch SVI)
       | Redirect ACL applied (pre-auth state)
       ▼
  Distribution Switch
       | VLAN 100 SVI: 192.168.100.1 (default gateway + DHCP)
       | VLAN 100 has NO route to 10.0.0.0/24 (corporate)
       | VLAN 100 routes to internet only via firewall
       ▼
  Firewall / Router
       |
       ▼
  Internet

  Corporate LAN (10.0.0.0/24) — UNREACHABLE from VLAN 100
  ─────────────────────────────────────────────────────────
  Separation is enforced at Layer 3 — no route from VLAN 100
  to internal subnets, plus an explicit firewall deny rule.

Traffic isolation between the guest VLAN (100) and the corporate LAN must be enforced at Layer 3. For how SVIs and inter-VLAN routing work on multilayer switches, see Inter-VLAN Routing on a Layer 3 Switch.

2. Lab Topology & Scenario

The NetsTuts organisation needs a guest WLAN for visitors. Guests must accept a terms-of-use page and enter credentials before accessing the internet. Guest traffic must be completely isolated from the corporate LAN (10.0.0.0/24). The WLC already manages lightweight APs on the corporate WLAN (VLAN 10). This lab adds a second SSID — NetsTuts-Guest — on VLAN 100 with internal WebAuth.

  ┌──────────────────────────────────────────────────────────────┐
  │                       NetsTuts WLC                           │
  │  Management Interface: VLAN 10  — 10.0.0.50/24              │
  │  AP-Manager Interface: VLAN 10  — 10.0.0.51/24              │
  │  Guest Interface:      VLAN 100 — 192.168.100.2/24          │
  │  Virtual Interface:    1.1.1.1  (redirect VIP)              │
  └───────────────────────────┬──────────────────────────────────┘
                              │ Trunk (VLAN 10 native + VLAN 100)
                              │
                 ┌────────────▼────────────┐
                 │   Distribution Switch   │
                 │  VLAN 10 SVI: 10.0.0.1  │
                 │  VLAN 100 SVI: 192.168.100.1 (GW + DHCP) │
                 └────────────┬────────────┘
                              │
                        ┌─────▼──────┐
                        │  Firewall  │  Routes VLAN 100 → internet
                        │            │  Denies VLAN 100 → 10.0.0.0/24
                        └────────────┘

  Wireless SSIDs:
  ┌──────────────────────┬───────────────────┬───────────────────┐
  │ SSID                 │ NetsTuts-Corp      │ NetsTuts-Guest    │
  │ Layer 2 Security     │ WPA2-PSK           │ None (open)       │
  │ Layer 3 Security     │ None               │ Web Policy: Auth  │
  │ VLAN                 │ 10                 │ 100               │
  │ Client Subnet        │ 10.0.0.0/24        │ 192.168.100.0/24  │
  │ Internet Access      │ Yes                │ Yes (post-auth)   │
  │ Corporate LAN Access │ Yes                │ No (denied)       │
  └──────────────────────┴───────────────────┴───────────────────┘

  Guest Local Users (WLC):
    Username: visitor1   Password: Guest@2024
    Username: visitor2   Password: Guest@2024

3. Step 1 — Create Guest VLAN on the Distribution Switch

Before touching the WLC, create VLAN 100 on the distribution switch, add it to the trunk port connecting to the WLC, and configure a DHCP scope for guest clients. The SVI provides the default gateway:

NetsTuts_SW>en
NetsTuts_SW#conf t

! ── Create guest VLAN ─────────────────────────────────────
NetsTuts_SW(config)#vlan 100
NetsTuts_SW(config-vlan)#name GUEST-WLAN
NetsTuts_SW(config-vlan)#exit

! ── Add VLAN 100 to the trunk toward the WLC ──────────────
NetsTuts_SW(config)#interface GigabitEthernet0/1
NetsTuts_SW(config-if)#description Trunk to WLC
NetsTuts_SW(config-if)#switchport mode trunk
NetsTuts_SW(config-if)#switchport trunk allowed vlan add 100
NetsTuts_SW(config-if)#exit

! ── SVI — default gateway for guest clients ───────────────
NetsTuts_SW(config)#interface vlan 100
NetsTuts_SW(config-if)#description Guest WLAN Gateway
NetsTuts_SW(config-if)#ip address 192.168.100.1 255.255.255.0
NetsTuts_SW(config-if)#no shutdown
NetsTuts_SW(config-if)#exit

! ── DHCP scope for guest clients on VLAN 100 ──────────────
NetsTuts_SW(config)#ip dhcp excluded-address 192.168.100.1 192.168.100.9
NetsTuts_SW(config)#ip dhcp pool GUEST-POOL
NetsTuts_SW(dhcp-config)#network 192.168.100.0 255.255.255.0
NetsTuts_SW(dhcp-config)#default-router 192.168.100.1
NetsTuts_SW(dhcp-config)#dns-server 8.8.8.8 8.8.4.4
NetsTuts_SW(dhcp-config)#lease 0 4
NetsTuts_SW(dhcp-config)#exit

NetsTuts_SW(config)#end
NetsTuts_SW#wr

The DHCP lease is set to 4 hours (lease 0 4) — appropriate for a transient guest population to reclaim IPs promptly. DNS servers point to public resolvers (8.8.8.8) rather than the internal DNS server, preventing guests from resolving internal hostnames. For DHCP details, see DHCP Server Configuration. For trunk port configuration, see Trunk Port Configuration and VLAN Creation & Management.

4. Step 2 — Create the Guest Dynamic Interface on the WLC

On the WLC, a dynamic interface is the WLC's representation of a VLAN — it defines the VLAN tag, the WLC's own IP address on that VLAN, and the DHCP server to use for clients on that interface. Navigate to Controller → Interfaces → New:

  WLC GUI — Controller → Interfaces → [New]
  ┌───────────────────────────────────────────────────────┐
  │  Interface Name:     guest-vlan100                    │
  │  VLAN Id:            100                              │
  └───────────────────────────────────────────────────────┘
  [Apply] — then fill in interface details:
  ┌───────────────────────────────────────────────────────┐
  │  IP Address:          192.168.100.2                   │
  │  Netmask:             255.255.255.0                   │
  │  Gateway:             192.168.100.1  ← Switch SVI     │
  │  VLAN Identifier:     100                             │
  │  Physical Port:       (select WLC uplink port)        │
  │  Primary DHCP Server: 192.168.100.1  ← Switch SVI     │
  │  ACL:                 (leave blank for now)           │
  └───────────────────────────────────────────────────────┘
  [Apply] → [Save Configuration]

The WLC's guest interface IP (192.168.100.2) and the switch SVI (192.168.100.1) are in the same /24 subnet but are distinct addresses. The switch SVI is the DHCP server and the default gateway that guest clients will use. The WLC interface IP is used for CAPWAP communication on that VLAN. Ensure the Physical Port field matches the WLC uplink port connected to the distribution switch trunk. For more on WLC interface setup, see WLC Getting Started.

5. Step 3 — Configure the Pre-Authentication Redirect ACL

The redirect ACL defines what a guest client can do before authenticating. It must permit DNS (so clients can resolve hostnames) and permit HTTPS to the WLC's virtual IP (so the portal page loads). All other traffic is denied — and this is the key point: traffic that is denied by this ACL is what the WLC redirects to the captive portal, not what it silently drops. Navigate to Security → Access Control Lists → New:

  WLC GUI — Security → Access Control Lists → New
  ┌───────────────────────────────────────────────────────┐
  │  ACL Name:   GUEST-REDIRECT-ACL                       │
  │  ACL Type:   IPv4                                     │
  └───────────────────────────────────────────────────────┘
  [Apply] — then add rules:

  Rule 1 — Permit DNS queries (client resolves hostnames)
  ┌───────────────────────────────────────────────────────┐
  │  Sequence:    1    Action: Permit                     │
  │  Protocol:    UDP                                     │
  │  Source:      Any                                     │
  │  Destination: Any          Dst Port: 53               │
  └───────────────────────────────────────────────────────┘

  Rule 2 — Permit DNS replies (src port 53 returning)
  ┌───────────────────────────────────────────────────────┐
  │  Sequence:    2    Action: Permit                     │
  │  Protocol:    UDP                                     │
  │  Source:      Any  Src Port: 53                       │
  │  Destination: Any                                     │
  └───────────────────────────────────────────────────────┘

  Rule 3 — Permit HTTPS to WLC Virtual IP (portal page)
  ┌───────────────────────────────────────────────────────┐
  │  Sequence:    3    Action: Permit                     │
  │  Protocol:    TCP                                     │
  │  Source:      Any                                     │
  │  Destination: 1.1.1.1 / 255.255.255.255  Port: 8443  │
  └───────────────────────────────────────────────────────┘

  Rule 4 — Permit HTTP to WLC Virtual IP
  ┌───────────────────────────────────────────────────────┐
  │  Sequence:    4    Action: Permit                     │
  │  Protocol:    TCP                                     │
  │  Source:      Any                                     │
  │  Destination: 1.1.1.1 / 255.255.255.255  Port: 80    │
  └───────────────────────────────────────────────────────┘

  Rule 5 — Deny all other traffic (TRIGGERS the redirect)
  ┌───────────────────────────────────────────────────────┐
  │  Sequence:    5    Action: Deny                       │
  │  Protocol:    Any                                     │
  │  Source:      Any                                     │
  │  Destination: Any                                     │
  └───────────────────────────────────────────────────────┘

  [Apply] → [Save Configuration]

The ACL logic here is the opposite of a typical firewall deny. Traffic that is permitted (DNS, portal HTTPS) passes through uninterrupted. Traffic that is denied (rule 5 — all other HTTP/HTTPS) is intercepted by the WLC WebAuth engine and redirected to the captive portal URL. If rule 5 were set to permit, HTTP traffic would pass freely and the portal would never appear — guests would have full internet access without authenticating. For ACL syntax and wildcard mask details, see Named ACLs and Wildcard Masks.

Virtual Interface IP: The WLC Virtual Interface must be configured with a non-routable IP — conventionally 1.1.1.1. When a guest browser is redirected to https://1.1.1.1:8443/login.html, the WLC intercepts this request and serves the portal page. The virtual IP is never actually routed across the network. Verify or set it at Controller → Interfaces → Virtual.

6. Step 4 — Create the Guest WLAN (SSID)

Navigate to WLANs → Create New → Go. The WLAN ties together the guest interface, open Layer 2 security (no PSK), and the WebAuth Layer 3 policy:

  WLC GUI — WLANs → Create New → [Go]
  ┌───────────────────────────────────────────────────────┐
  │  Type:         WLAN                                   │
  │  Profile Name: NetsTuts-Guest                         │
  │  SSID:         NetsTuts-Guest                         │
  │  ID:           2   (ID 1 = corporate WLAN)            │
  └───────────────────────────────────────────────────────┘
  [Apply]

  ── Tab: General ─────────────────────────────────────────
  ┌───────────────────────────────────────────────────────┐
  │  Status:            Enabled  ✅                       │
  │  Interface/Group:   guest-vlan100                     │
  │  Broadcast SSID:    Enabled  ✅                       │
  └───────────────────────────────────────────────────────┘

  ── Tab: Security → Layer 2 ──────────────────────────────
  ┌───────────────────────────────────────────────────────┐
  │  Layer 2 Security:  None  (open — no WPA key)         │
  │  MAC Filtering:     Disabled                          │
  └───────────────────────────────────────────────────────┘

  ── Tab: Security → Layer 3 ──────────────────────────────
  ┌───────────────────────────────────────────────────────┐
  │  Layer 3 Security:       Web Policy  ✅               │
  │  Web Policy:             ● Authentication             │
  │                          ○ Passthrough                │
  │                          ○ Conditional Web Redirect   │
  │                          ○ Splash Page Web Redirect   │
  │                                                       │
  │  Preauthentication ACL:  GUEST-REDIRECT-ACL  ✅       │
  └───────────────────────────────────────────────────────┘

  ── Tab: Security → AAA Servers ──────────────────────────
  ┌───────────────────────────────────────────────────────┐
  │  Authentication Server 1: None                        │
  │  (None = use WLC local Net Users for internal WebAuth)│
  │  (Select a RADIUS server here for RADIUS-backed auth) │
  └───────────────────────────────────────────────────────┘

  ── Tab: Advanced ─────────────────────────────────────────
  ┌───────────────────────────────────────────────────────┐
  │  DHCP Addr. Assignment:  Required  ✅                 │
  │  Client Exclusion:       Enabled   ✅  (60 sec)       │
  │  Session Timeout:        1800 sec  (30 min)           │
  └───────────────────────────────────────────────────────┘

  [Apply] → [Save Configuration]

Web Policy: Authentication requires username and password at the portal. Passthrough displays a splash/terms page with a single Accept button and no credentials. The Preauthentication ACL field is critical — it links the redirect ACL from Step 3. Without it, no pre-auth filtering occurs and the redirect will not work. Session Timeout (1800 sec = 30 min) automatically de-authenticates idle guests, freeing IP leases and enforcing re-authentication. For SSID and VLAN concepts, see WLC SSID & VLAN Mapping. For Wi-Fi security types including WPA2 used on the corporate SSID, see the Wi-Fi Security overview.

7. Step 5 — Create Guest Local User Accounts

For internal WebAuth, the WLC validates credentials against its local user database. Navigate to Security → Local Net Users → New:

  WLC GUI — Security → Local Net Users → [New]

  User 1:
  ┌───────────────────────────────────────────────────────┐
  │  Username:    visitor1                                │
  │  Password:    Guest@2024                              │
  │  Confirm:     Guest@2024                              │
  │  Guest User:  ✅ Enabled                              │
  │  Lifetime:    86400 seconds  (24 hours — then expired)│
  │  WLAN Id:     2  (NetsTuts-Guest only)                │
  │  Description: Daily guest pass                        │
  └───────────────────────────────────────────────────────┘
  [Apply]

  User 2:
  ┌───────────────────────────────────────────────────────┐
  │  Username:    visitor2                                │
  │  Password:    Guest@2024                              │
  │  Guest User:  ✅ Enabled                              │
  │  Lifetime:    86400 seconds                           │
  │  WLAN Id:     2                                       │
  └───────────────────────────────────────────────────────┘
  [Apply] → [Save Configuration]

Enabling Guest User marks these as time-limited accounts — the WLC automatically expires them after the Lifetime elapses. Scoping to WLAN Id: 2 prevents these credentials from authenticating on any other WLAN. For production deployments with many daily guests, use a RADIUS server such as Cisco ISE with a Guest Portal for automated account creation, sponsor-approval workflows, and automatic expiry at scale — local accounts on the WLC do not scale beyond a handful of users. See AAA RADIUS Configuration.

8. Step 6 — Customise the Internal WebAuth Login Page

The WLC's internal portal can be lightly branded with a logo, headline, and terms message. Navigate to Security → Web Auth → Web Login Page:

  WLC GUI — Security → Web Auth → Web Login Page
  ┌───────────────────────────────────────────────────────┐
  │  Web Authentication Type: Internal (Default) ✅        │
  │                                                       │
  │  Cisco Logo:    Hide ✅  (replace with custom logo)   │
  │  Custom Logo:   Upload netstuts-logo.png              │
  │                                                       │
  │  Page Title:    NetsTuts Guest Wi-Fi                  │
  │  Message:       Welcome. By logging in you agree      │
  │                 to our acceptable use policy.         │
  │                                                       │
  │  Redirect URL after login:                            │
  │                 https://netstuts.com                  │
  └───────────────────────────────────────────────────────┘
  [Preview] — verify appearance in the preview pane
  [Apply] → [Save Configuration]

The Redirect URL after login sends the guest's browser to a welcome page immediately after successful authentication — confirming to the user that they are now online. If left blank, the browser stays on the WLC portal page after login. For full HTML/CSS branding and custom portal logic, an External WebAuth deployment pointing to Cisco ISE or a dedicated web server is required.

9. Verification

Monitor → Clients — Guest Client State

  WLC GUI — Monitor → Clients

  Before authentication (pre-auth):
  ┌────────────────────┬─────────────────┬────────────────┬────────────────┐
  │ Client MAC         │ IP Address      │ WLAN           │ Status         │
  ├────────────────────┼─────────────────┼────────────────┼────────────────┤
  │ a4:c3:f0:11:22:33  │ 192.168.100.15  │ NetsTuts-Guest │ WebAuth Reqd   │
  └────────────────────┴─────────────────┴────────────────┴────────────────┘

  After successful authentication (post-auth):
  ┌────────────────────┬─────────────────┬────────────────┬────────────────┐
  │ Client MAC         │ IP Address      │ WLAN           │ Status         │
  ├────────────────────┼─────────────────┼────────────────┼────────────────┤
  │ a4:c3:f0:11:22:33  │ 192.168.100.15  │ NetsTuts-Guest │ Associated     │
  │                    │                 │                │ (RUN)          │
  └────────────────────┴─────────────────┴────────────────┴────────────────┘

WebAuth Reqd means the client has an IP address and is associated with the SSID but has not completed portal authentication — the redirect ACL is active. Associated (RUN) means authentication succeeded and the client has full internet access. Click the client MAC address for detailed information including authentication method, signal strength, and policy applied.

WLC CLI — show client summary and show client detail

! ── Connect to WLC CLI via SSH ────────────────────────────
(Cisco Controller) >show client summary

Number of Clients................................ 3

MAC Address         AP Name         Status         WLAN Auth Protocol
------------------- --------------- -------------- ---- ---- --------
a4:c3:f0:11:22:33   NetsTuts-AP-01  Associated     2    Yes  802.11ac
b8:27:eb:44:55:66   NetsTuts-AP-01  WebAuth Reqd   2    No   802.11n
c0:ee:fb:77:88:99   NetsTuts-AP-02  Associated     1    Yes  802.11ac

! ── Detailed client info ──────────────────────────────────
(Cisco Controller) >show client detail a4:c3:f0:11:22:33

Client MAC Address............................... a4:c3:f0:11:22:33
Client Username.................................. visitor1
AP Name.......................................... NetsTuts-AP-01
Client State..................................... Associated
Wireless LAN Id.................................. 2
WLAN Profile Name................................ NetsTuts-Guest
Interface........................................ guest-vlan100
VLAN............................................. 100
IP Address....................................... 192.168.100.15
Security Policy Completed........................ Yes
Policy Type...................................... WebAuth
Web Security Policy.............................. Passed
Session Timeout.................................. 1800

show wlan summary and show acl detailed

(Cisco Controller) >show wlan summary

WLAN ID  Profile Name       Status   Interface       
-------  -----------------  -------  ---------------
1        NetsTuts-Corp      Enabled  management      
2        NetsTuts-Guest     Enabled  guest-vlan100   

(Cisco Controller) >show acl detailed GUEST-REDIRECT-ACL

ACL Name: GUEST-REDIRECT-ACL
  Seq  Action  Protocol  Src IP         Src Port  Dst IP          Dst Port
  ---  ------  --------  -------------  --------  --------------  --------
  1    Permit  UDP(17)   0.0.0.0/0      Any       0.0.0.0/0       53
  2    Permit  UDP(17)   0.0.0.0/0      53        0.0.0.0/0       Any
  3    Permit  TCP(6)    0.0.0.0/0      Any       1.1.1.1/32      8443
  4    Permit  TCP(6)    0.0.0.0/0      Any       1.1.1.1/32      80
  5    Deny    Any       0.0.0.0/0      Any       0.0.0.0/0       Any

End-to-End WebAuth Validation Checklist

Test	Expected Result	Confirms
Connect to NetsTuts-Guest SSID (no password)	Client associates and receives 192.168.100.x IP	Open SSID, guest VLAN interface, and DHCP scope all working
Open browser to a plain HTTP URL (e.g., http://neverssl.com)	Browser redirects to `https://1.1.1.1:8443/login.html`	Redirect ACL and WebAuth engine intercepting HTTP traffic correctly
Enter credentials: visitor1 / Guest@2024 and submit	Browser redirects to https://netstuts.com — internet access granted	Local user authentication successful, post-auth policy applied
Ping 10.0.0.1 (corporate gateway) from guest client	Ping fails — no response	Guest VLAN isolation enforced at Layer 3
Check WLC Monitor → Clients	Status changes from WebAuth Reqd to Associated (RUN) after login	WLC tracking client authentication state correctly
Wait 30 minutes (Session Timeout expiry)	Client is de-authenticated and must re-authenticate on next browser open	Session timeout and re-auth enforcement working

Verification Command Summary

Command / Location	What It Shows	Primary Use
`show client summary` (WLC CLI)	All associated clients — MAC, AP, status (Associated / WebAuth Reqd), WLAN ID, auth state	Quick overview of all connected clients and authentication status
`show client detail [MAC]` (WLC CLI)	Full client detail — IP, VLAN, policy type, auth method, WebAuth status, ACL applied, session timeout	Confirm a specific client's authentication state and applied policies
`show wlan summary` (WLC CLI)	All WLANs — ID, profile name, status, interface mapped	Confirm guest WLAN is enabled and mapped to the correct guest interface
`show acl detailed [name]` (WLC CLI)	Redirect ACL rules — sequence, action, protocol, source, destination, port	Verify redirect ACL rules are correctly defined and ordered
Monitor → Clients (WLC GUI)	Real-time client table with status, AP, WLAN, and IP	Visual confirmation of client state transitions during WebAuth testing
Monitor → Statistics → WLAN (WLC GUI)	Per-WLAN counters — associations, authentications, WebAuth success/failure counts	Operational monitoring — detect authentication failures and usage patterns

10. Troubleshooting Guest WebAuth Issues

Problem	Symptom	Cause	Fix
Browser never redirects to login page	Guest gets an IP address but opening a browser shows "connection timed out" — no portal appears	Layer 3 Web Policy not enabled on the WLAN, Preauthentication ACL field is empty, or the client is using an HTTPS-only URL where the browser's HSTS blocks the redirect before it can happen	Verify WLANs → [WLAN] → Security → Layer 3 has Web Policy enabled and GUEST-REDIRECT-ACL selected. Test with a plain HTTP URL — use http://neverssl.com which is designed for captive portal testing. Confirm the Virtual Interface is set at Controller → Interfaces → Virtual
Guest client does not receive a DHCP address	Client associates with the SSID but shows 169.254.x.x (APIPA) or no IP	VLAN 100 is not on the switch trunk to the WLC, DHCP scope is exhausted, or the Primary DHCP Server in the WLC guest interface points to the wrong IP	Check `show interfaces trunk` on the switch — confirm VLAN 100 is in the allowed list. Check `show ip dhcp binding` and `show ip dhcp pool GUEST-POOL`. Verify the Primary DHCP Server field in the WLC guest interface is 192.168.100.1. See DHCP Server Configuration
Login credentials rejected	Client reaches the portal but "Invalid username or password" appears after submitting	Local Net User account is expired, account is scoped to a different WLAN ID, or RADIUS is configured but unreachable causing the WLC to fall through to local users where the account does not exist	Check Security → Local Net Users — confirm account exists, Lifetime has not expired, and WLAN ID is 2. If using RADIUS, run `ping [RADIUS-IP]` from the WLC CLI to verify reachability, then check the RADIUS server auth log for a reject reason. See AAA RADIUS Configuration
Authenticated guests can access the corporate LAN	After successful login, a guest can ping or reach 10.0.0.x internal hosts	No Layer 3 ACL or firewall rule blocks traffic from VLAN 100 (192.168.100.0/24) to the corporate LAN (10.0.0.0/24) — VLAN separation at Layer 2 alone does not prevent routing between VLANs on a multilayer switch	Add an ACL or firewall rule on the Layer 3 boundary device: `deny ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255`. See Applying ACLs and Firewall Concepts
Portal page shows SSL certificate warning	Browser displays "Your connection is not private" before showing the login page	The WLC uses a self-signed certificate for its internal HTTPS server — modern browsers flag self-signed certs from unknown CAs as untrusted	For labs: instruct users to click "Advanced" and proceed. For production: install a CA-signed certificate on the WLC at Security → Web Auth Certificate, or use External WebAuth with ISE which can present a properly signed certificate
Guest WLAN shows "Disabled" in WLC GUI	`show wlan summary` shows the guest WLAN status as Disabled	WLAN Status checkbox was not enabled on the General tab, or the guest-vlan100 dynamic interface is not up because VLAN 100 is not on the trunk	Go to WLANs → [WLAN] → General and enable the Status checkbox. Verify the guest-vlan100 interface is up at Controller → Interfaces. Confirm at least one AP is associated under Wireless → Access Points. See WLC Getting Started

Key Points & Exam Tips

Guest WebAuth requires four components: a dedicated guest VLAN isolated from the corporate LAN, an open SSID mapped to that VLAN, a redirect ACL that permits DNS and portal HTTPS but denies everything else, and a Layer 3 Web Policy on the WLAN referencing the redirect ACL.
The redirect ACL logic is inverted compared to a standard firewall ACL. Traffic that is denied by the ACL is what the WLC redirects to the captive portal. Traffic that is permitted (DNS, portal HTTPS) passes through without redirection. Permitting HTTP/HTTPS in the ACL would give guests full internet access without ever seeing the portal.
The WLC Virtual Interface (conventionally 1.1.1.1) is the redirect target IP. It must be a non-routable address that no other network device owns — the WLC intercepts all requests to this IP internally and serves the login page. Set it at Controller → Interfaces → Virtual.
Guest clients have two states: WebAuth Reqd (associated, DHCP address assigned, redirect ACL active, no internet) and Associated/RUN (authenticated, redirect ACL removed, internet permitted). These states are visible in Monitor → Clients and via show client summary.
VLAN isolation must be enforced at Layer 3 — placing guests in VLAN 100 prevents Layer 2 communication with VLAN 10 but does not stop Layer 3 routing between the two. A firewall rule or ACL on the gateway must explicitly deny VLAN 100 from reaching the corporate subnet.
Web Policy: Authentication requires username/password at the portal. Passthrough shows a splash page with a single Accept button and no credentials — the "coffee shop" model. Both use the same redirect ACL mechanism; only the portal page content and credential requirement differ.
Local Net Users scoped to a specific WLAN ID and given a Lifetime expire automatically after the configured duration. For scale (100+ daily guests), use Cisco ISE with a Guest Portal for automated account management — local WLC users do not scale.
Always test the captive portal with a plain HTTP URL such as http://neverssl.com — HTTPS URLs with HSTS headers may not redirect in modern browsers because the browser enforces HTTPS before the WLC can inject the redirect.
On the exam: know the three WebAuth client states, the inverted deny-triggers-redirect logic of the redirect ACL, the role of the Virtual Interface, the difference between Authentication and Passthrough portal types, and how to read show client summary output.

Next Steps: For port-based authentication on wired switches, see 802.1X Port-Based Authentication. For RADIUS-backed credential validation behind the WebAuth portal, see AAA RADIUS Configuration and AAA TACACS+ Configuration. For WLC management access hardening, see Login Security & Brute-Force Protection. For understanding wireless frequencies and channel planning that supports the guest SSID, see Frequency & Channels. For RF channel and power planning on the WLC, see Wireless RF Channel & Power Planning. For FlexConnect branch deployments where the guest portal must work without a live WLC connection, see FlexConnect AP Configuration.

TEST WHAT YOU LEARNED

1. In a Cisco WLC WebAuth deployment, what is the purpose of the Virtual Interface IP address (e.g., 1.1.1.1), and why must it be a non-routable address?

A. The Virtual Interface is the default gateway assigned to guest clients — it must be non-routable so guests cannot reach the corporate LAN B. The Virtual Interface is the WLC's redirect target. When a guest's HTTP request is intercepted, the WLC sends the browser an HTTP 302 to https://1.1.1.1:8443/login.html. The WLC intercepts this internally and serves the portal page. It must be non-routable so no other network device owns that IP — if 1.1.1.1 were a real device, the redirect would be forwarded there instead of being served by the WLC C. The Virtual Interface is used for AP CAPWAP join — APs connect to the WLC using the Virtual IP as the tunnel destination D. The Virtual Interface is a redundancy VIP shared between two WLCs in an HA pair — similar to HSRP, it ensures clients connect regardless of which WLC is active

Correct answer is B. The WLC Virtual Interface serves one purpose: it is the IP the WLC redirects guest browsers to when their HTTP traffic is intercepted by the WebAuth engine. When a guest opens http://example.com, the WLC sends an HTTP 302 to https://1.1.1.1:8443/login.html. The WLC itself intercepts this request — it knows 1.1.1.1 is its own virtual IP — and serves the login page. The packet never actually leaves the WLC toward 1.1.1.1. If 1.1.1.1 were a real routable address on the network, routers might forward the redirected request to that real device instead of the WLC, breaking the portal. The Virtual Interface IP (configured at Controller → Interfaces → Virtual) must be something that does not exist anywhere else in the network.

2. A guest client connects to NetsTuts-Guest, gets an IP address (192.168.100.15), but opening a browser shows "Connection timed out" — no portal appears. What is the most likely cause?

A. The guest VLAN is not configured on the switch — the client has no default gateway B. The RADIUS server is unreachable — the WLC cannot authenticate the redirect without RADIUS C. The session timeout is too low — the client is being de-authenticated before the portal loads D. The Layer 3 Web Policy is not enabled on the WLAN, or the Preauthentication ACL field is empty — without these, the WLC does not intercept HTTP traffic and no redirect fires. The deny rule in the ACL drops all HTTP traffic, causing the browser timeout. Verify WLANs → Security → Layer 3 has Web Policy enabled and GUEST-REDIRECT-ACL selected. Also test with a plain HTTP URL rather than HTTPS

Correct answer is D. The client already has an IP (192.168.100.15), which rules out VLAN/DHCP problems (option A). The symptom — timeout instead of redirect — means the WLC is not intercepting the HTTP request and redirecting it. Two things must both be configured: (1) Layer 3 Web Policy must be enabled (the checkbox on Security → Layer 3 tab), and (2) the Preauthentication ACL must reference GUEST-REDIRECT-ACL. Without the Web Policy enabled, there is no WebAuth interception regardless of the ACL. Without the ACL, there is no redirect trigger. RADIUS is not needed for internal WebAuth with local users (option B). Session timeout only applies to authenticated clients, not pre-auth clients (option C). Always test with a plain HTTP URL — HTTPS URLs with HSTS may not redirect in modern browsers.

3. Why does the preauthentication redirect ACL use "Deny" in rule 5 for all traffic, when a deny in a standard ACL means "block"?

A. In WLC WebAuth redirect ACLs, denied traffic is what the WLC's WebAuth engine intercepts and redirects to the captive portal — the deny action triggers the redirect rather than silently dropping the packet. Permitted traffic (DNS, portal HTTPS) passes through without any interception. If HTTP/HTTPS were permitted instead, traffic would pass freely and the portal would never appear B. The deny in rule 5 permanently blocks all traffic except DNS before authentication — clients can only perform DNS lookups in the pre-auth state C. The WLC uses the deny entries for deep packet inspection — it analyses denied packets and individually decides to redirect or drop them based on the protocol field D. The deny action in WLC ACLs only affects IPv6 traffic — IPv4 HTTP/HTTPS is permitted by default and always redirects regardless of the ACL

Correct answer is A. This is the most counterintuitive aspect of WLC WebAuth redirect ACLs. The WLC WebAuth engine specifically watches for traffic that is denied by the preauthentication ACL. When it sees a denied HTTP or HTTPS packet, it intercepts it and sends the client an HTTP 302 redirect to the portal URL — rather than dropping the packet silently. Traffic that is permitted passes through the WLC normally with no interception. DNS is permitted so clients can resolve hostnames; portal HTTPS (to the virtual IP) is permitted so the login page loads after the redirect. If you set rule 5 to Permit instead of Deny, HTTP/HTTPS traffic would flow freely through the WLC — the guest would have full internet access without ever seeing the portal. This inverted logic is specific to WLC redirect ACLs and does not apply to interface ACLs on routers or switches.

4. After a guest successfully logs in through the WebAuth portal, the client can browse the internet but can also ping 10.0.0.5 on the corporate LAN. What is the misconfiguration?

A. The redirect ACL is still active post-authentication — remove it to stop the corporate LAN traffic being permitted B. The guest was assigned a 10.0.0.x IP instead of 192.168.100.x — the DHCP scope is misconfigured C. There is no ACL or firewall rule blocking Layer 3 routing from VLAN 100 (192.168.100.0/24) to the corporate LAN (10.0.0.0/24). VLAN separation at Layer 2 only prevents broadcast domain overlap — it does not stop a multilayer switch or router from routing between VLANs. An explicit deny rule on the Layer 3 boundary is required to block guest-to-corporate traffic D. The guest WLAN is in central switching mode — change it to local switching to enforce traffic isolation at the AP

Correct answer is C. VLAN separation at Layer 2 ensures guest and corporate traffic do not share a broadcast domain. However, if a Layer 3 device (multilayer switch or router/firewall) has SVIs or interfaces in both VLAN 100 (192.168.100.1) and VLAN 10 (10.0.0.1) with routes to both, it will happily route traffic between them unless explicitly told not to. A guest client sends traffic to its gateway (192.168.100.1), which routes it into VLAN 10 toward 10.0.0.5. The fix is a deny ACL entry or firewall policy on the Layer 3 boundary: deny IP 192.168.100.0/24 to 10.0.0.0/24. The redirect ACL is a pre-authentication mechanism only — it has no role in post-auth traffic isolation. The problem existed before and after WebAuth; it is purely a routing/firewall configuration gap.

5. A guest's browser shows a certificate error before the captive portal login page appears. What causes this and what is the correct long-term fix for a production deployment?

A. The Virtual Interface IP (1.1.1.1) is publicly owned — change it to 192.0.2.1 to resolve the certificate CN mismatch B. The guest VLAN has no internet route so the browser cannot download the certificate revocation list (CRL) to validate the WLC cert C. The WLC management IP must match the certificate's Common Name — update the management interface to match D. The WLC uses a self-signed certificate for its internal HTTPS server by default — browsers flag self-signed certificates from unknown CAs as untrusted. For labs, users click "Advanced" and proceed. For production, install a CA-signed certificate on the WLC at Security → Web Auth Certificate so browsers trust the portal without a warning, or use External WebAuth with ISE which can present a properly signed, trusted certificate

Correct answer is D. The WLC generates its own self-signed TLS certificate for the internal HTTPS portal server. This certificate is not signed by any Certificate Authority in browsers' built-in trust stores (like DigiCert, Let's Encrypt, or a corporate CA). When the browser connects to https://1.1.1.1:8443, it checks the certificate, finds it untrusted, and displays a security warning. In a lab this is fine — users click Advanced and proceed. In a production guest network, the warning looks alarming and many users will refuse to continue, especially on corporate-managed devices with strict browser policies. The production fix is to upload a CA-signed certificate to the WLC. For a fully branded and trusted portal, External WebAuth with Cisco ISE gives you proper certificate management, full HTML/CSS customisation, and advanced guest management workflows in a single platform.

6. What is the functional difference between Web Policy "Authentication" and "Passthrough" on the Cisco WLC guest WLAN?

A. Authentication uses 802.1X EAP supplicant authentication; Passthrough uses a pre-shared key typed into the splash page B. Authentication requires the guest to enter a username and password at the portal, validated against the WLC's local user database or a RADIUS server. Passthrough shows a splash/terms-of-use page with a single Accept button — no credentials required. The client clicks Accept and gets internet access. Passthrough is the "coffee shop" model; Authentication adds identity accountability C. Authentication redirects HTTP traffic only; Passthrough redirects both HTTP and HTTPS to the portal D. Authentication applies post-auth ACLs from RADIUS; Passthrough applies the same ACL to all clients regardless of identity

Correct answer is B. The portal type controls what happens when the guest arrives at the captive portal page — not how the redirect works. With Authentication, the portal presents a username/password form. The WLC (or RADIUS server) validates the credentials, and only matching accounts gain access. With Passthrough, the portal shows customisable text (a terms-of-use statement, organisation branding) and a single button. Clicking the button is sufficient — no identity verification occurs. Both types use the same redirect ACL mechanism; the difference is purely in what the portal requires from the user. Passthrough gives you MAC address logging (you can see who connected and when) without the friction of credential management. Authentication gives you stronger accountability — you know exactly who (visitor1, visitor2) was online and when. Neither type involves 802.1X EAP, which is a completely separate authentication framework for wired and wireless port security.

7. Which two ACL entries are non-negotiable in the preauthentication redirect ACL for WebAuth to function correctly end-to-end?

A. Permit ICMP (so the client can ping the gateway) and deny all TCP B. Permit HTTP (port 80) and deny HTTPS (port 443) C. Permit DNS (UDP/53) — without DNS the client cannot resolve any hostname and will never send the HTTP request that triggers the redirect. Permit HTTPS to the WLC Virtual IP on port 8443 — without this the browser cannot load the portal login page itself (the redirect destination is HTTPS and would be blocked by the deny-all rule) D. Permit ARP and permit DHCP (UDP/67-68) — without these the client cannot join the network

Correct answer is C. These two permits make the redirect mechanism work end-to-end. DNS permit: when the guest types any URL (http://example.com), the browser first performs a DNS lookup for example.com. Without the DNS permit, this lookup is denied — the browser gets a DNS resolution failure and never sends the HTTP GET that the WLC needs to intercept. No HTTP request = no redirect = portal never appears. HTTPS permit to Virtual IP port 8443: the WLC redirects the guest browser to https://1.1.1.1:8443/login.html. If the redirect ACL also denies HTTPS to 1.1.1.1, the browser sends the request but the ACL blocks it before it reaches the WLC's portal server — the portal page never loads. Both entries are essential. ARP and DHCP (option D) operate below the IP ACL level — WLC ACLs do not filter Layer 2 ARP frames, and DHCP typically completes before WebAuth is evaluated.

8. The organisation has 150–200 guest visitors per day and the administrator has been manually creating WLC Local Net Users for each. What is the scalability problem and the recommended solution?

A. WLC Local Net Users require manual creation, credential distribution, and cleanup for each visitor — at 200 accounts per day this becomes operationally unmanageable. The recommended solution is Cisco ISE with a Guest Portal, which automates self-registration, sponsor-approval workflows, time-limited account creation, and automatic expiry at scale without any manual WLC account management B. WLC local accounts slow down DHCP responses as the user database grows — the fix is to increase the DHCP scope size and reduce the lease time to recycle addresses faster C. Local Net Users cannot be used with WebAuth — they only work with 802.1X EAP. Switch to a pre-shared key WLAN for guest access D. Local Net Users are stored in running config only — use Save Configuration frequently to prevent losing all guest accounts on a WLC reboot

Correct answer is A. WLC Local Net Users are designed for small-scale or lab deployments — a few accounts for a small office. At 150–200 guests per day, an administrator would need to create accounts daily, distribute credentials individually (email, printed card, front-desk staff), and manage expiry and cleanup — this is not sustainable. Cisco ISE solves this with a purpose-built Guest Lifecycle Management module: guests can self-register via a web portal (optionally requiring sponsor approval before getting credentials), sponsors can create time-limited credentials via the ISE Sponsor Portal without needing WLC access, accounts expire automatically, and usage is logged for compliance. The WLC WebAuth configuration is identical — only the AAA server in the WLAN Security → AAA Servers tab changes from local to the ISE RADIUS server IP. See AAA RADIUS Configuration.

9. `show client summary` on the WLC CLI shows a guest client with status WebAuth Reqd even after the user claims to have submitted the login form correctly. What should be checked first?

A. The client's 802.11 association is unstable — the client keeps re-associating and resetting WebAuth state B. The DHCP lease has expired — the client needs a new IP before WebAuth can complete C. The WLC software version does not support WebAuth for the client's 802.11 protocol D. Credential validation failed silently — check Security → Local Net Users to confirm the account exists, has not expired, and is scoped to WLAN ID 2. If RADIUS is configured, check RADIUS reachability from the WLC CLI and review the RADIUS server's authentication log for a reject reason. The WLC keeps reporting WebAuth Reqd for any authentication failure — a form submission with wrong credentials or an expired account leaves the client in this state with the portal redisplaying the form

Correct answer is D. The status WebAuth Reqd persists until the WLC receives a successful authentication — it does not advance to Associated/RUN until credentials are validated and accepted. If the user submits the form and the password is wrong, the account is expired (Lifetime elapsed), the account is scoped to a different WLAN ID, or a RADIUS server rejects the credentials, the WLC redisplays the login form with an error and the client status remains WebAuth Reqd. The systematic check is: (1) Find the exact username in Security → Local Net Users — does it exist? Has the Lifetime expired? (2) Verify the WLAN ID on the account matches WLAN 2. (3) If using RADIUS, run ping [RADIUS-IP] from the WLC CLI to confirm reachability, then check the RADIUS server's authentication log for the specific reason code (wrong password, account not found, authorisation policy mismatch).

10. A new branch needs a guest WLAN where visitors accept a terms-of-use page with a single button click — no username or password required — and are given internet access immediately. Which WLC settings achieve this?

A. Layer 2 Security: WPA2-PSK with a shared guest password; Layer 3: Web Policy Authentication — PSK handles Layer 2, the portal provides the terms click-through B. Layer 2 Security: WPA2-Enterprise (802.1X); Layer 3: Web Policy Passthrough — 802.1X handles identity; the portal provides the terms acknowledgement C. Layer 2 Security: None (open SSID — no WPA key required to associate); Layer 3: Web Policy — Passthrough. Passthrough displays a splash/terms page with a single Accept button and requires no username or password. Clients connect without a key, see the portal, click Accept, and receive internet access D. Layer 2 Security: None; Layer 3: Web Policy Authentication with no AAA server configured — the WLC defaults to click-through mode when no authentication backend is available

Correct answer is C. The scenario describes a classic click-through captive portal — no credentials, just terms acceptance. This is exactly what the WLC's Passthrough Web Policy provides. Layer 2 Security must be None (open SSID) so visitors can associate without knowing a WPA passphrase — a PSK would require distributing the key, which undermines the open guest model. Layer 3 Web Policy set to Passthrough presents a customisable splash page with an Accept button. Clicking Accept is the only requirement. No AAA server is needed. The preauthentication redirect ACL is still required to trigger the browser redirect to the splash page. Option D is incorrect — Web Policy Authentication always requires valid credentials. There is no automatic fallback to click-through mode when no AAA server is configured; in that state, authentication simply always fails and no guests get access.

Back to Home