topic Looking at the document, I in Wireless

Your connection 1.1.1.1 is not private

kdgattis — Mon, 05 Jul 2021 09:30:08 GMT

I have a cisco controller 2504. We have guest internet plug into port 2 of the controller. I have layer 3 web authentication set up in which guest see a web site and type a user name and password to get on the guest wireless internet. However, when I connect I get this every time, "Your connection is not private 1.1.1.1, NET:ERR_CERT_AUTHORITY INVLAID, This server could not prove that it is 1.1.1.1; its security certificate is not trusted by your computer operating system. I'm unsure on setting up certificates, but I do see one on the controller as 1.1.1.1. If I export it to my computer and install as a trusted certificate then it works, but how do I get the guest pc's to trust this controller. Do I need a public certificate?

if you want the guest to not

Stephen Rodriguez — Fri, 13 Feb 2015 15:37:11 GMT

if you want the guest to not get that cert warning, then you would want to get a certificate from a well known provider.

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.html

When you do this, you also need to make sure that the DNS server you give to the guests can resolve the Virtual interface IP/name to the name that you put in the certificate.

HTH,

Steve

Looking at the document, I

kdgattis — Fri, 13 Feb 2015 15:50:01 GMT

Looking at the document, I see something called OpenSSL. Do I get a certificate from that website or could you recommend a well known provider. Not much experience with certificates. Just started about 6 months ago on the guest wireless. We have had wireless for the employees for years but guest is new.

openSSl is just a program to

Stephen Rodriguez — Fri, 13 Feb 2015 15:55:52 GMT

openSSl is just a program to let you build the request and combine the files you get back from the provider.

for well known, Thawte, Verisign, GoDaddy...

HTH,

Steve

Its a bit involved .. Create

George Stefanick — Fri, 13 Feb 2015 15:59:48 GMT

Its a bit involved ..

Create CSR

Get CSR signed

Bind the CSR to private pem

Upload to the controller

Make sure the cert name resolve to 1.1.1.1 (virtual ip address on WLC).

Add A record like guest.yourdomain.com to resolve to 1.1.1.1

I do this for customers all the time.. ping dcmc.guestnetwork.org

Another newbie question, Why

kdgattis — Fri, 13 Feb 2015 16:15:10 GMT

Another newbie question, Why do I have to have a certificate for this to work? I guest I'm not understanding the certificate. For example, at my house the internet comes in, I have it plugged into a wireless router don't need one to connect to the internet. At our facility the internet comes in, plug into a cisco RSV I think, then plug into port 2 on the controller. The web address it redirects them to is our web page www.autumncorp.com in which is provided by BizCom. Wouldn't the cisco controller basic certificate I see under Web Auth, certificate locally generated be trusted, since it's from cisco. I thought certificate were for a business which house their own web servers. Sorry for some many questions, trying to understand when I need a certificate and when I don't.

Can I generate CSR on my

kdgattis — Fri, 13 Feb 2015 16:49:08 GMT

Can I generate CSR on my windows 2008 CA server, or does it have to be public from a third party?

No since your guest won't

George Stefanick — Fri, 13 Feb 2015 16:51:42 GMT

No since your guest won't have your root. You need to have a pubic ..

Ok, another newbie question.

kdgattis — Fri, 13 Feb 2015 17:03:02 GMT

Ok, another newbie question. Do I have already a certificate from our website "www.autumncorp.com" from BizCom. Since BizCom houses our website wouldn't that be trusted. I'm I looking at this wrong.

Who signs your public certs ?

George Stefanick — Fri, 13 Feb 2015 18:00:48 GMT

Who signs your public certs ? Bizcom sound like a web hosting company.. They don't sign certs.

You would create a CSR in openssl and fill out the cert info. The common name you could use guest.autumncorp.com.

Nobody signs public certs. I

kdgattis — Fri, 13 Feb 2015 19:07:18 GMT

Nobody signs public certs. I have a CA on our active directory server. I guess so far we haven't needed one until now. Bizcom is a web hosting and email company.

Yea, so whoever manages you

George Stefanick — Fri, 13 Feb 2015 19:20:35 GMT

Yea, so whoever manages you domain or maybe even the web host can get you a signed cert. Like for me I own guestnetwork,org. I go through godaddy .. I provide them my CSR and they burn me the cert tied to my domain.

This is why I created guestnetwork.org I handle this entire process for customers; csr,cert,A record etc ... It can be a pain for some folks.

Make sense?

autumncorp.com is our domain

kdgattis — Fri, 13 Feb 2015 19:48:21 GMT

autumncorp.com is our domain name and BizCom manages it. Do I need to get up with them to get a certificate for our domain and install that certificate on my controller. Another question, if I redirect them to another web site like www.google.com would that bypass the certificate error. Also, how many certificates do I need? Just one, or one for each guest logging in. Not seeing this message on phones or ipads just computers.

You create the CSR in open

George Stefanick — Fri, 13 Feb 2015 19:52:48 GMT

You create the CSR in open SSL. You give your CA the CSR and they will burn you the cert.

Then you take the root, chain, device certs then bind it to the pem in open ssl.

Once that is done then you upload to the controller.

Make sure you use a version of openssl lower than 1.0v.

If you want a guest page then you need the cert. Redirects happen AFTER the page pop up.

You only need one and you can put on your different controllers.

Are you anchoring ?

Delete the SSID from your iPad and try it again. Looks like you may have accepted the cert the first time.

Thanks, alot for all your

kdgattis — Fri, 13 Feb 2015 20:43:22 GMT

Thanks, alot for all your help. If I only need one certificate for all my controllers how much does a certificate usually cost?

No worries.. Certs you buy in

George Stefanick — Fri, 13 Feb 2015 20:55:13 GMT

No worries.. Certs you buy in time .. Like one year is $75 or cheaper .. depends which CA you use to sign.

Feel free to support the rating system if any of this is helpful!