02-22-2013 01:42 AM - edited 03-10-2019 08:07 PM
Hi guys,
Our company is trying to implement Guest Access with ISE and WLC using the Local Web Auth method. But there is a problem that comes up with the certificate. This is the scenario:
1. Guests try to connect to wifi with SSID Guest
2. Once connected, guests open the browser and try to open a webpage (example: cisco.com)
3. Because guests haven't logged in, they are redirected to the "ISE Guest Login Page" (URL became:
)
4. If there is no ISE Guest Login Page installed, an Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
5. After that the Guest Login Page will appear, and guests input their username and password.
6. Login succeeds and they are redirected to www.cisco.com, and there is a pop-up from 1.1.1.1 (WLC Virtual Interface IP) with a logout button.
The problem happens in scenario 6: after login succeeds, the webpage with the ISE IP address and a certificate error message for 1.1.1.1 appears.
I know it happened when guests didn't have the WLC Login Page Certificate...
My question is: is there a way to tunnel the WLC certificate on ISE? Or what can we do to make ISE validate the WLC certificate, so guests don't need to install the WLC certificate / root certificate before connecting to wifi?
Thx 4 your answer and sorry for my bad English....
02-27-2013 12:50 AM
Don't mix WLC Local Web Authentication with ISE Guest Portal. Choose either one or the other. I would suggest Guest Portal + WLC CWA.
02-27-2013 01:57 AM
Thx for your reply Peter, your solution is right,
I don't choose CWA, because their DNS is not stable...
I've found the problem...
the third-party CA is revoked, so there is no way it will succeed until it is fixed...
and there is no guarantee they will fix it soon..
so the solution that we chose is to disable "HTTPS" on the WLC...
"config network web-auth secureweb disable".
thank you all...
03-01-2013 08:49 AM
I would recommend that you get yourself a new certificate instead of disabling HTTPS. You can get a new public cert pretty cheap from godaddy, etc. That way your credentials are not passed unprotected.