05-06-2011 12:36 PM - edited 07-03-2021 08:09 PM
I have Web Authentication setup on my WLC and it is working fine. However the address bar shows the redirect to 1.1.1.1, now if I add the DNS name on the second line like "mywireless.mydomain.com" I see that redirect is trying to get to that name but times out because it can't resolve it.
So my question is if I want that to resolve I will need to change 1.1.1.1 to a public IP and then add a public DNS record correct?
05-06-2011 10:13 PM
what it means is that you need a local or private DNS having a host with the IP 1.1.1.1 mapped to whatever.yourdomain.com
1.1.1.1 is the virtual interface...
DNS should be accessible all the time..
DNS MUST have an entry with the virtual IP and name configured...
05-06-2011 10:35 PM
I think the concern is whether or not you can create a DNS entry pointing to an IP address that you do not own. This is actually a very common misconception.
It might be that some DNS servers won't let you do this, but it is more than likely that your DNS host for your domain will let you put whatever IP Address you want in any DNS entry you create.
As long as you point your web-auth users to a DNS server that can ultimately resolve your DNS entry for the Virtual Interface, you should be good to go.....
-Wesley Terry
05-09-2011 07:34 AM
Thank you for the last reply, it makes sense, but since the users will have no access to the internal DNS server I can't use the 1.1.1.1 IP. So in that
case what if I create an external DNS entry and give that virtual interface a valid IP address that is resolvable by external DNS servers?
Now if I do that I guess my next issue would be to only allow the wireless users to be able to access that page, I don't want anyone from anywhere to just be able to access it. So I can probably take care of it from the ACL on the firewall?
05-09-2011 07:54 AM
Why don't you have an External DNS resolve the name to 1.1.1.1? That's the point I was trying to get across before, unless your external DNS has some weird restriction on the IP addresses you can point to, you should be able to make an external DNS say: webauth.domain.com = 1.1.1.1
As for point #2, if you did put an external address, I don't think anything will be able to access it. This is a virtual interface with no point of ingress nor egress on the WLC. It is more or less a "hijack me if this IP is destination for wireless traffic" (for example, when you talk to 1.1.1.1, your packets are actually destined to the gateway since it is layer 3, but the WLC takes these packets and responds instead of forwarding to the DS/gateway)..
Anyhow... I suppose an ACL would be for safe measure just in case....
-Wesley Terry
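Two checks a wireless client in the pre-auth state could run to confirm the setup described above: that the web-auth name resolves to the virtual IP through the DNS server DHCP handed out, and that the certificate loaded on the virtual interface is trusted and carries that name. This is an added example, not code from the thread or from Cisco; `webauth.example.com` is a hypothetical name and 1.1.1.1 is the WLC default virtual IP discussed in the thread.

```python
import socket
import ssl

WEBAUTH_HOST = "webauth.example.com"   # hypothetical DNS name set on the virtual interface
VIRTUAL_IP = "1.1.1.1"                  # WLC default virtual interface address


def check_dns(hostname, virtual_ip, resolver=None):
    """Return (ok, addresses): ok only when the name resolves and every A record is
    the virtual IP. Default resolver is the client's own, i.e. what DHCP handed out."""
    if resolver is None:
        def resolver(name):
            return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)})
    try:
        addrs = list(resolver(hostname))
    except OSError:            # socket.gaierror: NXDOMAIN, timeout, no DNS reachable pre-auth
        return False, []
    return bool(addrs) and all(a == virtual_ip for a in addrs), addrs


def cert_covers_hostname(cert, hostname):
    """True if a getpeercert()-style dict names hostname in its DNS SANs or, when there
    are none, in the subject CN. Exact names plus a single leading wildcard label."""
    hostname = hostname.lower()

    def matches(pattern):
        pattern = pattern.lower()
        if pattern.startswith("*."):
            return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
        return pattern == hostname

    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(matches(s) for s in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(matches(c) for c in cns)


if __name__ == "__main__":
    ok, addrs = check_dns(WEBAUTH_HOST, VIRTUAL_IP)
    print(f"DNS {WEBAUTH_HOST} -> {addrs or 'unresolved'}: {'ok' if ok else 'MISMATCH'}")
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # name checked separately so chain and name failures are reported apart
    try:
        with socket.create_connection((VIRTUAL_IP, 443), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=WEBAUTH_HOST) as tls:
            cert = tls.getpeercert()
        print("chain trusted; name matches:", cert_covers_hostname(cert, WEBAUTH_HOST))
    except ssl.SSLCertVerificationError as exc:
        print("chain NOT trusted by this client (browser will warn):", exc)
```

Run it from a wireless client before authenticating; a resolution failure here is exactly the timeout the first post describes.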
05-09-2011 10:25 AM
I can do that but if I point the external DNS to 1.1.1.1 wouldn't that be illegal as we do not own that IP?
05-09-2011 11:28 AM
I don't know of it being Illegal or Legal, so you raise a valid concern.
With that said, a DNS is just like a shortcut type system, you aren't saying you OWN that IP address or anything....
It's not much different than setting up a blog or googlemail system where you point your domain name (or some specific record) to the IP of their server....
I suppose they give you permission to do so, but the same concept applies.
I guess the question here is:
Does anyone know if it is Illegal to make a public DNS entry for an IP address that you do not own?
In other words, if I made an entry "dns.companyname.com", and I pointed DNS = 4.2.2.2, is that "illegal"? I don't think so, but I'm not an authority on the matter...
Sure would be nice if anyone else reading this had a valid opinion on what is not legal (like maybe a spec that says so).
-Wesley Terry
05-09-2011 02:53 PM
Thank you for your reply, looks like I'm almost there lol. So I have the cert loaded, changed the Virtual interface's IP address from 1.1.1.1 to a valid IP but now none of my APs are joining the controller
05-09-2011 04:03 PM
Were the APs joining before?
If not, can you still manage the WLC?
I'm not sure what the validity is in assigning a real IP to the virtual interface, but I'm sure if it's in any way related to other IP addresses you have, it will probably mess everything up.
I know there was a lot of talk about changing the best practice from 1.1.1.1 to some other IP space reserved for documentation or something, (not multicast, not part of your standard internal use 10,172,192 subnets, but not external-use either?)
What does everyone else use for their Virtual IP?
05-09-2011 04:34 PM
I can still access the WLC, here is the problem:
- I am using the WLC as the DHCP server
- So when clients and APs request an IP it comes on the management interface
- Management interface sends it to the virtual interface which is 1.1.1.1
- Now per Cisco that needs to be a non routable address such as 1.1.1.1
- So if I change the 1.1.1.1 IP to something else none of the clients can get an IP address
- If I leave it everything works other than the web authentication because clients can't resolve the domain name.