WLC 5508 And Third Party SSL for Web Authentication

habibalby
Level 1

Hello,

We are using WLC 5508 and currently the authentication process is via Customized WebAuth. As you know, with WebAuth the authentication process won't work unless you launch a Web Browser and you will be redirected to the Authentication Page where you type your username and password. This is a bit fuzzy for most of the users and what I'm thinking is to use a different authentication mechanism where the user will automatically be prompted upon connecting to any SSID. I have read that a Public/Third Party certificate will do this and any client can accept the public certificate.


Anyone can elaborate on this approach?

Regards, 

9 Replies

Scott Fella
Hall of Fame
Using a 3rd party certificate is only good if you want to still utilize https on the WebAuth portal and you don't want to see the certificate error. In the later code, v7.5 I believe or later, they added a feature to disable https for WebAuth. The use of a 3rd party cert helps if you want the URL to show up as the FQDN you entered when creating the CSR. You would need to create an A record in DNS to resolve the FQDN to the virtual IP address. In the virtual IP address, you define the FQDN you specified for the certificate. Scott
-Scott
*** Please rate helpful posts ***
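The three conditions Scott lists (the certificate must cover the FQDN from the CSR, the virtual interface must carry that same FQDN rather than a bare IP, and DNS must resolve the FQDN to the virtual IP) are exactly what a browser checks before it shows the portal without a certificate warning. The script below is an added example, not code from the original thread or from Cisco; it encodes those checks as a pre-deployment sanity test. The certificate names, the portal FQDN and the DNS table are constructed stand-ins (webauth.example.edu, 192.0.2.1) and the hostname matching follows the usual browser rule of SAN first, CN only as a fallback, with a wildcard covering a single label.

```python
"""Sanity-check a WLC WebAuth portal name against its certificate and DNS.

Added example. All names, addresses and the DNS table are constructed
placeholders, not records from any real deployment.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PortalCert:
    """Names carried by the certificate installed on the WLC virtual interface."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: exact match, or '*' covering one leading label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard covers exactly one label and is never accepted at TLD depth.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: PortalCert, fqdn: str) -> bool:
    """Browsers use the SAN list when present and ignore the CN; otherwise fall back to CN."""
    names = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(_name_matches(name, fqdn) for name in names)


def check_portal(cert: PortalCert, portal_name: str, virtual_ip: str,
                 dns_a: Dict[str, str]) -> List[str]:
    """Return the list of reasons the redirect would still show a certificate error.

    An empty list means the FQDN, the certificate and the A record line up.
    dns_a is a constructed stand-in for a DNS lookup: hostname -> IPv4 address.
    """
    problems: List[str] = []
    try:
        ipaddress.ip_address(portal_name)
        # A public CA will not issue for a private IP, and the redirect would
        # then present the IP, not the FQDN from the CSR.
        return ["portal name is an IP address; certificate will never validate"]
    except ValueError:
        pass
    if not cert_covers(cert, portal_name):
        problems.append(f"certificate does not cover {portal_name}")
    resolved = dns_a.get(portal_name.lower().rstrip("."))
    if resolved is None:
        problems.append(f"no A record for {portal_name}")
    elif resolved != virtual_ip:
        problems.append(f"{portal_name} resolves to {resolved}, not virtual IP {virtual_ip}")
    return problems


if __name__ == "__main__":
    # Constructed sample: FQDN from the CSR, its A record, and the virtual IP.
    cert = PortalCert("webauth.example.edu", ["webauth.example.edu"])
    dns = {"webauth.example.edu": "192.0.2.1"}
    for name in ("webauth.example.edu", "192.0.2.1", "guest.example.edu"):
        print(name, "->", check_portal(cert, name, "192.0.2.1", dns) or "OK")
```

Run it once with the FQDN you put in the CSR and once with the bare virtual IP; the second case is the one users hit when the controller redirects to an address instead of a name, which is why the virtual interface must carry the FQDN.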

habibalby
Level 1
Is there a way I can achieve SSID prompt authentication without ISE or radius?

I don't know what you mean.... The end user has to choose the SSID and then it's up to the device if it automatically opens a browser so the user sees the portal page.  This is how it would be if you went to a coffee shop with free wifi that had a login or a portal page to accept the agreement before providing access.

Scott

-Scott
*** Please rate helpful posts ***

What I mean is...if you enable HotSpot on your mobile and set up security and connect to it using your laptop you will be prompted to put in the security pass. Is this possible without Radius or ISE? Coffee shop is another good example where the Browser automatically will be launched, where in the current configuration it's not. This confuses lots of our students and staff and takes a huge amount of IT staff time to attend that call and do the authentication process. How can the Browser be launched automatically? Thanks,

You don't control that. That is part of the device OS.

Scott

-Scott
*** Please rate helpful posts ***

So WLC is useless when it comes to authentication feature without additional devices... All of this complexity just to promote and sell other products such as NAP or ISE :)...

You need to understand what the devices need to do and what WLC's or radius servers can perform.  In a normal environment, you would only have one guest or portal page.  How would this be confusing to users??? It's like going to a coffee shop.  If they can't figure that out, then like they say.... User error. Guest is best effort to many organizations and they will not support that for users.  If you have devices that need to access the internal, then you need a radius server to lookup either machine (domain machine) or AD username and password. That is how things are typically deployed.

Scott

-Scott
*** Please rate helpful posts ***

Hi Scott, What I want to achieve is a Layer 2 authentication. I have posted this request before and tried it with MS Radius server, but the problem is this would work only if machines are joined to Domain. Where in my case I can't join them .. https://supportforums.cisco.com/comment/9595246#comment-9595246 Thanks,

With machines that are not part of the domain, typically if you still want to secure them using 802.1x, you would leverage a radius server and users would be told of the SSID to connect to and enter their AD credentials.  Of course, if you use AD credentials, users will now join all their other devices to that SSID. This is where ISE comes in and you can profile devices. Even though the WLC with v7.6 can profile, it's not a full-fledged profiler.  Depending on how well you know radius, you can leverage a portal page also and depending on the AD group a user is a member of, you can put them in a specific VLAN or, if you leverage interface groups, an interface group.  You can do many things, but you need to really know radius and client types to figure out what can work well in your environment. Radius alone to someone who hasn't played with it can take days to set up without help.

Every client I set up radius for is different and it comes down to how their users are set up in AD, what devices they have and the requirements.

Scott

-Scott
*** Please rate helpful posts ***