leejohns
Cisco Employee

You get the certificate security warning because the WLC presents a self-signed certificate that the client's browser does not trust. To deal with that warning, you have a few options:

1.  Leave it as is and let the users know that seeing the warning is expected.

2.  Disable HTTPS on the controller. Almost no one picks this because it is a global change, so even admin logins will be unencrypted.

3.  Install a valid root or chained certificate on the controller from an Internet CA:

    a.  Use a root certificate from a CA like Entrust.  Have the certificate issued for whatever DNS name you want to give the virtual interface IP address of the controller.  You will also need a host entry in the local DNS server for that same name, pointing to the address of the virtual interface.  Under the virtual interface configuration on the controller, enter the DNS hostname you set up in local DNS; it must be the FQDN.  YOU MUST REBOOT for that to take effect.

If you do not want the guest users to have access to your internal DNS servers, you can run a Linux or other free DNS server on the guest network and have the guest clients use that for DNS.  All that server needs is the A record for the virtual interface; it can forward everything else to your ISP or Internet DNS servers.

Certificate request procedure using root cert:

http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

    b.  Use a chained certificate. This is more work than using a root certificate because your final pem file must contain all the intermediate certificates as well as the certificate issued to you.  Other than having multiple certs in the final file, the process is the same as for a root certificate.  Please note that only chains up to level 2 are supported:

Level 0 - server certificate only on the WLC

Level 1 - server certificate on the WLC plus the CA root certificate

Level 2 - server certificate on the WLC, one CA intermediate certificate and the CA root certificate

Level 3 - server certificate on the WLC, two CA intermediate certificates and the CA root certificate

Level 3 or higher is not supported.

CSR for chained certificate

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml

It is important to take notice of the note concerning the use of OpenSSL v0.9.8.  If you use v1.x.x you will more than likely get private key decrypt errors when trying to load the final pem file on the WLC.

Also, if you have multiple guest WLCs, you can use the same certificate on all of them provided the virtual interface configurations are the same.
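As an added example (not Cisco's procedure or code), the shell functions below assemble the final pem bundle in the order the WLC expects and count the certificates in it to derive the chain level described above, rejecting anything beyond level 2; the certificate bodies are constructed placeholders and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not Cisco's code. Counts certificates in a PEM bundle for a
# WLC and maps the count to the chain level described above:
#   1 cert -> level 0, 2 -> level 1, 3 -> level 2 (highest supported),
#   4 or more -> level 3 or higher, which the WLC rejects.

# Constructed placeholder "certificate" for offline testing; $1 is a label.
# It is not a real X.509 certificate, only the PEM framing that grep looks for.
fake_cert() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "CONSTRUCTED-$1" '-----END CERTIFICATE-----'
}

# Print the chain level of the PEM bundle in $1 (certificate count minus one).
wlc_chain_level() {
    count=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    echo $((count - 1))
}

# Succeed only when the bundle is level 0, 1 or 2.
wlc_chain_supported() {
    level=$(wlc_chain_level "$1")
    [ "$level" -ge 0 ] && [ "$level" -le 2 ]
}

# Concatenate certificates into $1 in the order the WLC expects: the server
# certificate first, then any intermediate, then the CA root.
build_wlc_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do cat "$f" >> "$out"; done
}

# Demo with constructed files (names are assumptions): a level-2 bundle
# passes, a level-3 bundle with two intermediates is rejected.
demo() {
    d=$(mktemp -d)
    for n in server inter1 inter2 root; do fake_cert "$n" > "$d/$n.pem"; done
    build_wlc_bundle "$d/level2.pem" "$d/server.pem" "$d/inter1.pem" "$d/root.pem"
    build_wlc_bundle "$d/level3.pem" "$d/server.pem" "$d/inter1.pem" "$d/inter2.pem" "$d/root.pem"
    for b in level2 level3; do
        if wlc_chain_supported "$d/$b.pem"; then
            echo "$b.pem: level $(wlc_chain_level "$d/$b.pem"), supported"
        else
            echo "$b.pem: level $(wlc_chain_level "$d/$b.pem"), NOT supported by WLC"
        fi
    done
    rm -rf "$d"
}

demo
```

Run the count against the real final pem file before loading it on the controller; a level-3 result means an intermediate has to be dropped from the chain or a different issuing path requested from the CA.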

Comments
glenj
Community Member

Vista and Win7 use an automatic root-certificate update mechanism: http://support.microsoft.com/kb/931125
If the user's browsing hasn't cached the root we use for webauth, they will get a cert warning, even if the webauth cert is valid and signed by a trusted root cert. Since roots are now downloaded, as they are needed, from Windows Update (see http://technet.microsoft.com/en-us/library/cc749331(WS.10).aspx), and Windows Update uses Akamai, allowing this new auto root update mechanism via an ACL pinhole appears to be impossible. Our environment is BYOD. Any ideas for solving this?
