Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
941
Views
0
Helpful
3
Replies

Simple wireless network w/SSL on WLC 3504

Go to solution
netadmin@medcompnet.com
Level 1
Level 1

‎11-27-2019 02:10 PM - edited ‎07-05-2021 11:21 AM

I am trying to set up a very basic network on a WLC 3504. I want it to use web auth with a SSL

certificate signed by a 3rd party CA. The cable plugs in to port 2 on the WLC and goes out to the Internet using a dedicated port on the CPE on VLAN 11. This port is 192.168.111.1 and interface uses 192.168.111.2. DHCP should Hand out 192.168.111.20-200. Clients should be isolated from each other and should not be able to access lan subnets outside of the 192.168.111.0/24 range. The problem I have been running into is that the SSL name (I’ll say contosowireless.contoso.com) fails DNS queries. We did a packet capture and found that the dns server was not responding to queries. My theory is that the dns Server is on the LAN and packets are not passing through prior to the webauth completing. I’ve been working with support and they have me defining VLANS and routes and in 6 different pieces of equipment. There has to be a simpler way to configure this- any suggestions?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
netadmin@medcompnet.com
Level 1
Level 1
In response to netadmin@medcompnet.com

‎12-07-2019 07:37 AM

Thanks everyone for the help. I ended up solving this on my own, and here is how:
Since the connection is isolated directly out to the Internet, the client needed to ask a public DNS server where to get the webauth page. So I added a record to my public DNS to associate the CN on the certificate to the IP of the WLC’s virtual controller. The client looks for webauth on the virtual IP by name, dns supplies the IP and because the AP is internal to the firewall, the client receives the webauth page from the WLC and login proceeds correctly.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Haydn Andrews
VIP Alumni
VIP Alumni

‎11-27-2019 02:51 PM

Allow DNS in your pre-auth ACL

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***
0 Helpful

Go to solution
netadmin@medcompnet.com
Level 1
Level 1
In response to Haydn Andrews

‎11-30-2019 08:46 PM

Thanks for the advice! Tried this and now I can connect... but it skips the web auth login page... my WLC is properly handing out the 192.168.111.0/24 addresses to the clients that connect to the SSID, and I have Internet access from the SSID. I’ve uploaded my preauth acl which should only allow DNS to and from the server at 192.168.3.2. Any idea what I need to change?

Preview file
6302 KB
0 Helpful

Go to solution
netadmin@medcompnet.com
Level 1
Level 1
In response to netadmin@medcompnet.com

‎12-07-2019 07:37 AM

Thanks everyone for the help. I ended up solving this on my own, and here is how:
Since the connection is isolated directly out to the Internet, the client needed to ask a public DNS server where to get the webauth page. So I added a record to my public DNS to associate the CN on the certificate to the IP of the WLC’s virtual controller. The client looks for webauth on the virtual IP by name, dns supplies the IP and because the AP is internal to the firewall, the client receives the webauth page from the WLC and login proceeds correctly.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card