WebAuth Cert signed by CA on WLC

Philip91
Level 1

Hello guys,

I have some problems with iOS 6 devices when using WebAuth on the WLC.

I think the problem is that I have a self-signed cert on the WebAuth of the WLCs, which Safari does not trust.

So I think the only solution is to install a cert which is signed by a root CA.

I found this instruction on how to generate a cert request for the WLC:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml

Regarding that I have some questions:

Has anyone had the same problems generally with untrusted certs on iOS 6?

When I have 2 WLCs, can I use the same certificate for both WLCs (virtual IP and DNS name are the same)?

Did anyone do that with a 5508 or 4400 controller?

Thanks

Greetings Philip


10 Replies

George Stefanick
VIP Alumni

Hi Phil,

Who signed your cert? Is the CA in the device's chain? As for your cert question, yes, you can use the same cert; just make sure the name you use is what you put in both controllers. Yes, I did this with a 4404 and 5508. I moved the cert from the 4400 to the 5508s.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
___________________________________________________________

At the moment it is a cert locally self-signed by the controller. I think that's the reason why I get the untrusted error.

I think the only possibility to have a cert which is in the cert store of every browser is to buy a cert from an official CA, right?

Or how did you do that? Did you just do that for the devices which use a cert from your internal CA?

Thanks for the fast response.

Exactly. You are getting this "accept cert" prompt because the controller cert being presented to the device browser doesn't have the WLC cert in its trusted store.

Yes, you would need to purchase a CA-signed cert to overcome this. If you go this route, I blogged this step-by-step process from CSR to install. It might help:

http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html


Another question is regarding the DNS name.

When I use the same cert for 2 or 3 WLCs, then I have to give all of them the same DNS name, right?

So do I have to make a DNS entry for that DNS name with three different IPs?

--> DNS round robin

No, every WLC in the mobility group needs to have the same virtual IP address. The DNS name for the WebAuth certificate is configured under the virtual IP. So having three WLCs with the same certificate and name is not an issue, and you'll only need the one A record.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


As Steve mentioned: one DNS name and one A record. Then you need to publish this A record to the inside DNS or to the outside. If you publish to the inside, that means users will need access to the inside DNS to resolve it. Or you can publish to the outside so DNS servers like Google 8.8.8.8 can resolve it.


Hope you've got the cert issued to the FQDN and not to an IP.

If the cert is tied to the FQDN and not to an IP address, typically you can use this cert wherever you have the same FQDN the cert is issued for.

I still haven't requested the cert, but I will do that at the beginning of next year, so I needed the information on what I have to do.

Very many thanks to all for the fast and very good answers!!!

Philip

I have another question:

Has anyone tested this with a wildcard certificate?

Philip,

I'm currently using a wildcard cert on my WLC (WiSM 2). It's working fine for Windows machines, but I think I need to install the CA cert separately in order to get it working for Android/iPhone.
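George's point about the trusted store, the advice to have the cert issued to the FQDN rather than an IP, and the last reply's observation that Windows is happy while Android/iPhone want the CA cert installed separately all come down to what the client can verify from what the controller presents. The script below is an added example, not code from this thread, from Cisco or from the blog linked above: it builds a throwaway root, intermediate and WLC leaf with openssl (the hostname webauth.example.com and virtual IP 1.1.1.1 are assumed values, not ones from the thread), then checks the leaf the way a browser would: first with only the root trusted and no intermediate supplied, which is the situation a phone is in when the controller sends the bare leaf, then with the chain, and finally by the FQDN and by the IP literal.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> WLC
# leaf PKI with openssl and check it the way a client browser would.
# Assumptions (mine, not from the original post): WebAuth FQDN webauth.example.com,
# virtual IP 1.1.1.1, files written under $WORK (a temp dir by default).
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="webauth.example.com"
VIP="1.1.1.1"

# Create root CA, intermediate CA and the WLC leaf, then the chain file the
# controller should present (leaf first, then the intermediate).
mk_pki() {
  cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:true
keyUsage=critical,keyCertSign,cRLSign
EOF
  # The leaf is issued to the DNS name only; no IP literal in the SAN.
  cat > "$WORK/leaf.ext" <<EOF
basicConstraints=CA:false
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$FQDN
EOF
  # Root CA: self-signed.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
      -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
      -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1
  # Intermediate (issuing) CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
      -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
      -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1
  # WLC leaf: this CSR is the kind you would submit to a CA; here our own CA signs it.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
      -keyout "$WORK/wlc.key" -out "$WORK/wlc.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/wlc.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
      -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/wlc.pem" >/dev/null 2>&1
  cat "$WORK/wlc.pem" "$WORK/inter.pem" > "$WORK/chain.pem"
}

# Print the SAN the browser will match against (e.g. "DNS:webauth.example.com").
show_san() {
  openssl x509 -in "$WORK/wlc.pem" -noout -text \
      | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Chain check: exit 0 if the leaf validates against the root given the extra
# certs in $1. Pass "" for a client that only received the leaf, which is what
# a phone that does not have the intermediate in its store sees.
verify_with() {
  if [ -n "${1:-}" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/wlc.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/wlc.pem" >/dev/null 2>&1
  fi
}

# Name check with the full chain: $1 is what the client typed in the URL.
# An IP literal is matched against iPAddress SAN entries, a name against DNS ones.
verify_name() {
  case "$1" in
    *[!0-9.]*) openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" \
                   -verify_hostname "$1" "$WORK/wlc.pem" ;;
    *)         openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" \
                   -verify_ip "$1" "$WORK/wlc.pem" ;;
  esac >/dev/null 2>&1
}

mk_pki
echo "SAN: $(show_san)"
verify_with ""                && echo "leaf only: OK" || echo "leaf only: FAIL (intermediate missing)"
verify_with "$WORK/inter.pem" && echo "leaf + intermediate: OK" || echo "leaf + intermediate: FAIL"
verify_name "$FQDN"           && echo "https://$FQDN/ : OK" || echo "https://$FQDN/ : FAIL"
verify_name "$VIP"            && echo "https://$VIP/ : OK" || echo "https://$VIP/ : FAIL (cert names the FQDN, not the IP)"
```

The "leaf only" check failing while "leaf + intermediate" passes is the difference between a client that can fetch the missing intermediate on its own (Windows does this through the certificate's AIA URL) and a phone that trusts only the public root and validates exactly what the handshake delivered; the usual fix is to install the intermediate on the controller together with the leaf so both are sent, rather than pushing the CA cert to every device. The last line shows why the name on the cert has to be the one under the virtual IP: a client sent to https://1.1.1.1/ gets a name mismatch even with a perfectly good chain. To try the wildcard case, change the SAN line to DNS:*.example.com and rerun; -verify_hostname then tells you which names the wildcard does and does not cover.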
