12-18-2012 05:37 AM - edited 07-03-2021 11:14 PM
Hello guys,
I have some problems with iOS 6 devices when using WebAuth on the WLC.
I think the problem is that I have a self-signed cert on the WebAuth of the WLCs, which Safari considers untrustworthy.
So I think the only solution is to install a cert which is signed by a root CA.
I found these instructions on how to generate a cert request for the WLC:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
Regarding that, I have some questions:
Has anyone had the same problems generally with untrusted certs on iOS 6?
When I have 2 WLCs, can I use the same certificate for both WLCs (virtual IP and DNS name are the same)?
Has anyone done that with a 5508 or 4400 controller?
Thanks
Greetings, Philip
12-18-2012 05:41 AM
Hi Phil,
Who signed your cert? Is the CA in the device's chain? As for your cert question, yes, you can use the same cert; just make sure the name you use is what you put in both controllers. Yes, I did this with a 4404 and 5508. I moved the cert from the 4400 to the 5508s.
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
12-18-2012 05:46 AM
ATM it is a cert locally self-signed by the controller. I think that's the reason why I get the untrustworthy error.
I think the only possibility for me to have a cert which is in the cert store of every browser is to buy a cert from an official CA, right?
Or how did you do that? Did you just do that for the devices which use a cert from your internal CA?
Thanks for the fast response
12-18-2012 05:50 AM
Exactly. You are getting this "accept cert" prompt because the controller cert being presented to the device browser doesn't have the WLC cert in its trusted store.
Yea, you would need to purchase a signed CA to overcome this... If you go this route, I blogged this step-by-step process from CSR to install. It might help...
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
12-18-2012 06:21 AM
Another question is regarding the DNS Name.
When I use the same cert for 2 or 3 WLCs, do I have to give all of them the same DNS name?
So do I have to make a DNS entry for that DNS name with three different IPs?
--> DNS round-robin
12-18-2012 06:25 AM
No, every WLC in the mobility group needs to have the same virtual IP address. The DNS name for the WebAuth certificate is configured under the virtual IP. So having three WLCs with the same certificate and name is not an issue. And you'll only need the one A record.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
12-18-2012 06:28 AM
As Steve mentioned: one DNS name and one A record. Then you need to publish this A record to the inside DNS or to the outside. If you publish to the inside, that means users
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
12-18-2012 09:19 AM
Hope you've got the cert issued to an FQDN and not to an IP.
If the cert is tied to an FQDN and not to an IP address, typically you can use this cert wherever you've got the same FQDN the cert is issued for.
12-19-2012 12:24 AM
I still haven't requested the cert, but I will do that at the beginning of next year, so I needed the information about what I have to do.
Very many thanks to all for the fast and very good answers!!!
Philip
12-19-2012 01:26 AM
I have another question:
Has anyone tested this with a wildcard certificate?
11-15-2013 12:55 AM
Philip,
I'm currently using a wildcard cert on my WLC (WiSM 2); it's working fine for Windows machines, but I think I need to install the CA cert separately in order to get it working for Android/iPhone.
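As an added illustration of two points raised in the thread (the cert must be issued to the FQDN clients are redirected to, not to the virtual IP, and whether a wildcard cert covers that name), here is the RFC 6125 name-matching logic a browser applies to the WebAuth certificate. This is example code written for this page, not from the thread or from Cisco; the hostname `webauth.example.com`, the address 192.0.2.1 and the sample certificates (in the dict shape Python's `ssl.getpeercert()` returns) are constructed.

```python
"""Check whether a WebAuth certificate is issued for the name clients will
actually see: the DNS hostname configured on the WLC virtual interface.
Certificates use the dict shape returned by ssl.getpeercert(); the samples
below are constructed for illustration, not taken from a real controller."""
import ipaddress

def _names_in_cert(cert):
    """Collect DNS and IP identifiers from subjectAltName; fall back to the
    subject CN only when the certificate carries no SAN at all (legacy)."""
    san = cert.get("subjectAltName", ())
    dns = [v for t, v in san if t == "DNS"]
    ips = [v for t, v in san if t == "IP Address"]
    if not dns and not ips:
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips

def _label_match(pattern, hostname):
    """One presented identifier against one hostname. A '*' may only be the
    entire leftmost label and never spans a dot, so *.example.com matches
    webauth.example.com but neither example.com nor a.webauth.example.com."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_host(cert, hostname):
    """True if the certificate is valid for hostname. An IP literal only
    matches an 'IP Address' SAN, so a cert issued to the virtual IP is not
    accepted once the client is redirected to the virtual-interface FQDN."""
    dns, ips = _names_in_cert(cert)
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        return any(_label_match(n, hostname) for n in dns)
    return any(ipaddress.ip_address(i) == addr for i in ips)

# Constructed samples: DNS name on the virtual interface, and three certs.
WEBAUTH_FQDN = "webauth.example.com"
CERT_TO_IP = {"subject": ((("commonName", "192.0.2.1"),),),
              "subjectAltName": (("IP Address", "192.0.2.1"),)}
CERT_TO_FQDN = {"subject": ((("commonName", WEBAUTH_FQDN),),),
                "subjectAltName": (("DNS", WEBAUTH_FQDN),)}
CERT_WILDCARD = {"subject": ((("commonName", "*.example.com"),),),
                 "subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    for name, cert in [("ip", CERT_TO_IP), ("fqdn", CERT_TO_FQDN), ("wildcard", CERT_WILDCARD)]:
        print(f"{name:9s} valid for {WEBAUTH_FQDN}: {cert_matches_host(cert, WEBAUTH_FQDN)}")
```

The same function applied to every controller in the mobility group gives the same answer, because they all present the one FQDN configured on the shared virtual IP.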