WebAuth: WLC Certificate 1.1.1.1 without DNS entry for virtual interface

sniff
Level 1

Hello,

someone wrote "CN= could not be an IP address".

Is it really so?

Is the DNS entry (virtual interface) a "must" field to use with certificates?

Is it possible to use the 1.1.1.1 ip address without DNS entry and use a certificate with CN=1.1.1.1?

Sven

Accepted Solution

Hi Sven,

I agree with George.  We do have many Customers that configure their Guest DHCP scope with a public DNS server, and then simply create a new DNS A Record on their externally-facing DNS server for the company's domain (ex. wifi.cisco.com).  Some public DNS servers will allow resolution to 1.1.1.1, and others will not.

You can always feel free to change your Virtual IP address to an acceptable IP (whether a private address, or owned by your organization).  Just be sure that this address is not routable on your network (one of the requirements for the Virtual Interface).

You're exactly right.  Although disabling HTTPS on the WLC is a workaround, it will disable the Secure server globally, including Web Admin access.

Best,

Drew

6 Replies

George Stefanick
VIP Alumni

Hello,

Yes, the purpose for this entry is so that the controller knows the name of the certificate for the virtual address translation.

1. Guest client goes to google.com

2. Client goes to DNS (the one it is assigned in DHCP)

3. DNS resolves the DNS for google.com

4. Client then attempts to go to google.com

5. Controller intercepts GET and replaces it with a 1.1.1.1

6. Controller then takes the 1.1.1.1 and translates this to the DNS name to negate the (accept this cert screen)

7. DNS then gets resolved to the name (example guest.xxx.com)

8. Controller presents the guest screen ...

YADA YADA YADA ...

I hope this helps ...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
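As an added example (not from George's post and not Cisco's own code), the following Python models the browser-side check behind that redirect: the client is sent to whatever host the WLC puts in the redirect, and a browser matches an IP literal only against an iPAddress SAN, never against the CN, which is why CN=1.1.1.1 does not remove the warning. The hostnames, addresses and the /login.html path are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class WebAuthCert:
    """Fields of the certificate uploaded to the WLC that matter for matching."""
    subject_cn: str
    san_dns: list = field(default_factory=list)  # dNSName SAN entries
    san_ip: list = field(default_factory=list)   # iPAddress SAN entries


def redirect_url(virtual_ip, virtual_hostname=None):
    """Steps 5/6 above: the intercepted GET is redirected to the virtual
    interface; with a hostname configured the redirect uses the name.
    The /login.html path is an assumption for this model."""
    return f"https://{virtual_hostname or virtual_ip}/login.html"


def _dns_name_match(pattern, host):
    """RFC 6125 style match: case-insensitive, a wildcard is allowed only
    as the complete leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2 or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def cert_matches_url(cert, url):
    """True if a modern browser would accept `cert` for the host in `url`."""
    host = urlsplit(url).hostname
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is matched only against iPAddress SAN entries; the
        # CN is never consulted, so CN="1.1.1.1" cannot satisfy this path.
        return any(ipaddress.ip_address(s) == ip for s in cert.san_ip)
    if cert.san_dns:
        return any(_dns_name_match(p, host) for p in cert.san_dns)
    # Legacy fallback: CN is used only when no SAN is present at all
    # (current browsers have dropped even this).
    return _dns_name_match(cert.subject_cn, host)


def webauth_accepted(virtual_ip, virtual_hostname, cert):
    """Whole check: the host the guest lands on and whether the cert fits it."""
    url = redirect_url(virtual_ip, virtual_hostname)
    return urlsplit(url).hostname, cert_matches_url(cert, url)
```

Run with Sven's setup (virtual IP 1.1.1.1, no hostname, CN=1.1.1.1) the check fails; with a hostname and a matching dNSName SAN it passes.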

Hello George,

the problem is, I have no DNS (worse: I must use a public DNS) and 1.1.1.1 is a public address.

The controller guest interface is directly connected to a firewall without DNS.

The company restriction is, all company DNS must be separated from the guest LAN.

So the question is, can I generate a certificate with CN=1.1.1.1?

Or, what can I do without a DNS Server?

Sven

The purpose of the certificate / DNS is so that clients don't get the "accept cert" ... You can enable HTTP and you don't need to worry about the cert ....

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

HTTP enable is a possible workaround, but I think it's enabled globally.

So the WLC management access is insecure now.

Sven

Dear all,

we don't have a company DNS for our guest interface. We just forward the guest traffic to 8.8.8.8.

We want to upload a valid certificate to our WLC to prevent the security warning on the browser.

Currently the VirtIP is 1.1.1.1. We use a valid FQDN and change this address to a private, non-routable one.

Where can we set the Host A entry for our virtual IP?

Thanks,

Marco
