03-18-2011 04:18 AM - edited 07-03-2021 07:58 PM
Hello,
someone wrote "CN= could not be an IP address".
Is it really so?
Is the DNS entry (virtual interface) a "must" field to use with certificates?
Is it possible to use the 1.1.1.1 ip address without DNS entry and use a certificate with CN=1.1.1.1?
Sven
03-19-2011 02:18 PM
Hi Sven,
I agree with George. We do have many Customers that configure their Guest DHCP scope with a public DNS server, and then simply create a new DNS A Record on their externally-facing DNS server for the company's domain (ex. wifi.cisco.com). Some public DNS servers will allow resolution to 1.1.1.1, and others will not.
You can always feel free to change your Virtual IP address to an acceptable IP (whether a private address, or owned by your organization). Just be sure that this address is not routeable on your network (one of the requirements for the Virtual Interface).
You're exactly right. Although disabling HTTPS on the WLC is a workaround, it will disable the Secure server globally, including Web Admin access.
Best,
Drew
03-18-2011 09:29 AM
Hello,
Yes, the purpose for this entry is so that the controller knows the name of the certificate for the virtual address translation.
1. Guest Client go to google.com
2. Client goes to DNS (the one it is assigned in DHCP)
3. DNS resolves the DNS for google.com
4. Client then attempts to go to google.com
5. Controller intercepts GET and replaces it with a 1.1.1.1
6. Controller then takes the 1.1.1.1 and translates this to the DNS name to negate the (accept this cert) screen
7. DNS then gets resolved to the name (example guest.xxx.com)
8. Controller presents the guest screen ...
YADA YADA YADA ...
I hope this helps ...
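George's steps hinge on the redirect target matching the name the certificate was issued for, which is also Sven's CN=1.1.1.1 question. The following is an added example, not from this thread or from Cisco: a stand-alone Python function applying the RFC 2818 / RFC 6125 matching rules to constructed certificate data (wifi.cisco.com from the thread, 1.1.1.1 as the virtual IP), showing that an IP literal is only covered by an iPAddress subjectAltName, never by a CN that merely spells out the address.

```python
"""Does a server certificate cover the name or IP the client was redirected to?
Matching follows RFC 2818 / RFC 6125: an IP literal in the URL needs an
iPAddress subjectAltName; the subject CN is only a legacy fallback for DNS names."""
import ipaddress
from typing import List, Optional, Tuple


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match. A single '*' is allowed only as the whole
    left-most label, and only if at least two more labels follow (no '*.com')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_target(san: List[Tuple[str, str]], cn: Optional[str], target: str) -> bool:
    """san: subjectAltName entries as ("DNS", name) or ("IP", address) tuples.
    cn: subject commonName, or None.  target: host part of the portal URL."""
    try:
        target_ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        target_ip = None

    if target_ip is not None:
        # IP literal in the URL: only an iPAddress SAN counts. A CN that merely
        # spells out the address (CN=1.1.1.1) does not make the cert valid for it.
        return any(kind == "IP" and ipaddress.ip_address(val) == target_ip
                   for kind, val in san)

    dns_names = [val for kind, val in san if kind == "DNS"]
    if dns_names:
        # Once any dNSName SAN exists, the CN is not consulted at all.
        return any(_dns_match(name, target) for name in dns_names)
    # Legacy fallback: CN as a DNS name, only for SAN-less certificates. Current
    # browsers no longer honour even this, so treat it as a compatibility path.
    return cn is not None and _dns_match(cn, target)


if __name__ == "__main__":
    # Constructed certificate data for the thread's two designs (not real certs).
    ip_only_cn = ([], "1.1.1.1")                                 # CN=1.1.1.1, no SAN
    fqdn_cert = ([("DNS", "wifi.cisco.com")], "wifi.cisco.com")  # SAN + CN for the FQDN
    print(cert_matches_target(*ip_only_cn, "1.1.1.1"))                # False
    print(cert_matches_target([("IP", "1.1.1.1")], None, "1.1.1.1"))  # True
    print(cert_matches_target(*fqdn_cert, "wifi.cisco.com"))          # True
    print(cert_matches_target(*fqdn_cert, "1.1.1.1"))                 # False
```

The first and last calls are the two failure modes in the thread: a CN-only certificate for the virtual IP, and an FQDN certificate presented while the client is still being sent to the bare 1.1.1.1 address.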
03-18-2011 11:29 AM
Hello George,
the problem is, I have no DNS (worse: I must use a public DNS) and 1.1.1.1 is a public address.
The controller guest interface is directly connected to a firewall without DNS.
The company restriction is, all company DNS must be separated from the guest LAN.
So the question is, can I generate a certificate with CN=1.1.1.1?
Or, what can I do without a DNS Server?
Sven
03-18-2011 12:25 PM
The purpose of the certificate / DNS is so that clients don't get the "accept cert" ... You can enable HTTP and you don't need to worry about the cert ....
03-19-2011 02:04 AM
HTTP enable is a possible workaround, but I think it's enabled globally.
So the WLC management access is insecure now.
Sven
12-27-2016 05:04 AM
Dear all,
we don't have a company DNS for our guest interface. We just forward the Guest traffic to 8.8.8.8.
We want to upload a valid certificate to our WLC to prevent the security warning on the browser.
Actually the VirtIP has 1.1.1.1. We use a valid FQDN and change this Address to a private one, not routable.
Where can we set the Host A entry for our virtual IP?
Thanks,
Marco