10-07-2012 05:23 AM - edited 07-03-2021 10:46 PM
Hi,
On my corporate wireless net, there is an SSID to allow guests to reach the Internet. They receive a voucher with 1-day valid credentials and are asked to open a browser, which is redirected to a login page https://1.1.1.1/login.html.
The controllers in the anchor group have a 3rd party certificate installed. It is generated for a company URL like: guest.companyname.com
So when the browser hits the login screen, it stops and issues a warning about receiving a valid certificate but for a different URL.
We have an external DNS-record which resolves the company URL to 1.1.1.1.
I see a possible solution, if the URL of the Internal (default) URL can be changed to https://guest.companyname.com/login.html because if this is keyed in manually, I receive the login page right away without warnings. This is obviously what we want the guest to see.
The controllers run 7.0.230.0 software as well as the WLC.
Hope someone has the simple answer to this???
10-07-2012 05:56 AM
When you log in as a guest, your DHCP points to your external DNS where you have the record. So if you do an nslookup to the FQDN of the certificate, is the client able to resolve the FQDN? What else is required is that you have that FQDN entered in the VIP interface, and this requires a reboot.
Sent from Cisco Technical Support iPhone App
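An added example, not part of the post above or of anyone's reply in this thread: a small Python check of the conditions being discussed (the host in the redirect URL against the certificate name, and the guest DNS resolving the FQDN to the virtual IP). The function names and the sample inputs are assumptions, constructed from the values quoted in the thread.

```python
import ipaddress
from urllib.parse import urlsplit


def name_matches(pattern, host):
    """Match a certificate DNS name against a host; '*' covers one leftmost label only."""
    p, h = pattern.lower().rstrip(".").split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_redirect(redirect_url, cert_dns_names, guest_dns_answers, vip):
    """Return a list of problems that would make the guest browser warn."""
    host = urlsplit(redirect_url).hostname or ""
    problems = []
    if is_ip(host):
        # Browsers compare the URL host with the certificate names; a DNS name
        # in the certificate never matches an IP literal such as 1.1.1.1.
        problems.append("redirect uses IP literal %s; set the FQDN on the virtual interface" % host)
    elif not any(name_matches(n, host) for n in cert_dns_names):
        problems.append("certificate does not cover %s" % host)
    for name in cert_dns_names:
        if "*" in name:
            continue  # a wildcard is not a resolvable name
        if vip not in guest_dns_answers.get(name, []):
            problems.append("guest DNS does not resolve %s to %s" % (name, vip))
    return problems


# Constructed sample values based on the thread (not captured from a controller).
CERT_NAMES = ["guest.companyname.com"]
DNS = {"guest.companyname.com": ["1.1.1.1"]}
BEFORE = check_redirect("https://1.1.1.1/login.html", CERT_NAMES, DNS, "1.1.1.1")
AFTER = check_redirect("https://guest.companyname.com/login.html", CERT_NAMES, DNS, "1.1.1.1")

if __name__ == "__main__":
    print("before:", BEFORE)
    print("after: ", AFTER)
```

In practice the `guest_dns_answers` input would come from an nslookup run on a client attached to the guest SSID, and `cert_dns_names` from the certificate the login page presents.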
10-07-2012 05:57 AM
What is the different URL you mentioned?
Sent from Cisco Technical Support iPhone App
10-07-2012 06:41 AM
Hi Scott,
The different URL would be https://1.1.1.1/login.html which apparently is set up in the Internal default of the controller.
10-07-2012 06:48 AM
So what type of anchors do you have? The VIP fqdn is defined on the anchor(s) and you can do an nslookup with the correct FQDN and IP?
Sent from Cisco Technical Support iPhone App
10-07-2012 07:14 AM
Hi again,
I hit the wrong button there and gave You the credits for correct answer. You will probably deserve it anyway, if the solution is as simple as You have lined out.
I can restart the controllers in the evening, test and do a follow up message here later.
You will understand, I am not very routined in the wireless world. This appears easy enough, if the URL in the login page will then be the FQDN. To be tested.
Later...
10-07-2012 07:24 AM
Putting 1.1.1.1 (VIP address) is a test to bypass the certificate. It is pretty simple, if you have done it a hundred times. But to start off from the basics, make sure that the user is being anchored to the guest WLC. You should see an entry of the client on the guest anchor, and the client should be in the WEBAUTH_REQD state until they go through the login process, after which they will be in the RUN state. If you don't, then I can see why the 3rd party certificate is not working. So you should see the client on the foreign and the anchor WLC. Make sure of this first.
Did you not restart the anchors when you put in the FQDN in the VIP?
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
10-07-2012 08:23 AM
Here is a doc also for reference
https://supportforums.cisco.com/docs/DOC-13954#Troubleshooting_certificate_issues_
Sent from Cisco Technical Support iPhone App
10-07-2012 08:28 AM
Good morning...
I only wanted to add to Scott's post. Here is a step by step that I did on my blog.
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
10-07-2012 11:54 AM
I actually used George's blog as a guide when the project started, and I made it all the way except for the reload of controllers after typing in the FQDN in the VIP.
So another restart - and it worked perfectly. Hehe....erhmm.
Thank You for all Your help, both.
10-08-2012 08:56 PM
Excellent. Always nice to hear folks get value out of the blog. I have to say that one post gets the most hits next to the null frame post.
Sent from Cisco Technical Support iPhone App