3rd party certificate on WiSM controllers

otchristensen
Level 1

Hi,

On my corporate wireless net, there is an SSID to allow guests to reach the Internet. They receive a voucher with 1-day valid credentials and are asked to open a browser, which is redirected to a login page https://1.1.1.1/login.html.

The controllers in the anchor group have a 3rd party certificate installed. It is generated for a company URL like: guest.companyname.com

So when the browser hits the login screen, it stops and issues a warning about receiving a valid certificate but for a different URL.

We have an external DNS-record which resolves the company URL to 1.1.1.1.

I see a possible solution, if the URL of the Internal (default) URL can be changed to https://guest.companyname.com/login.html because if this is keyed in manually, I receive the login page right away without warnings. This is obviously what we want the guest to see.

The controllers run 7.0.230.0 software as well as the WLC.

Hope someone has the simple answer to this???


Scott Fella
Hall of Fame

When you login as a guest, your DHCP points to your external DNS where you have the record. So if you do an nslookup on the FQDN of the certificate, is the client able to resolve the FQDN? What else is required is that you have that FQDN entered in the VIP interface, and this requires a reboot.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Scott Fella
Hall of Fame

What is the different URL you mentioned?


otchristensen
Level 1

Hi Scott,

The different URL would be https://1.1.1.1/login.html which apparently is set up in the Internal default of the controller.

So what type of anchors do you have? The VIP fqdn is defined on the anchor(s) and you can do an nslookup with the correct FQDN and IP?

-Scott

Hi again,

I hit the wrong button there and gave You the credits for correct answer. You will probably deserve it anyway, if the solution is as simple as You have lined out.

I can restart the controllers in the evening, test and do a follow up message here later.

You will understand, I am not very routined in the wireless world. This appears easy enough, if the URL in the login page will then be the FQDN. To be tested.

Later...

Putting 1.1.1.1 (VIP address) is a test to bypass the certificate. It is pretty simple, if you have done it a hundred times. But to start off from the basics, make sure that the user is being anchored to the guest WLC. You should see an entry of the client on the guest anchor and the client should be in the WEBAUTH_REQD state until they go through the login process, after which they will be in the RUN state. If you don't, then I can see why the 3rd party certificate is not working. So you should see the client on the foreign and the anchor WLC. Make sure of this first.

Did you not restart the anchors when you put in the FQDN in the VIP?

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"


Scott Fella
Hall of Fame

Here is a doc also for reference

https://supportforums.cisco.com/docs/DOC-13954#Troubleshooting_certificate_issues_


Good morning...

I only wanted to add to Scott's post .. Here is a step-by-step that I did on my blog.

http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin


I actually used George's blog as a guide when the project started, and I made it all the way except for the reload of the controllers after typing in the FQDN in the VIP.

So another restart - and it worked perfectly. Hehe....erhmm.

Thank You for all Your help, both.

Excellent .. Always nice to hear folks get value out of the blog .. I have to say that one post gets the most hits next to the null frame post.

___________________________________________________________
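The two conditions this thread turns on, as an added example that is not code from any poster or from Cisco: the host in the redirect URL must be a name the certificate covers, and that name must resolve to the virtual interface address. The function names and `SAMPLE_CERT` are hypothetical and constructed for illustration; the certificate dictionary uses the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# the SAN entry mirrors the certificate name given in the thread.
SAMPLE_CERT = {"subjectAltName": (("DNS", "guest.companyname.com"),)}
VIP = "1.1.1.1"  # virtual interface address from the thread

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def host_matches(host, cert):
    """Browser-style name check: an IP literal needs an IP SAN, a name needs a DNS SAN."""
    san = cert.get("subjectAltName", ())
    if is_ip(host):
        want = ipaddress.ip_address(host)
        return any(k == "IP Address" and ipaddress.ip_address(v) == want for k, v in san)
    host = host.lower().rstrip(".")
    for kind, pattern in san:
        if kind != "DNS":
            continue
        pattern = pattern.lower()
        if pattern == host:
            return True
        # One wildcard label on the left, e.g. *.companyname.com
        if pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]:
            return True
    return False

def system_resolver(host):
    """Resolve with the local DNS settings (run this from a guest-VLAN client)."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def check_login_url(url, cert, vip=VIP, resolve=system_resolver):
    """Return the problems a guest browser would hit on the redirect URL."""
    host = urlsplit(url).hostname
    problems = []
    if not host_matches(host, cert):
        problems.append(f"certificate does not cover {host}")
    if not is_ip(host) and vip not in resolve(host):
        problems.append(f"{host} does not resolve to {vip}")
    return problems
```

Run against the real certificate by passing the dictionary from `getpeercert()` on a verified connection to the FQDN, and leave `resolve` at its default so the lookup uses the DNS server the guest DHCP scope hands out.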