I have Web Authentication set up on my WLC and it is working fine. However, the address bar shows the redirect to 188.8.131.52. Now, if I add the DNS name on the second line, like "mywireless.mydomain.com", I see that the redirect is trying to get to that name but times out because it can't resolve it.
So my question is: if I want that to resolve, I will need to change 184.108.40.206 to a public IP and then add a public DNS record, correct?
I think the concern is whether or not you can create a DNS entry pointing to an IP address that you do not own. This is actually a very common misconception.
It might be that some DNS servers won't let you do this, but it is more than likely that your DNS host for your domain will let you put whatever IP Address you want in any DNS entry you create.
As long as you point your web-auth users to a DNS server that can ultimately resolve your DNS entry for the Virtual Interface, you should be good to go.
Thank you for the last reply, it makes sense, but since the users will have no access to the internal DNS server I can't use the 220.127.116.11 IP. So in that case, what if I create an external DNS entry and give that virtual interface a valid IP address that is resolvable by external DNS servers?
Now if I do that, I guess my next issue would be to only allow the wireless users to be able to access that page. I don't want anyone from anywhere to just be able to access it. So I can probably take care of it from the ACL on the firewall?
Why don't you have an External DNS resolve the name to 18.104.22.168? That's the point I was trying to get across before: unless your external DNS has some weird restriction on the IP addresses you can point to, you should be able to make an external DNS say: webauth.domain.com = 22.214.171.124
As for point #2, if you did put an external address, I don't think anything will be able to access it. This is a virtual interface with no point of ingress nor egress on the WLC. It is more or less a "hijack me if this IP is destination for wireless traffic" (for example, when you talk to 126.96.36.199, your packets are actually destined to the gateway since it is layer 3, but the WLC takes these packets and responds instead of forwarding to the DS/gateway).
Anyhow... I suppose an ACL would be for safe measure just in case....
I don't know of it being illegal or legal, so you raise a valid concern.
With that said, a DNS is just like a shortcut type system, you aren't saying you OWN that IP address or anything....
It's not much different than setting up a blog or googlemail system where you point your domain name (or some specific record) to the IP of their server....
I suppose they give you permission to do so, but the same concept applies.
I guess the question here is:
Does anyone know if it is illegal to make a public DNS entry for an IP address that you do not own?
In other words, if I made an entry "dns.companyname.com", and I pointed DNS = 188.8.131.52, is that "illegal"? I don't think so, but I'm not an authority on the matter...
Sure would be nice if anyone else reading this had a valid opinion on what is not legal (like maybe a spec that says so).
Were the APs joining before?
If not, can you still manage the WLC?
I'm not sure what the validity is in assigning a real IP to the virtual interface, but I'm sure if it's in any way related to other IP addresses you have, it will probably mess everything up.
I know there was a lot of talk about changing the best practice from 184.108.40.206 to some other IP space reserved for documentation or something (not multicast, not part of your standard internal use 10,172,192 subnets, but not external-use either?)
What does everyone else use for their Virtual IP?
I can still access the WLC. Here is the problem:
- I am using the WLC as the DHCP server
- So when clients and APs request an IP, it comes on the management interface
- Management interface sends it to the virtual interface, which is 220.127.116.11
- Now per Cisco that needs to be a non-routable address such as 18.104.22.168
- So if I change the 22.214.171.124 IP to something else, none of the clients can get an IP address
- If I leave it everything works other than the web authentication because clients can't resolve the domain name.