I think the concern is whether or not you can create a DNS entry pointing to an IP address that you do not own. This is actually a very common misconception.

It might be that some DNS servers won't let you do this, but it is more than likely that your DNS host for your domain will let you put whatever IP Address you want in any DNS entry you create.

As long as you point your web-auth users to a DNS server that can ultimately resolve your DNS entry for the Virtual Interface, you should be good to go.....

-Wesley Terry

Thank you for the last reply, it make sense but since the users will have no access to the internal DNS server I can't use the 1.1.1.1 IP.  So in that

case what if I create an external DNS entry and give that virtual interface a valid IP address that is resolveable by external DNS servers?

Now if I do that I guess my next issue would be to only allow the wireless users to be able to access that page, I don't want any one from any where just be able to access it.  So I can probably take care of it from the ACL on the firewall?

Why don't you have an External DNS resolve the name to 1.1.1.1?  Thats the point I was trying to get across before,  unless your external DNS has some wierd restriction on the IP addresses you can point to, you should be able to make an external DNS say: webauth.domain.com = 1.1.1.1

As for point #2, if you did put an external address, I don't think anything will be able to access it.  This is a virtual interface with no point of ingress nor egress on the WLC.  It is more or less a "hijack me if this IP is destination for wireless traffic" (for example, when you talk to 1.1.1.1, your packets are actually destined to the gateway since it is layer 3, but the WLC takes these packets and responds instead of forwarding to the DS/gateway)..

Anyhow...   I suppose an ACL would be for safe measure just in case....

-Wesley Terry

I can do that but if I point the external DNS to 1.1.1.1 wouldn't that be illegal as we do not own that IP?

I don't know of it being Illegal or Legal, so you raise a valid concern.

With that said, a DNS is just like a shortcut type systerm, you aren't saying you OWN that IP address or anything....

Its not much different than setting up a blog or googlemail system where you point your domain name (or some specific record) to the IP of thier server....

I suppose they give you permission to do so, but the same concept applies.

I guess the question here is:

Does anyone know if it is Illegal to make a public DNS entry for an IP address that you do not own?

In otherwords, if I made an entry "dns.companyname.com", and I pointed DNS = 4.2.2.2,      is that "illegal"?  I don't think so, but I'm not an authority on the matter...

Sure would be nice if anyone else reading this had a valid opinion on what is not legal (like maybe a spec that says so).

-Wesley Terry

Thank you for your reply looks like I'm almost there lol.  So I have the cert loaded, changed the Virtual interfaces IP address from 1.1.1.1 to a valid IP but now none of my AP's are joining the controller

Were the APs joining before?

If not, can you still manage the WLC?

I'm not sure what the validity is in assigning a real IP to the virtual interface, but I'm sure if its in anyway related to other IP addresses you have, it will probably mess everything up.

I know there was alot of talk about changing the best practice from 1.1.1.1 to some other IP space reserved for documentation or something, (not multicast, not part of your standard internal use 10,172,192 subnets, but not external-use either?) 

What does everyone else use for thier Virtual IP?

I can still access the WLC, here is the problem:

- I am using the WLC as the DHCP server

- So when clients and AP's request an IP it comes on the management interface

- Management interface sends it to the virtual interface which is 1.1.1.1

- Now per Cisco that needs to be a non routable address such as 1.1.1.1

- So if I change the 1.1.1.1 IP to something else none of the clients can get an IP address

- If I leave it everything works other than the web authentication because clients can't resolve the domain name.