cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1989
Views
1
Helpful
18
Replies

9800 WLC CLI PIV Works but Web GUI Doesn't

jawesterholm
Level 1
Level 1

I have successfully enabled PIV authentication for CLI via ISE.  However, web does not work, gives me openresty error after entering my PIN.  Background - I am with DOI and obtained a certificate for the WLC from the DOI CA.  Our PIV cards are provided by ENTRUST.  I use the Entrust trust point for CLI. 

This allows me to use CLI PIV -

crypto pki trustpoint ENTRUST_MG_SVC_SSP_CA
enrollment terminal
authorization username alt-subjectname userprinciplename
revocation-check none

cyrpto pki authenticate ENTRUST_MG_SVC_SSP_CA

Insert Certificate HERE

ip ssh server certificate profile
user
trustpoint verify ENTRUST_MG_SVC_SSP_CA

Ip http secure-trustpoint (WLC trustpoint)
Ip http secure-client-auth
ip http secure-peer-verify-trustpoint (WLC Trustpoint) - I've tried using ENTRUST_MG_SVC_SSP_CA as well.
ip http secure-piv-based-auth secure-piv-based-author-only

TAC has been working on this for a few months with no resolution yet.  Any suggestions?  I've tried 17.3, 17.4, 17.12.1, 17.12.2 with no changes.

 

18 Replies 18

Yeah login isn't making it to ISE for me either.  I've debugged ip http, aaa authen, show logging process nginx internal start last 60, etc.  It seems to be some kind of ngnix error.  I also got DOI to give me a soft token to see if that made a difference vs my PIV card.  No change.

jawesterholm
Level 1
Level 1

Currently running 17.12.3

edmonroy
Cisco Employee
Cisco Employee

Try this:

For the trustpoint having the  Root CA of the client cert add the following:
crypto pki trustpoint PIV-Root-CA
    authorization username subjectname commonname

Then make sure that trustpoint is the one for PIV verification:

ip http secure-peer-verify-trustpoint PIV-Root-CA

Sadly same OpenResty error

Review Cisco Networking for a $25 gift card