04-24-2009 11:34 AM - edited 07-03-2021 05:29 PM
How is this done? We bought a certificate file and have 2 4404 controllers.
Where do I go to apply this and how do I apply this?
Also will my single cert work for 2 controllers?
04-25-2009 05:51 AM
Is this cert for guest or for management? If it is for guest, then you can use it on multiple wlc, if it is for management, then no. The reason is that when you generated the CSR, you specified a CN which you will resolve via DNS. For management, you have different ip address for management, so you will need one per wlc. For guest webauth, you use the VIP to resolve the CN so you can use that on multiple wlc's.
To install the cert for management, you would click on the management tab on the wlc and then on HTTP and check Download SSL Certificate, enter the info and hit apply.
To install the cert for webauth, you would click on Security tab, then Web Auth then certificate. Fill in the info and hit enter.
Hope this helps.
04-28-2009 03:13 AM
When you say Guest and Management do you mean an interface or do you mean a type of cert?
Same for Guest..I know you can make local accounts on the controllers that are called guest accounts.
Here is what we are trying to do. When students connect to the student SSID and open up a web page they are directed to a web page to login (webauth) with LDAP User name and pass. Before they get to the webauth page their computer tells them that we don't have a cert and asks if they should trust the web page etc. We don't want this.
04-28-2009 04:04 AM
Then you need to generate and load an ssl cert for webauth. I use RapidSSL since they give you a root ca certificate and not a chained cert.... so much easier. Also chained is only supported on the 5.1.151.0 and later code. You need to generate a CSR by following this link. Again, get a RapidSSL cert and also you will need to download OpenSSL to generate the CSR. Then upload that to your WLC. The CN name you will have to resolve in DNS to get rid of that error.
On the WLC, you need to enter that DNS CN in the VIP interface. There is a spot for you to put that in. You will need to reboot your wlc after you add the CN to the VIP interface in order for it to take place.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
Win32 OpenSSL:
http://www.slproweb.com/download/Win32OpenSSL_Light-0_9_8k.exe
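The CSR step described in the post above, with a check that the CN in the CSR matches the DNS name that will be entered on the WLC virtual interface, as an added example that is not part of the original thread. The hostname `wlc-guest.example.edu`, the organization fields, the file names and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a key + CSR for the web-auth certificate and confirm
# the CN before sending the CSR to the CA. All values are constructed samples.

# make_csr <hostname> <key-out> <csr-out>
# Generates a 2048-bit RSA key (unencrypted, owner-readable only) and a CSR.
make_csr() {
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$2" -out "$3" \
          -subj "/C=US/O=Example School/CN=$1" 2>/dev/null )
}

# csr_cn <csr>
# Prints the Common Name found in the CSR subject.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject=//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# check_csr <csr> <expected-hostname>
# Returns 0 only if the CSR's CN equals the DNS name clients will be
# redirected to (hostnames compare case-insensitively).
check_csr() {
    got=$(csr_cn "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$got" != "$want" ]; then
        echo "CN mismatch: CSR has '$got', expected '$want'" >&2
        return 1
    fi
    echo "CN OK: $got"
}

# Demo run in a scratch directory.
tmp=$(mktemp -d)
make_csr wlc-guest.example.edu "$tmp/wlc.key" "$tmp/wlc.csr" &&
    check_csr "$tmp/wlc.csr" wlc-guest.example.edu
rm -rf "$tmp"
```

Keep the generated key file; it has to be combined with the issued certificate before the upload to the WLC.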
04-28-2009 04:18 AM
We already have one from VeriSign. We already downloaded the cert file.
So would this go under the security heading or the management heading?
04-28-2009 04:42 AM
VeriSign is a chained cert, so you need 5.1.151 code on the WLC. You would go under the Security tab and then there is a WebAuth tab on the left side. Check the box and fill out the info and hit apply. You will need to reboot the wlc and don't forget to add the CN to the VIP interface.
04-28-2009 04:48 AM
Thanks for all the help. I have another question though.
Can we use a private IP like 172.16.1.2 for the Cert or does it have to be external ip ?
04-28-2009 05:07 AM
You can use a private ip, but the VIP should not be on any subnet you are using on your network. Whatever the clients are using as a dns obtained from dhcp, you will need that dns server to resolve that ip address.
04-29-2009 04:51 AM
Thanks Fella ... I didn't know that about the man. cert !
04-29-2009 04:57 AM
No problem.... so did you get it working?
04-29-2009 06:29 AM
Well, I downloaded OpenSSL and I'm ready to send in my CSR. I'm getting ready to do that. I want to make sure I have the right answers in front of me so I don't void the cert.
04-29-2009 06:35 AM
The CN is the most important part of that... don't fat finger it!
06-25-2009 09:48 AM