414 Views | 1 Helpful | 9 Replies

C9800 WLC Web Auth broken after certificate renewal

Hey all — hoping someone here has dealt with this before.

This week, our wildcard certificate expired, so we renewed it and uploaded the new PKCS#12 bundle (.pfx) to all the systems that use it — including our Cisco 9800 WLC (running IOS-XE 17.x).

The cert was uploaded via CLI (crypto pki import), and this restored HTTPS access to the WLC’s web GUI, which had been unavailable due to the expired cert. The cert is showing as valid, and everything seems correct on that front.

However, our Guest Wi-Fi broke right after this.

  • The captive portal still appears when clients join the Guest SSID
  • The cert looks valid there too (HTTPS works)
  • But once you hit “Accept” on the portal, the redirect goes hxxps://wlc.ourdomain/undefined

Which, of course, doesn’t go anywhere.

To clarify:

  • No config changes were made to the global WebAuth parameter-map
  • We’re still using the same virtual-host (wlc.ourdomain) and same portal HTML
  • The new trustpoint is bound to WebAuth, and everything looks normal on the surface
  • redirect on-success is not configured — but it wasn't before either, and things worked fine
  • I do see key pairs associated with the trustpoint (private key is present)
  • Chain seems complete, though I can’t confirm if the intermediate CA was properly included in the trustpoint or not

Would appreciate any advice. This is my first time dealing with certs on a WLC.

9 Replies

balaji.bandi (Hall of Fame)

> But once you hit “Accept” on the portal, the redirect goes hxxps://wlc.ourdomain/undefined

What kind of cert is this for, just the page? What does this page do, or is it just a redirect page?

Try browsing from the client device and see if that works?


BB

***** Rate All Helpful Responses *****


marce1000 (Hall of Fame)


@levi-from-downtown I would advise to use redirect on-success anyway, because 'some vacuum' has occurred, as in:

    parameter-map type webauth <your-map-name>
     redirect on-success https://wlc.ourdomain/success.html

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

I don't get it.
You use LWA?
You renewed the cert of the WLC to access the GUI?

MHM

Yes, we are using Local Web Authentication (LWA). The WLC is hosting the captive portal directly.

We uploaded a renewed wildcard certificate to the WLC via `crypto pki import`, and it successfully restored HTTPS access to the GUI. The wildcard certificate we had expired. 

Once the cert was applied, the Guest SSID's captive portal began redirecting to `/undefined` after clicking "Accept". We have not made any changes to the WebAuth configuration or parameter-map, and the certificate is showing valid in browsers and on the portal itself.

The cert is bound to the WebAuth parameter-map as the trustpoint.

show run | section parameter-map type webauth global <<- share this 

MHM

parameter-map type webauth global
type webauth
virtual-ip ipv4 192.0.2.1 virtual-host wlc.ourdomain
redirect on-success home.ourdomain
custom-page login device bootflash:/login/login.html
custom-page success device bootflash:/login/login.html
custom-page failure device bootflash:/login/login.html
custom-page login expired device bootflash:/login/login.html
logout-window-disabled
success-window-disable
intercept-https-enable
trustpoint 20250716-star.ourdomain.pfx
webauth-http-enable

I redacted the domain name. I found an old email from someone who previously worked on this in 2022, and they fixed this issue with a reload of the WLC. I didn't think that would do it, but I suppose it wouldn't hurt to try. The technician responsible for uploading the bundle has repeated his steps to verify there were no mistakes in the bundling, uploaded the .pfx and rebound it to WebAuth.

wajidhassan (Level 4)

Hi @levi-from-downtown ,

This issue often happens if the certificate chain is incomplete or the trustpoint isn’t properly re-bound to WebAuth after renewal.

Check the following:

1. Make sure your .pfx includes the full chain (server + intermediate + root).

2. Reapply the trustpoint under WebAuth:

parameter-map type webauth global
 trustpoint <your-trustpoint>
 
3. Save config and reload the WLC — some changes don’t apply until reboot.
4. Optionally, set a redirect on-success to avoid the /undefined behavior.

That should resolve the issue.
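Step 1 above is the one the original poster could not confirm (whether the intermediate actually made it into the bundle). The following is an added example, not code from this thread or from Cisco, that performs that check with openssl on constructed test bundles; the CA names, the wildcard CN and the password "secret" are assumptions, and the leaf-only bundle is built on purpose to show the failing case.

```shell
# Added example (not the thread's or Cisco's code): sanity-check a PKCS#12 bundle
# before "crypto pki import". Assumes openssl in PATH; names/password constructed.
set -eu
# pfx_chain_check <bundle.pfx> <password>: succeeds only if the private key
# matches the leaf AND the leaf verifies against CA certs carried in the bundle.
pfx_chain_check() {
  w=$(mktemp -d)
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$w/leaf.pem" 2>/dev/null \
    || { echo "FAIL: cannot read bundle (wrong password or corrupt file?)"; return 1; }
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$w/ca.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$w/key.pem" 2>/dev/null
  lpub=$(openssl x509 -in "$w/leaf.pem" -noout -pubkey 2>/dev/null) \
    || { echo "FAIL: no leaf certificate in bundle"; return 1; }
  kpub=$(openssl pkey -in "$w/key.pem" -pubout 2>/dev/null) \
    || { echo "FAIL: no private key in bundle"; return 1; }
  [ "$lpub" = "$kpub" ] || { echo "FAIL: private key does not match leaf"; return 1; }
  # The intermediate must travel in the bundle; clients only trust the public root.
  grep -q 'BEGIN CERTIFICATE' "$w/ca.pem" \
    || { echo "FAIL: no CA certificates in bundle (intermediate missing)"; return 1; }
  # -partial_chain: accept a chain ending at a bundled intermediate (root optional).
  openssl verify -partial_chain -CAfile "$w/ca.pem" "$w/leaf.pem" >/dev/null 2>&1 \
    || { echo "FAIL: leaf does not chain to the bundled CA certificates"; return 1; }
  echo "OK: key matches leaf; $(grep -c 'BEGIN CERTIFICATE' "$w/ca.pem") CA cert(s) bundled"
}
# make_sample_bundles <dir>: constructed root -> intermediate -> wildcard leaf,
# exported with the chain (full.pfx) and without it (leaf-only.pfx).
make_sample_bundles() (
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj '/CN=Constructed Root' -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj '/CN=Constructed Intermediate' 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out int.pem -days 2 -extfile ca.ext 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj '/CN=*.ourdomain' 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out leaf.pem -days 2 2>/dev/null
  cat int.pem root.pem > chain.pem
  openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile chain.pem \
    -out full.pfx -passout pass:secret
  openssl pkcs12 -export -inkey leaf.key -in leaf.pem -out leaf-only.pfx -passout pass:secret
)
# Demo: the full bundle passes; the leaf-only bundle is the "intermediate missing" case.
d=$(mktemp -d)
make_sample_bundles "$d"
pfx_chain_check "$d/full.pfx" secret
pfx_chain_check "$d/leaf-only.pfx" secret || true
```

On OpenSSL 3, an older .pfx exported with RC2 encryption needs `-legacy` added to the `openssl pkcs12` read commands.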

We have verified the .pfx contains the full chain and that the trustpoint is bound to the web auth. The only thing we haven't tried is rebooting the WLC; we only reset with "no ip http server-secure" and "ip http server-secure".

We are scheduling a reboot for later today, hopefully it is that simple. Everything else matches what we are finding online / documentation. 

Did a reboot help @levi-from-downtown?

Reload should not be necessary on 9800 (we've never needed it), but you should always do the "no ip http server-secure" and "ip http server-secure" which you say you have done.

> (running IOS-XE 17.x). - sorry but 17.x is meaningless - what is the actual software version?

Have you checked your WLC config using the Config Analyzer (link and instructions below)?

You should be using a TAC recommended version of software - see the link below.

Also refer to the Best Practices guide link below.
