09-07-2012 12:48 AM - edited 07-03-2021 10:37 PM
Hi all,
I've got a very frustrating problem with the security cert for my Guest internet Web Auth.
I've obtained a 3rd party certificate from Verisign for my WLC DNS host name by following Cisco's guides for both Chained and Unchained certificates. I have altered the Virtual IP address to a spare public IP address that we own so have created a genuine A-record and it has filtered through DNS and resolves. My DNS is pointed at Google 8.8.8.8.
Yet I still receive the cert error on redirect.
Any ideas?
Thanks
Wes
09-07-2012 05:03 AM
What DNS server does the guest client obtain? If the client does an nslookup on that FQDN, does it resolve to your VIP? I guess I'm wondering where you created the A record... On an external DNS server that the clients use?
Sent from Cisco Technical Support iPhone App
09-07-2012 05:24 AM
The guest client uses Google's 8.8.8.8 for DNS.
The internet connection we have on site is with a major provider and we have DNS servers from them. The A-record was created on these and has filtered through to Google's, as I have tested pinging the FQDN from a totally separate machine using 8.8.8.8 for DNS.
An nslookup on the domain name does come back with the correct VIP, yes.
The guest network goes out the same internet connection as mentioned above, only all traffic is PAT'd behind one of our public addresses and the guest traffic is segregated on a different firewall interface.
Thanks
09-07-2012 05:51 AM
Whom did you get the cert from? I know that Go Daddy isn't in the default root certs list in all OS.
Steve
Sent from Cisco Technical Support iPhone App
09-07-2012 06:18 AM
It's a Verisign cert so should be in the root.
Only one query I have about the cert is that when I created the CSR I put in the State as 'SCOTLAND' yet my company's admin who actually bought the cert on my behalf entered the state as 'ABERDEENSHIRE'. I've spoken to Verisign and they said that this doesn't matter as the cert is only checked against the Domain name. My knowledge of certs is limited so I'm going on what they say.
09-07-2012 08:32 AM
That should be correct. So long as the FQDN resolves to the IP of the VIP it should work. On a machine that is having the issue, pull up the Certificate MMC and make sure that the root cert is still valid.
Other than that, I can't think what would be going wrong. Unless you hadn't rebooted after putting the FQDN on the VIP.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
09-07-2012 08:53 AM
You get the splash page but you get the cert error, so the only thing left is the VIP. You need to put the FQDN in the VIP DNS Host Name and reboot the WLC.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
09-07-2012 08:57 AM
Scott, the domain name is already correctly defined in the virtual interface.
Cheers
Wes
09-07-2012 09:04 AM
Well, if you are getting the splash page and you get the cert error with the FQDN configured in the VIP, then it's an issue with the cert. If the clients could not resolve the FQDN and the FQDN is configured on the VIP, they would not get the splash page. So the client is rejecting the certificate. You can only do a chained certificate, and when generating the CSR, make sure you choose 2048-bit.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
09-07-2012 08:54 AM
I will check that on Monday when I come back in to work. Failing that I may just start from scratch and create a brand new CSR etc. as I think it must be an issue with the cert.
I definitely rebooted it, as I've since done a software update on it and have tried to install the cert again, which required a reboot to take effect.
Thanks for your comments by the way.
Wes
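The replies above amount to a checklist: the FQDN configured on the virtual interface must resolve, from the guest client's own resolver, to the VIP; the certificate's name (SAN, or CN if there is no SAN) must cover that FQDN, while the State field plays no part; the controller must present the full chain up to a root the client trusts; and nothing in the chain may be expired. The block below is an added example, not code from the thread or from Cisco, that runs those checks offline against certificate data in the shape Python's ssl.SSLSocket.getpeercert() returns. The names guest.example.net, 203.0.113.10 and the "Example ... CA" subjects are constructed placeholders, and the resolver is injected so the sample runs without a network.

```python
import socket
import ssl
import time


def _name_matches(pattern, host):
    """Match one certificate name against the host the client typed.
    A leading '*' matches exactly one DNS label, as browsers apply it."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def _rdn_values(name, attr):
    """Values of one attribute in a getpeercert()-style subject/issuer tuple."""
    return [v for rdn in name for k, v in rdn if k == attr]


def cert_names(cert):
    """Names a client actually verifies: SAN dNSName entries, with the CN used
    only when the certificate has no SAN at all. State (ST), locality and the
    rest of the subject take no part in hostname matching."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or _rdn_values(cert.get("subject", ()), "commonName")


def hostname_matches(cert, fqdn):
    return any(_name_matches(n, fqdn) for n in cert_names(cert))


def chain_findings(chain, trusted_roots):
    """Walk the presented chain leaf-first, the order the controller must send
    it: each issuer must equal the next certificate's subject, and the walk has
    to end at a subject (or issuer) in the client's trust store. `trusted_roots`
    is a set of subject tuples standing in for that store."""
    problems = []
    for i in range(len(chain) - 1):
        if chain[i]["issuer"] != chain[i + 1]["subject"]:
            problems.append("cert %d issuer is not cert %d subject: chain out of order or incomplete" % (i, i + 1))
    last = chain[-1]
    if last["issuer"] not in trusted_roots and last["subject"] not in trusted_roots:
        problems.append("chain does not reach a root in the client's trust store")
    return problems


def expiry_findings(chain, now=None):
    """notAfter strings are in the format getpeercert() returns."""
    now = time.time() if now is None else now
    return ["cert %d expired %s" % (i, c["notAfter"])
            for i, c in enumerate(chain) if ssl.cert_time_to_seconds(c["notAfter"]) < now]


def dns_findings(fqdn, vip, resolve=None):
    """The FQDN on the virtual interface must resolve, from the guest's own
    resolver, to the virtual IP, or the redirect never reaches the certificate.
    `resolve` is injectable so the check runs offline; default is the OS resolver."""
    resolve = resolve or (lambda host: socket.gethostbyname_ex(host)[2])
    try:
        ips = resolve(fqdn)
    except OSError as exc:
        return ["%s does not resolve: %s" % (fqdn, exc)]
    return [] if vip in ips else ["%s resolves to %s, not the VIP %s" % (fqdn, ips, vip)]


def diagnose(chain, fqdn, vip, trusted_roots, resolve=None, now=None):
    """Every reason the guest browser would reject the redirect, in one list."""
    problems = dns_findings(fqdn, vip, resolve)
    if not chain:
        return problems + ["no certificate presented"]
    if not hostname_matches(chain[0], fqdn):
        problems.append("leaf names %s do not cover %s" % (cert_names(chain[0]), fqdn))
    return problems + chain_findings(chain, trusted_roots) + expiry_findings(chain, now)


# Constructed sample data, not from the thread: a leaf for the placeholder
# guest.example.net with ST=ABERDEENSHIRE, its intermediate, and a root the
# client trusts. 203.0.113.10 is a documentation address standing in for the VIP.
ROOT = ((("commonName", "Example Root CA"),),)
INTER = ((("commonName", "Example Intermediate CA"),),)
LEAF = {
    "subject": ((("countryName", "GB"),), (("stateOrProvinceName", "ABERDEENSHIRE"),),
                (("commonName", "guest.example.net"),)),
    "issuer": INTER,
    "subjectAltName": (("DNS", "guest.example.net"),),
    "notAfter": "Jan 1 00:00:00 2031 GMT",
}
INTERMEDIATE = {"subject": INTER, "issuer": ROOT, "notAfter": "Jan 1 00:00:00 2035 GMT"}
TRUSTED = {ROOT}
VIP = "203.0.113.10"


def example_run():
    """Chained install passes; the same leaf installed without its intermediate
    (an 'unchained' install) fails the trust-path check the client performs."""
    resolve = lambda host: [VIP]          # pretend the guest resolver answers this
    chained = diagnose([LEAF, INTERMEDIATE], "guest.example.net", VIP, TRUSTED, resolve)
    unchained = diagnose([LEAF], "guest.example.net", VIP, TRUSTED, resolve)
    return chained, unchained


if __name__ == "__main__":
    for label, result in zip(("chained", "unchained"), example_run()):
        print(label + ":", result or "OK")
```

To apply the same checks to a live controller, capture what the VIP actually serves from a guest client with `openssl s_client -connect <VIP>:443 -servername <fqdn> -showcerts`; the output lists every certificate the controller sends, so it also shows whether the intermediate is present, which is what separates a chained install from an unchained one.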