04-30-2019 01:57 AM - edited 07-05-2021 10:18 AM
Hi,
This is my first time using a Cisco WLC, and I need to integrate it with a RADIUS server.
So I created an L3 Guest SSID with External URL Redirection.
The issue is, some smartphones are getting redirected and can access the Internet, while some other phones are not able to do so; when they enter their credentials they get stuck on the 1.1.1.1 page and are not able to proceed.
I also tried to use the same phone brand (different model) and same credentials, Samsung and Android, but I got two different results.
Can you please help me to solve this issue? I anticipate this is because of the Cisco WLC and not the RADIUS server, because the authentication is successful on RADIUS.
Thanks,
04-30-2019 02:54 AM
It's an SSL error. You need to upload a public CA signed SSL cert to the WLC to overcome this issue.
Regards
Don't forget to rate helpful posts
04-30-2019 03:20 AM
Thank you for your response, Sandeep.
To which domain should this SSL certificate be issued?
I then need to issue a CSR.
Assume we are using domain.local as our internal domain, and the WLC page is https://1.1.1.1.
The CA will not issue a certificate to you unless your domain is publicly available and verified.
Also, this page appears only at the time redirection happens, because in normal cases when I enter https://1.1.1.1 into my browser, I get access to the public DNS server.
04-30-2019 06:09 PM - edited 04-30-2019 06:14 PM
Firstly, use an address in the RFC 5737 range (192.0.2.0/24) for your Virtual Interface.
You will need a public CA signed certificate for the host name and domain you choose under the Virtual Interface settings on the WLC. The domain name can be any registered domain name that you own. The DNS host name can be anything, as long as your clients can resolve that address via DNS.
I quite often create a DNS server on a dedicated Guest Router, where it forwards all DNS requests to the upstream public DNS servers, except it has a local entry for the virtual interface (resolves wlc.domain.name to 192.0.2.1 in this example).
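An added example, not part of the original thread or any poster's code: a small check of whether the host a guest client is redirected to is actually named by the certificate, following the advice above that the certificate must be issued for the Virtual Interface host name. The function names, the SAN list and the redirect URLs are constructed for illustration; the matching follows the RFC 6125 rule that a wildcard covers exactly one left-most label and never an IP literal.

```python
import ipaddress
from urllib.parse import urlsplit


def _as_ip(host):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def dns_name_matches(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the entire left-most
    label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def redirect_host_covered(redirect_url, san_dns, san_ip=()):
    """True if the host in the portal redirect URL is named by the certificate."""
    host = urlsplit(redirect_url).hostname or ""
    ip = _as_ip(host)
    if ip is not None:
        # An IP literal is matched only by an iPAddress SAN, never by a DNS name.
        return any(ip == _as_ip(entry) for entry in san_ip)
    return any(dns_name_matches(p, host) for p in san_dns)


# Constructed sample data: SAN list of a wildcard certificate and redirect URLs.
SAN_DNS = ["*.domain.com", "domain.com"]
SAMPLE_URLS = [
    "https://192.0.2.1/portal",             # virtual interface reached by IP
    "https://wlc.domain.com/portal",        # host name set on the virtual interface
    "https://wlc.guest.domain.com/portal",  # two labels below the wildcard
    "https://wlc.domain.local/portal",      # internal-only domain
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", redirect_host_covered(url, SAN_DNS))
```

Only the second URL is covered; a redirect to the bare virtual IP fails name validation regardless of which CA signed the wildcard certificate.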
04-30-2019 03:16 AM
Firstly you should consider changing the virtual interface IP address on the WLC from 1.1.1.1 to something else:
You will need a public certificate so your clients do not get that insecure page:
This blog post makes it a bit easier to follow:
https://www.rogerperkin.co.uk/wireless/how-to-install-ssl-certificate-on-cisco-wlc-for-guest-access/
05-28-2019 10:59 AM
Hi dears,
Back after a month, I have implemented a wildcard SSL CA certificate, and installed it on both the RADIUS server and the Cisco WLC.
*.domain.com
Now all the laptops I tried (Windows 10) are connecting without issues. I even used 4 browsers (Edge, IE, Chrome, and Firefox); the certificate is trusted, and redirection is working fine.
But for smartphones, the situation is a bit different. Some phones are connecting fine, some are getting a certificate issue but are able to trust the cert manually and proceed, and some phones are getting a certificate error and are not able to proceed at all.
When I let these smartphones access the network through the 802.1x SSID and browse to the RADIUS server web page, none of them face the certificate issue; they trust the certificate.
The CA certificate I am using is from GoDaddy.
When a device connects to the L3 SSID, which is WebAuth, and redirection to RADIUS occurs, it gets a URL like this:
So could the reason be that the URL is considered malicious by some devices?
What do you suggest I do?
05-28-2019 11:59 PM
05-29-2019 12:48 AM
This is the error I am getting:
Some phones are not trusting this, some are trusting it. However, all laptops are trusting this.
Again, when I open this in a browser, the URL looks like what I mentioned in my previous reply.
I replaced 1.1.1.1 with 192.0.2.1, but it did not solve the issue.
06-03-2019 05:03 AM