Certificate Error - URL Redirection on Cisco WLC and 1.1.1.1 Page !!

mohammed hashim
Level 1

Hi,

This is my first time using a Cisco WLC; I need to integrate it with a RADIUS server.

So I created an L3 Guest SSID with external URL redirection.

The issue is that some smartphones get redirected and can access the Internet, while other phones are not able to do so: when they enter their credentials they get stuck on the 1.1.1.1 page and cannot proceed.

I also tried the same phone brand (different model) and the same credentials, Samsung and Android, but I got two different results.

Can you please help me solve this issue? I anticipate this is because of the Cisco WLC and not the RADIUS server, because the authentication is successful on RADIUS.

Thanks,

8 Replies

Sandeep Choudhary
VIP Alumni

It's an SSL error. You need to upload a public CA-signed SSL certificate to the WLC to overcome this issue.

Regards

Don't forget to rate helpful posts

Thank you for your response, Sandeep.

To which domain should this SSL certificate be issued? I then need to issue a CSR.

Assume we are using domain.local as our internal domain, and the WLC page is https://1.1.1.1

The CA will not issue a certificate to you unless your domain is publicly available and verified.

Also, this page appears only when the redirection happens, because in normal cases when I enter https://1.1.1.1 into my browser, I get access to the public DNS server.

 

 

Firstly, use an address in the RFC 5737 range (192.0.2.0/24) for your virtual interface.

You will need a public CA-signed certificate for the host name and domain you choose under the Virtual Interface settings on the WLC. The domain name can be any registered domain name that you own. The DNS host name can be anything, as long as your clients can resolve that address via DNS.

I quite often create a DNS server on a dedicated guest router, where it forwards all DNS requests to the upstream public DNS servers, except that it has a local entry for the virtual interface (resolving wlc.domain.name to 192.0.2.1 in this example).

Haydn Andrews
VIP Alumni

Firstly, you should consider changing the virtual interface IP address on the WLC from 1.1.1.1 to something else:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213535-wlc-virtual-ip-address-1-1-1-1.html

You will need a public certificate so your clients do not get that insecure page:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

This blog post makes it a bit easier to follow:

https://www.rogerperkin.co.uk/wireless/how-to-install-ssl-certificate-on-cisco-wlc-for-guest-access/

*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

mohammed hashim
Level 1

Hi dears,

Back after a month: I have implemented a wildcard SSL CA certificate and installed it on both the RADIUS server and the Cisco WLC.

*.domain.com

Now all the laptops I tried (Windows 10) are connecting without issues. I even used 4 browsers (Edge, IE, Chrome, and Firefox); the certificate is trusted, and redirection is working fine.

But for smartphones, the situation is a bit different. Some phones are connecting fine, some are getting a certificate issue but are able to trust the certificate manually and proceed, and some phones are getting a certificate error and are not able to proceed at all.

When I let these smartphones access the network through the 802.1X SSID and browse to the RADIUS server web page, none of them face the certificate issue; they trust the certificate.

The CA certificate I am using is from GoDaddy.

When a device connects to the L3 SSID, which is WebAuth, and redirection to the RADIUS server occurs, it gets a URL like this:

https://nac.domain.com/guest/?switch_url=https://wlc.domain.com/login.html&ap_mac=18:8b:45:02:bc:c0&client_mac=a8:db:03:26:24:36&wlan=Guest&redirect=connectivitycheck.gstatic.com/generate_204

So could the reason be that the URL is considered malicious by some devices?

What do you suggest I do?
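As an added example (not from this thread, Cisco, or GoDaddy), a small stdlib-only Python check in the spirit of the earlier replies: the certificate must cover every hostname the client is sent to during the redirect above, and a wildcard covers exactly one label, never the virtual interface IP literal. The redirect URL is the one quoted in this post; the SAN list passed in is constructed.

```python
"""Which hostnames in a WLC web-auth redirect does a certificate's SAN list
cover? Added example; the URL is the thread's, the SAN list is constructed."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the redirect URL shape quoted in the thread.
REDIRECT_URL = (
    "https://nac.domain.com/guest/?switch_url=https://wlc.domain.com/login.html"
    "&ap_mac=18:8b:45:02:bc:c0&client_mac=a8:db:03:26:24:36"
    "&wlan=Guest&redirect=connectivitycheck.gstatic.com/generate_204"
)


def hostnames_in_redirect(url):
    """Hosts the browser opens TLS sessions to during the login flow:
    the portal itself and the WLC host named in switch_url."""
    parts = urlsplit(url)
    hosts = [parts.hostname]
    for switch in parse_qs(parts.query).get("switch_url", []):
        host = urlsplit(switch).hostname
        if host:
            hosts.append(host)
    return hosts


def name_matches(san, hostname):
    """RFC 6125 style comparison: '*' stands for exactly one leftmost label,
    so '*.domain.com' covers wlc.domain.com but not a.b.domain.com or the
    bare domain.com, and an IP literal such as 192.0.2.1 is never covered."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    s_labels, h_labels = san.split("."), hostname.split(".")
    if all(label.isdigit() for label in h_labels):
        return False  # a wildcard never matches an IP address literal
    return len(s_labels) == len(h_labels) and s_labels[1:] == h_labels[1:]


def uncovered_hosts(url, san_names):
    """Hostnames in the redirect that no SAN entry matches; each one will
    raise a certificate warning on a client that validates strictly."""
    return [h for h in hostnames_in_redirect(url)
            if not any(name_matches(san, h) for san in san_names)]
```

With `["*.domain.com"]` the redirect above comes back fully covered, while a redirect still pointing at the virtual IP literal (https://192.0.2.1/login.html) is reported as uncovered, which is what a client sees as the "insecure page".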

First of all, did you change the IP to 192.0.2.1 or similar?
That is required.
What error message appears on the clients?

 

 

This is the error I am getting.

Some phones are not trusting this, some are trusting it. However, all laptops are trusting this.

Again, when I open this in a browser, the URL looks like the one I mentioned in my previous reply.

I replaced 1.1.1.1 with 192.0.2.1, but it did not solve the issue.

If you open this in the browser on a PC, what URL and certificate do you get offered?
In some cases it's indeed not possible to circumvent this I think.