08-19-2014 03:51 PM - edited 07-05-2021 01:23 AM
So, we deployed the 5760 for a guest SSID along with the other main SSID. The problem we are hitting is that the user gets a certificate error after guest authentication when the WLC sends a virtual IP as the redirect URL.
In the WLC config we have specified virtual-hostname along with the virtual-ip under the parameter-map for the guest web portal, but for some reason the WLC doesn't seem to want to consider the virtual hostname for the redirect and will only use the virtual-ip.
We are using a certificate which is issued to the virtual URL by the CA, but because the redirect URL has an IP address in it, the cert invalid error shows up.
We also got the CA to send us another cert with the IP address in the Subject Alternative Name field of the certificate, but that also doesn't fix the issue.
Has anyone else come across the same or a similar problem? I reckon the 5760s are fairly new to the market, so Cisco has not been very foolproof in mitigating these small things.
Thanks
08-19-2014 07:58 PM
Hi
Check whether you have configured the default parameter map (which specifies the virtual IP) & a custom parameter map (which specifies the redirect login URL, redirect portal IP address, etc.). The redirect portal IP address is important to have.
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 <5760-virtual-ip>
!
parameter-map type webauth <Custom_Parameter_map>
 type webauth
 redirect for-login https://<redirect-login-url>
 redirect portal ipv4 x.x.x.x
I have done external web redirect with 5760 & it worked. WebAuth cert issued to the URL that we are using & here is the cert installation procedure I followed.
http://mrncciew.com/2014/07/30/5760-webauth-certificates/
HTH
Rasika
*** Pls rate all useful responses ****
09-01-2014 04:16 PM
Thanks for your reply.
So what we did was get our CA to give us a cert with the CN as the virtual hostname, but also with the virtual-ip in the IP address field of the Subject Alternative Name section of the certificate.
Now we have installed this cert, and this one does work (i.e. no cert error for the guest portal on the Chrome or Firefox browser), but IE for some weird reason still gives us the error saying the cert is not from a valid authority etc.
The CA we are using is QuoVadis.
09-01-2014 09:09 PM
Glad to see you get it working.
Regards
Rasika
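The name-matching rule behind the certificate error discussed in this thread, as an added example that is not part of any post: under RFC 2818, a redirect URL containing an IP literal matches only an iPAddress entry in the Subject Alternative Name, never the CN or a dNSName entry. The function names, the hostname guest.example.net and the address 192.0.2.1 are constructed for illustration; the certificate dictionaries follow the shape returned by Python's ssl.SSLSocket.getpeercert().

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample certificates (not from the thread).
HOST_ONLY = {"subject": ((("commonName", "guest.example.net"),),),
             "subjectAltName": (("DNS", "guest.example.net"),)}
HOST_AND_IP = {"subject": ((("commonName", "guest.example.net"),),),
               "subjectAltName": (("DNS", "guest.example.net"),
                                  ("IP Address", "192.0.2.1"))}
CN_IS_IP = {"subject": ((("commonName", "192.0.2.1"),),)}  # IP in CN only, no SAN


def _dns_match(pattern, host):
    """Case-insensitive match; '*' may only be the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def redirect_host_matches(url, cert):
    """Return (ok, reason) for the host in `url` checked against `cert`."""
    host = urlsplit(url).hostname
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal in the URL: only iPAddress SAN entries are consulted.
        ok = ip in [ipaddress.ip_address(v) for t, v in sans if t == "IP Address"]
        return ok, "iPAddress SAN" if ok else "no iPAddress SAN for %s" % ip
    dns = [v for t, v in sans if t == "DNS"]
    if dns:
        ok = any(_dns_match(d, host) for d in dns)
        return ok, "dNSName SAN" if ok else "no dNSName SAN for %s" % host
    # RFC 2818 falls back to the CN only when no dNSName SAN is present.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ok = any(_dns_match(c, host) for c in cns)
    return ok, "commonName" if ok else "no matching name for %s" % host


if __name__ == "__main__":
    for name, cert in (("host-only", HOST_ONLY), ("host+ip", HOST_AND_IP)):
        for url in ("https://192.0.2.1/login.html", "https://guest.example.net/login.html"):
            print(name, url, redirect_host_matches(url, cert))
```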