Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1494
Views
6
Helpful
6
Replies

Cisco 9800-CL Certificate for Web Auth Guest WIFI

CMH812009
Level 1
Level 1

‎12-05-2023 07:48 PM

I need some guidance on how to get rid of the security warning for the Cisco 9800-CL guest wifi SSID I have created.  This guest SSID used Central Authentication (Web-Auth) with the Cisco 9800-CL controller guest login page. From the way I understand it from the documentation, I need to generate a CSR from the controller (which I have done and saved to a text file).

The part that I need guidance on is where to go to get this signed by a CA.  Can I use our organization's internal (Windows CA Server) or does it have to be signed by a public CA so guests coming in from any organization will see this guest wifi sign-on page a secure (assuming this is the case).

If I need to get it signed by a public CA, does anyone have any suggestions on a good public CA to use that is not too expensive?

 

Thanks!

Labels:
0 Helpful
6 Replies 6

ammahend
VIP
VIP

‎12-05-2023 09:19 PM - edited ‎12-05-2023 09:20 PM

you are probably using local webauth (where guest page is hosted on 9800 itself) central webauth is when the guest page is hosted in central radius server. 

anyways, if using local webauth, you will need to get the CSR, get it signed by a public CA because guest endpoints dont trust your internal CA, use digicert, dogaddy etc. 

follow this documentation to install cert on 9800. 

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html

-hope this helps-

CMH812009
Level 1
Level 1
In response to ammahend

‎12-08-2023 01:59 PM

Yes, local webauth is what I meant.  One challenge I have is that the way I understand it, I can't have a public CA sign a cert that includes a private IP address (the virtual IP address of the 9800-CL controller - 192.0.2.1).  Am I going to have to create a public A record for our domain (i.e. guest.domainname.com) and somehow link that to the 9800-cl?  Looking for guidance here so I can get this setup and tested.

0 Helpful

MHM Cisco World
VIP
VIP
In response to CMH812009

‎12-08-2023 02:14 PM

Web Authentication
Similar to web administration, layer 3 authentication can also be used on the 9800. This trustpoint links a certificate to a web portal that is shown to a user as it attempts to authenticate to a WLAN through a guest portal that is automatically presented to the user. Using a trustpoint for web authentication helps protect the user credentials between the WLC and the client that is connecting to.
By default, the WLC uses the self-signed certificate. Again, this causes a warning message to pop up for the client stating that the web page is not trusted.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/221047-understand-certificate-and-trustpoint-ty.html

So I think you can use web auth with self singed signature, the warning message appear to wifi client and he must accept it. 

I think it work but it not secure 

MHM

0 Helpful

Rich R
VIP
VIP
In response to MHM Cisco World

‎12-09-2023 05:14 AM - edited ‎12-09-2023 05:16 AM

@MHM Cisco World some browsers and OS will not even display the warning - they will simply not display the page at all.

The only way to get a 100% reliable working client experience, without warnings or page getting blocked, is with a public cert which matches the FQDN of the page resolved by DNS.

So @CMH812009 yes you will need to do that if you do not control the client devices.
If all your client devices are managed (eg corporate environment with mobile device management) then you could use internal CA and make sure all the devices trust your internal CA.  The virtual IP you use should not be reachable from the internet and Cisco recommend that it isn't a routable address at all (but it can be).  But for the cert the CA will often ask you to update your DNS records (to prove your ownership of the domain) so they can query the DNS but they will never be using the IP it resolves to, just checking the DNS records.

And yes the cert must be for a fully qualified domain name - not an IP address.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

MHM Cisco World
VIP
VIP
In response to Rich R

‎12-09-2023 05:32 AM

Internal CA vs public CA

If he use internal CA (which I prefer) he need to add cert. Of CA to all client before they start accepting WLC signed by internal CA.

Meanwhile public CA the cert. Of CA is add auto with OS

So it depends' are client in one site and he can manage to add CA cert. Or not.

MHM

ammahend
VIP
VIP
In response to MHM Cisco World

‎12-11-2023 07:57 PM - edited ‎12-11-2023 07:57 PM

you are right but 90% of the devices connecting to guest wifi are unmanaged devices, I am being generous saying 90%

-hope this helps-
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card