03-05-2025 07:17 PM
We are looking to install a certificate on the Wireless LAN Controller (WLC) to eliminate the security warning that appears when guests are redirected to the captive portal. Additionally, we would like to customize the URL that appears and incorporate a custom captive portal.
We have already generated a PKCS12 file using a wildcard certificate, and we simply need to load it onto the WLC. However, before proceeding, we need to clarify a few points:
DNS Configuration:
Does the DNS entry need to resolve to the WLC’s IP address or the virtual IPv4 address configured on the WLC (which is 192.0.2.1)?
Certificate Upload and Web Authentication Configuration:
After uploading the certificate, we plan to update the web authentication parameters. Specifically, we will change the trustpoint to the installed certificate and set the virtual IPv4 hostname that we want to appear in the browser’s URL.
Do we need to modify the virtual IPv4 address to match the DNS entry?
03-05-2025 08:56 PM - edited 03-05-2025 08:57 PM
The certificate FQDN should resolve to the virtual IP of the controller. This would be the same for AireOS. Here are some steps you can follow.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/web-authentication/b-configuring-web-based-authentication-on-cisco-catalyst-9800-series-controllers/m-local-web-authentication-configuration.html#Cisco_Task_in_List_GUI.dita_...
03-05-2025 10:14 PM
Based on the guide, the virtual IP address should be a nonroutable IP address. How can the guest reach that IP address if that is what we will map the FQDN to? The WLC IP is 192.168.130.2 and the virtual IP is 192.0.2.1.
03-06-2025 07:05 AM
It doesn't work like that. The controller will send its FQDN and DNS just has to resolve to that VIP so that the certificate is valid. If you look at the URL when you try to connect to the webauth, you will see the FQDN of the existing certificate. The reason you get a cert error is because the FQDN/URL does not resolve to the VIP.
03-07-2025 01:04 AM
Sorry, I think we are looking at the same book but not at the same page. We already generated the PKCS12 cert using the desired URL. What we want to know is: when we configure the FQDN, what IP should it resolve to? The 192.168.130.2 or 192.0.2.1?
03-07-2025 05:53 AM - edited 03-07-2025 05:58 AM
The VIP, which I would assume is your 192.0.2.1, is what the webauth page redirects to. So, for example, an FQDN of guest-wifi@company.com --> 192.0.2.1. Your controller management certificate would be your hostname@company.com --> 192.168.130.2, which I assume is the management IP of the controller.
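As an added check written for this thread (not from the posters or from Cisco), the Python helper below models the two constraints the replies describe: the FQDN shown in the captive-portal redirect must be covered by the certificate's SAN list, wildcard included, and must resolve to the virtual IP rather than the management IP. The domain names and DNS table are constructed placeholders; 192.0.2.1 and 192.168.130.2 are the addresses from the thread.

```python
"""Offline sanity check for a 9800 web-auth certificate/DNS plan (hypothetical
helper written for this thread, not Cisco code)."""
from dataclasses import dataclass
import ipaddress

def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard covers exactly one left-most label."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                   # "*.company.example" -> ".company.example"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]   # the part the wildcard must cover
        return bool(label) and "." not in label
    return san == hostname

@dataclass
class WebAuthPlan:
    fqdn: str            # "virtual IPv4 hostname" shown in the redirect URL
    sans: list           # dNSName SANs in the uploaded PKCS12
    virtual_ip: str      # WLC virtual IPv4 address
    management_ip: str   # WLC management address
    dns: dict            # name -> address a guest's resolver would return

def check_plan(plan: WebAuthPlan) -> list:
    """Return the problems found; an empty list means no browser warning is expected."""
    problems = []
    if not any(san_matches(s, plan.fqdn) for s in plan.sans):
        problems.append(f"certificate SAN list does not cover {plan.fqdn}")
    answer = plan.dns.get(plan.fqdn.lower().rstrip("."))
    if answer is None:
        problems.append(f"{plan.fqdn} has no DNS record")
    elif ipaddress.ip_address(answer) == ipaddress.ip_address(plan.management_ip):
        problems.append(f"{plan.fqdn} points at the management IP; it must point at the VIP")
    elif ipaddress.ip_address(answer) != ipaddress.ip_address(plan.virtual_ip):
        problems.append(f"{plan.fqdn} resolves to {answer}, not the VIP {plan.virtual_ip}")
    return problems

# Constructed example: wildcard cert, the thread's two addresses, placeholder domain.
PLAN = WebAuthPlan(
    fqdn="guest-wifi.company.example",
    sans=["*.company.example", "company.example"],
    virtual_ip="192.0.2.1",
    management_ip="192.168.130.2",
    dns={"guest-wifi.company.example": "192.0.2.1"},
)

if __name__ == "__main__":
    print(check_plan(PLAN) or "OK: FQDN covered by the SAN and resolves to the VIP")
```

Pointing the same FQDN at 192.168.130.2 in the `dns` table reproduces the mismatch the thread describes and yields one reported problem.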