Cisco Catalyst 9800-CL Wireless Controller

Version: 17.3.5a

Free Radius with Open LDAP 

 Did you create a ACL for web redirect on the WLC? For both ports 80 and 443?  It seems to me that you did por port 80 only.

Your ACL must deny Radius IP address.

Take a look on this doc

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html 

Redirect ACL Configuration

Thanks for answering.

I had already checked the documentation you sent.

To test, I created an ACL that completely frees communication with the RADIUS server address. However, the problem persists.

I don't think it's a problem with ACLs, since on some devices, both HTTPs and RADIO authentication work normally.

On a notebook, with Windows 11 installed, web authentication is working correctly. On the other hand, when I try to use a notebook with linux (debian), an android smartphone or an iphone, I get errors (invalid certificate) or a captive portal opens with http (no security).

I noticed that each of the devices uses the default captive portal:

Android:
http://connectivitycheck.gstatic.com
or, when opened via browser, an https error is displayed

Debian Linux via firefox: http://detectportal.firefox.com/succex.txt

Windows 11:
When trying to access, the standard windows portal is opened (http://www.msftconnecttest.com/redirect), and then it is redirected to the correct personalized page, with https, that is, it works correctly.

NOTE: both in windows and in other operating systems, authentication via RADIUS server works correctly. The problem lies in not always guaranteeing a secure connection.

Also, if I manually access the correct captive portal address, on the device I want to authenticate, in some cases it works normally, in others, it doesn't load the complete certificate chain, resulting in non-validation and error due to lack of root certificate.

 Radius communication and web auth happens totally different, so, you can not compare.

For Web auth in previous WLC version based on AIROS, you should have an ACL allowing the Radius IP address for Central Web Authentication.

On the WLC 9800, for some reason, they change the logic and now we need to deny the Radius IP address.  The experience I have is based in ISE for the process with  FreeRadius might be different. 

 But for ISE with CWA, I am sure that you need the ACL for web auth.

Yes, I believe it is a problem with the certificate validation.

The domain was signed with a public certificate.

I noticed that on computers where the capitve portal is working correctly, the complete certificate chain is shown.

On the other hand, on computers that have an error, the root certificate does not appear. As shown:

Incomplete string, with error:
RNP ICPEdu OV SSL CA 2019 --> wlogin.cpd.ufsm.br

Complete string, no error:
GlobalSign Root CA - R3 --> Trusted Root TLS SHA256 G3 --> RNP ICPEdu OV SSL CA 2019 --> wlogin.cpd.ufsm.br

Are you delivering the full cert chain together with your cert (best to make sure you are)?

In some cases the OS may need to be updated to support the latest certs and root CAs.

I performed the procedures as described:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html

PKCS12 Format Conversion and Certificate Chain in Multi-Level CA Scenarios.

It is possible to end up in a situation where you have a private key file and certificate in PEM or CRT format and want to combine them in a PKCS12 (.pfx) format to upload to the 9800 WLC. In order to do so, enter this command:

openssl pkcs12 -export -in <PEM certificate filename> -inkey <privatekey.key> -out <output new .pfx filename>
In the case where you have a chain of certificate (one or multiple intermediate CA and root CA) all in PEM format, you then need to combine all in a single .pfx file.

First, manually combine the CA certificates in a single file as such. Copy and paste the contents together (save the file in .pem format):

----- BEGIN Certificate --------
<intermediate CA cert>
------END Certificate --------
-----BEGIN Certificate -----
<root CA cert>
-----END Certificate--------

Later you can then combine all in one PKCS12 certificate file with :

openssl pkcs12 -export -out chaincert.pfx -inkey <deviceprivatekey> -in <device private certificate> -certfile <combined CA file.pem>

And if you do a packet capture can you see the client receiving the complete chain?

If it's receiving the complete chain but not recognising/accepting the root certs then OS update is the only option or some devices will need to be replaced if there is no update available.