Guest portal ClearPass WLC

athan1234
Level 3

Dear all:

I'm attempting to solve this issue, but I'm having trouble.

The customer has this error, which is the problem:

Blank page and the error ssl_IDMISMATCH


Hi @athan1234

It seems the certificate was generated for the wrong URL.

@athan1234

To fix this, you/we need to understand better how everything is set up on these devices. Which WLC are you using? Are you using ISE as RADIUS? Which WLC version, and which ISE version, if that is the case?

There is a process in order to use certificates on guest networks. You need to generate the CSR file, send the CSR file to be signed, and install the signed certificate on the WLC. During the process the URL needs to be provided, and it seems the URL was not provided properly.

I am sharing two links here on troubleshooting a site name mismatch; take a look. Maybe you fall into one of those examples.

 

https://www.thesslstore.com/knowledgebase/ssl-support/troubleshooting-name-mismatch-web-browser/

https://www.digicert.com/kb/ssl-support/certificate-name-mismatch-error.htm

 

Hello @Flavio Miranda

This time I'm back, and I'm going to generate a CSR. I am confused about whether I will have to put www. in the CN.

 

You might find a site that can generate the CSR for you, but they generally won't do that, because that means they would have the private key for your certificate, which is a MAJOR security issue - only you should ever know the private key; it should be treated as strictly confidential.

You can easily install OpenSSL on a PC to generate the CSR yourself:
https://slproweb.com/products/Win32OpenSSL.html
Use version 1.1.1, because the Cisco WLCs will not be able to handle certificate chains generated by version 3.x.

@Rich R I can generate a CSR using the GUI of the WLC controller. My uncertainty is whether to include the www or not in the CN field.

It must exactly match the FQDN so that looks correct.
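Added example (not code from the thread, from Cisco or from the poster's deployment): the CSR step Flavio describes above, done locally with OpenSSL as Rich R suggests so the private key never leaves your hands, plus a check that the name in the CSR, and later in the certificate the CA returns, is exactly the FQDN guests are redirected to. guest.example.es stands in for the poster's xxxx.es, the C/O values are placeholders, and the self-signed certificate at the end exists only so the hostname check has something to run against: a cert issued for www.guest.example.es does not cover guest.example.es, which is the same class of error the browser reports as a name mismatch.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the guest-portal key and CSR with OpenSSL
# and checks that the CSR (and later the certificate) names exactly the FQDN that guests
# are redirected to. guest.example.es is an assumption standing in for the poster's xxxx.es.
# No "www." is added unless the portal URL actually carries it.

PORTAL_FQDN=${PORTAL_FQDN:-guest.example.es}
WORKDIR=${WORKDIR:-$(mktemp -d)}

gen_csr() {
  # $1 = FQDN to certify. Writes $WORKDIR/<fqdn>.key (keep it secret) and $WORKDIR/<fqdn>.csr.
  # CN and subjectAltName both carry the bare FQDN; browsers only look at the SAN.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" \
    -subj "/C=ES/O=Example Org/CN=$1" \
    -addext "subjectAltName=DNS:$1" >/dev/null 2>&1
}

csr_cn() {
  # Prints the CN of the CSR at $1.
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

csr_san() {
  # Prints the subjectAltName of the CSR at $1 (e.g. "DNS:guest.example.es"), or nothing.
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n +2 | tr -d ' '
}

csr_matches() {
  # $1 = CSR path, $2 = FQDN. Succeeds only if both CN and SAN name exactly that FQDN.
  [ "$(csr_cn "$1")" = "$2" ] && [ "$(csr_san "$1")" = "DNS:$2" ]
}

make_selfsigned() {
  # $1 = name to bake into a throwaway self-signed cert. Only here so the hostname check
  # below has something to run against; in real life the input is the CA-signed certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORKDIR/$1.throwaway.key" -out "$WORKDIR/$1.crt" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" >/dev/null 2>&1
}

cert_matches_host() {
  # $1 = certificate path, $2 = hostname from the portal redirect URL.
  # Uses OpenSSL's own hostname check (SAN first, CN only if there is no SAN), the same
  # logic a browser applies before showing a name-mismatch error.
  openssl x509 -in "$1" -checkhost "$2" | grep -q ' does match certificate'
}

# Stand-alone demo: a correct CSR, then a certificate issued for the wrong name.
gen_csr "$PORTAL_FQDN"
csr_matches "$WORKDIR/$PORTAL_FQDN.csr" "$PORTAL_FQDN" && echo "CSR names $PORTAL_FQDN: ok"
make_selfsigned "www.$PORTAL_FQDN"
if cert_matches_host "$WORKDIR/www.$PORTAL_FQDN.crt" "$PORTAL_FQDN"; then
  echo "cert for www.$PORTAL_FQDN also covers $PORTAL_FQDN"
else
  echo "cert for www.$PORTAL_FQDN does NOT cover $PORTAL_FQDN: browser name-mismatch error"
fi
```

Run it as `PORTAL_FQDN=<your portal FQDN> sh csr_check.sh`; the FQDN you pass must be the exact host in the redirect URL the WLC sends guests to, and the .csr file is the only thing that goes to the CA.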

athan1234
Level 3

I'm confused about the guest portal flow and the function of the certificates.

In this case I believe it is more difficult; my customer doesn't want to have a wildcard certificate. Before, the user had a wildcard certificate and everything worked well.

Tell me whether my hypothesis of the guest portal flow is correct. If I'm wrong, please correct me.

  • The first step is when a user attempts to join SSID_guest: the AP relays information to the wireless LAN controller (WLC), which is equipped with a public certificate for guest users. What is the certificate's purpose? For the guest it is transparent, isn't it? It is only there to check that there is a secure connection between controller and user (this point is difficult to understand).

This certificate is on the WLC side. CN: xxxx.es

I'm not sure if I have what is required for this to work properly.

Currently, xxxx.es doesn't resolve to anything.

Do you believe that his DNS server should have an entry for xxxxxxx.es in order to be able to resolve the virtual IP of the controller, 192.0.2.1?

And the reverse DNS would be to use xxxxx.es to resolve the virtual IP 192.0.2.1.

 

Some setup on the WLC side:


athan1234
Level 3

Could anyone help me?

Rich R
VIP

What is in your pre-auth ACL Guest_WIFI ? (clue: all IPs and URLs required to complete login should be allowed)

Hi @Rich R, thanks for your reply.

 

[screenshot: pre-auth ACL Guest_WIFI]

 

1. Is only that one single IP address required for your users to log in?

2. Your ACL has a mistake - it's allowing traffic to and from that IP, but both rows have Dest Port HTTPS! Similar to your DNS entries, the return traffic will have Source Port HTTPS, not Dest Port, right?
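Added example (not from the thread or from Cisco): a small evaluator for pre-auth ACL rows that reproduces the mistake described above, two rows that both say destination port 443, beside the corrected pair, where the portal-to-client row carries source port 443 instead. The addresses (192.0.2.50 for the ClearPass portal, 192.0.2.53 for DNS, 10.10.10.23 for a guest client) and the direction names from_client/to_client are this script's own assumptions; map them to the controller's Inbound/Outbound when you transcribe the rows into the WLC.

```shell
#!/bin/sh
# Added example, not from the thread. Evaluates constructed pre-auth ACL rows against the
# two halves of one HTTPS connection to show why a return row written with destination port
# 443 never matches the portal's replies (their *source* port is 443).
# Addresses are constructed: 192.0.2.50 = ClearPass portal, 192.0.2.53 = DNS, 10.10.10.23 = guest.
# Row format: direction source destination protocol src_port dst_port action
# 'any' matches anything; first matching row wins; no match means deny.

PORTAL=192.0.2.50
DNS=192.0.2.53
CLIENT=10.10.10.23

# The ACL from the screenshot, as described: both rows use destination port 443.
BROKEN_ACL="
from_client any $PORTAL tcp any 443 permit
to_client   $PORTAL any tcp any 443 permit
"

# Corrected: the reply row matches on SOURCE port 443, and DNS is allowed both ways
# so the portal FQDN can be resolved before the login page is fetched.
FIXED_ACL="
from_client any $PORTAL tcp any 443 permit
to_client   $PORTAL any tcp 443 any permit
from_client any $DNS   udp any 53  permit
to_client   $DNS   any udp 53  any permit
"

field_matches() {
  # $1 = rule field, $2 = packet field.
  [ "$1" = any ] || [ "$1" = "$2" ]
}

acl_action() {
  # $1 = ACL text; $2 = direction; $3 = src; $4 = dst; $5 = proto; $6 = sport; $7 = dport.
  # Prints "permit" or "deny".
  acl=$1; dir=$2; src=$3; dst=$4; proto=$5; sport=$6; dport=$7
  result=$(printf '%s\n' "$acl" | while read -r rdir rsrc rdst rproto rsport rdport raction; do
    [ -n "$raction" ] || continue
    field_matches "$rdir"   "$dir"   || continue
    field_matches "$rsrc"   "$src"   || continue
    field_matches "$rdst"   "$dst"   || continue
    field_matches "$rproto" "$proto" || continue
    field_matches "$rsport" "$sport" || continue
    field_matches "$rdport" "$dport" || continue
    printf '%s\n' "$raction"
    break
  done)
  printf '%s\n' "${result:-deny}"
}

login_flow_works() {
  # $1 = ACL text. Succeeds only if both halves of the HTTPS exchange are permitted:
  # client:52000 -> portal:443 (request) and portal:443 -> client:52000 (reply).
  req=$(acl_action "$1" from_client "$CLIENT" "$PORTAL" tcp 52000 443)
  rep=$(acl_action "$1" to_client   "$PORTAL" "$CLIENT" tcp 443 52000)
  [ "$req" = permit ] && [ "$rep" = permit ]
}

# Stand-alone demo.
if login_flow_works "$BROKEN_ACL"; then
  echo "broken ACL: login works"
else
  echo "broken ACL: request allowed, portal reply dropped (src port 443 != dst port 443 row)"
fi
if login_flow_works "$FIXED_ACL"; then
  echo "fixed ACL: login works"
else
  echo "fixed ACL: still broken"
fi
```

The evaluator is deliberately minimal (exact-match fields, no masks), but the point carries over to the real controller: every row has to be checked against the actual 5-tuple of both directions of each flow the login needs, and the reply direction of a TCP connection has the well-known port on the source side.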

Hello

The traffic is indeed sent to the ClearPass by the WLC; the IP address is the one being forwarded to the ClearPass node.

I guess I modified the access list at some point; I was reading an article and left it that way. Hence, the access list is the problem for you.

 

 

I am reading this article; this ACL will be more polished.

[screenshot: revised pre-auth ACL]
