Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1045
Views
6
Helpful
12
Replies

Guest portal clera pass wlc

athan1234
Level 3
Level 3

ā€Ž08-22-2023 05:12 AM - edited ā€Ž10-17-2023 12:57 AM

Dear all:

I'm attempting to solve this issue, but I'm having trouble.

The customer has this error, which is the problem.

Page in blank  and the error ssl_IDMISMATCH

Labels:
0 Helpful
12 Replies 12

Flavio Miranda
VIP
VIP

ā€Ž08-22-2023 05:39 AM

Hi @athan1234 

 It seems the certificate was generated for the wrong URL. 

Flavio Miranda
VIP
VIP

ā€Ž08-23-2023 01:27 AM

@athan1234 

  To fix this, you/we need to understand better how everyting is setup on this devices. Which WLC are you using, are you using ISE as Radius? Which WLC version, ISE version if that is the case.

There is a process in order to use certificate on guests networks. You need to generate the CSR file, you need to send the CSR file to be signed and you need to install the certificate signed to the WLC. During the process the URL need to be informed and it seems the URL was not informed properly.

I am sharing here two links in order to troubleshooting site name mismatch and you can take a look. Maybe you fall in one of those examples.

 

https://www.thesslstore.com/knowledgebase/ssl-support/troubleshooting-name-mismatch-web-browser/

https://www.digicert.com/kb/ssl-support/certificate-name-mismatch-error.htm

 

athan1234
Level 3
Level 3
In response to Flavio Miranda

ā€Ž10-16-2023 03:29 AM - edited ā€Ž10-17-2023 12:57 AM

Hello @Flavio Miranda 

 

This time, I'm coming, and I'm going to generate a CSR  .I am confising if i will have to put on the CN : www.

 

0 Helpful

Rich R
VIP
VIP
In response to athan1234

ā€Ž10-16-2023 03:53 AM

You might find a site that can generate the CSR for you but they generally won't do that because that means they will have the private key for your certificate which is a MAJOR security issue - only you should ever know the private key - it should be treated as strictly confidential.

You can easily install OpenSSL on a PC to generate the CSR yourself:
 https://slproweb.com/products/Win32OpenSSL.html
Use version 1.1.1 because the Cisco WLCs will not be able to handle certificate chains generated by version 3.x

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

athan1234
Level 3
Level 3
In response to Rich R

ā€Ž10-16-2023 05:32 AM - edited ā€Ž10-17-2023 12:52 AM

Rich RI can generate a CSR using the gui, according to the WLC controller. My uncertainty is whether to include the www or not in the CN: field.

 

 

 

0 Helpful

Rich R
VIP
VIP
In response to athan1234

ā€Ž10-16-2023 05:48 AM

It must exactly match the FQDN so that looks correct.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

athan1234
Level 3
Level 3

ā€Ž09-07-2023 08:55 AM - edited ā€Ž10-17-2023 12:59 AM

I'm confused about the flow guest portal and function of the certificates.

In this case I believe is more difficulty, my customer doesnā€™t want to have wilcard certificate before that the user has a wilcard certificate and everything works well .

 

Tell me whether my hypothesis of guest portal flow is correct. If I'm wrong, please correct me.

  • The first step is when a user attempts to join to SSID_guest is for the AP to relay information to the wireless access point (WLC), which is equipped with a public certificate for guest users. What does the certificate's purpose , for the guest it is transparent , isnā€™t it.  it is only for to check it a secure connection between controller and user (this point it is difficult to understand ) 

This certificate on the side WLC. CN:xxxx.es

 

I'm not sure if I possess what is required for the right works.

Currently, xxxx.es doesn't resolve anything,

Do you believe that his DNS server should have an entry for xxxxxxx.es  in order to be able to resolve the virtual IP of the controller 192.0.2.1?

And the reverse DNS would be to use xxxxx.es to resolve the virtual IP 192.0.2.1.

 

Some set up side WLC

 

 

 

 

 

 

 

 

 

0 Helpful

athan1234
Level 3
Level 3

ā€Ž09-10-2023 01:28 PM - edited ā€Ž09-10-2023 01:31 PM

Anyone could help me ? 

0 Helpful

Rich R
VIP
VIP

ā€Ž10-01-2023 08:45 AM

What is in your pre-auth ACL Guest_WIFI ? (clue: all IPs and URLs required to complete login should be allowed)

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

athan1234
Level 3
Level 3
In response to Rich R

ā€Ž10-02-2023 05:48 AM - edited ā€Ž10-02-2023 05:50 AM

Hi @Rich R  thanks for your reply

 

athan1234_0-1696250889482.png

 

0 Helpful

Rich R
VIP
VIP
In response to athan1234

ā€Ž10-02-2023 09:37 AM

1. Only that 1 single IP address required for your users to login?

2. Your ACL has a mistake - it's allowing traffic to and from that IP but both with Dest Port HTTPS!  Similar to your DNS entries the return traffic will have Source Port HTTPS not Dest Port right?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

athan1234
Level 3
Level 3
In response to Rich R

ā€Ž10-02-2023 11:26 PM - edited ā€Ž10-03-2023 12:04 AM

Hello

The traffic is indeed sent to the clear pass by the wlc. the IP address that is being forwarded to the clear pass node

I guess ai modificated the acces list some time , i was reading an artuicule and i leave the same way
hence, the access list is the problem for you.

 

 

I am reading this articule , this ACL will be more polite

athan1234_0-1696314313272.png

 

 

 

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card