Simple wireless network w/SSL on WLC 3504

I am trying to set up a very basic network on a WLC 3504. I want it to use web auth with an SSL certificate signed by a 3rd-party CA. The cable plugs in to port 2 on the WLC and goes out to the Internet using a dedicated port on the CPE on VLAN 11. This port is 192.168.111.1 and the interface uses 192.168.111.2. DHCP should hand out 192.168.111.20-200. Clients should be isolated from each other and should not be able to access LAN subnets outside of the 192.168.111.0/24 range. The problem I have been running into is that the SSL name (I’ll say contosowireless.contoso.com) fails DNS queries. We did a packet capture and found that the DNS server was not responding to queries. My theory is that the DNS server is on the LAN and packets are not passing through prior to the web auth completing. I’ve been working with support and they have me defining VLANs and routes in 6 different pieces of equipment. There has to be a simpler way to configure this. Any suggestions?

Accepted Solution

Thanks everyone for the help. I ended up solving this on my own, and here is how:
Since the connection is isolated directly out to the Internet, the client needed to ask a public DNS server where to get the web auth page. So I added a record to my public DNS to associate the CN on the certificate to the IP of the WLC’s virtual controller. The client looks for web auth on the virtual IP by name, DNS supplies the IP, and because the AP is internal to the firewall, the client receives the web auth page from the WLC and login proceeds correctly.


3 Replies

Haydn Andrews
VIP Alumni

Allow DNS in your pre-auth ACL

*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***
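As an added illustration of the advice above (this is not configuration from the thread or from Cisco), the following AireOS CLI sequence builds a pre-auth ACL that permits only DNS (UDP/53) between wireless clients and the 192.168.3.2 server mentioned later in the thread, and binds it as the web-auth ACL of a WLAN. The ACL name PREAUTH-DNS and WLAN id 1 are assumptions, lines beginning with "!" are annotations rather than CLI input, and the exact command syntax should be confirmed against the controller's release with `config acl ?` before use.

```cisco
! Added example, not from the thread: pre-auth ACL allowing only DNS to/from 192.168.3.2.
! ACL name and WLAN id 1 are assumptions. "!" lines are annotations, not commands.
config acl create PREAUTH-DNS

! Rule 1: client -> DNS server, UDP, destination port 53.
! Direction "any" is used so the rule does not depend on in/out semantics.
config acl rule add PREAUTH-DNS 1
config acl rule direction PREAUTH-DNS 1 any
config acl rule protocol PREAUTH-DNS 1 17
config acl rule source address PREAUTH-DNS 1 0.0.0.0 0.0.0.0
config acl rule destination address PREAUTH-DNS 1 192.168.3.2 255.255.255.255
config acl rule destination port range PREAUTH-DNS 1 53 53
config acl rule action PREAUTH-DNS 1 permit

! Rule 2: DNS server -> client, UDP, source port 53 (the reply path).
config acl rule add PREAUTH-DNS 2
config acl rule direction PREAUTH-DNS 2 any
config acl rule protocol PREAUTH-DNS 2 17
config acl rule source address PREAUTH-DNS 2 192.168.3.2 255.255.255.255
config acl rule destination address PREAUTH-DNS 2 0.0.0.0 0.0.0.0
config acl rule source port range PREAUTH-DNS 2 53 53
config acl rule action PREAUTH-DNS 2 permit

! No further permit rules: anything not matched above stays blocked until web auth succeeds.
config acl apply PREAUTH-DNS

! Attach the ACL as the WLAN's web-auth (pre-authentication) ACL.
config wlan disable 1
config wlan security web-auth acl 1 PREAUTH-DNS
config wlan enable 1

! Verification: rule hit counters and the client's policy state (expect WEBAUTH_REQD before login).
show acl detailed PREAUTH-DNS
show client detail <client-mac>
```

The point of keeping the ACL this narrow is that on a WLC a pre-auth ACL permit means "this traffic bypasses web auth": a rule that permits more than DNS (for example a permit-any line, or a permit to the whole 192.168.111.0/24 range) lets clients reach the Internet without ever seeing the login page, which is the symptom described in the next reply. The `show acl detailed` counters identify which rule a pre-authenticated client is matching. Note also that this ACL only governs traffic before authentication; keeping authenticated clients off the other LAN subnets needs a separate ACL applied to the WLAN or its dynamic interface.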

Thanks for the advice! Tried this and now I can connect... but it skips the web auth login page... my WLC is properly handing out the 192.168.111.0/24 addresses to the clients that connect to the SSID, and I have Internet access from the SSID. I’ve uploaded my pre-auth ACL, which should only allow DNS to and from the server at 192.168.3.2. Any idea what I need to change?
