SSL certificate on 5508 WLC

Colin Higgins
Level 2

I am in the process of using OpenSSL to generate a device certificate for my 5508 WLC.

However, I had a question about DNS. The controller is on a guest network and is used for outside companies. I don't control their laptops/devices, and the controller is handing out a public DNS (8.8.8.8) for them to use. They simply log in and connect to the Internet.

I assume this is going to create a problem with the device certificate. Won't clients get a warning if they cannot resolve the name of the controller against the certificate? Aside from installing my own DNS server into that network, is there any way around this?

Daniel McDavid
Level 1

If you want to 'hide' the virtual IP address used for webauth, the FQDN must be resolvable. See this document for more details:

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#cause

A work-around would be to use the virtual interface IP address for your CN when creating your cert.

Scott Fella
Hall of Fame

What I have done is create a certificate using your public domain and then add an alias DNS record on your external DNS or public DNS server. Tie it to one of your public IP addresses and then use that public IP address for your VIP. That is a workaround I have used.

-Scott
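
The name-matching rule behind both workarounds in this thread, as an added example that is not part of any reply or of Cisco's documentation: it builds two throwaway certificates with OpenSSL and checks which redirect target (FQDN or virtual interface IP) each one covers. `guest.example.com`, `192.0.2.1` and the function names are constructed placeholders; putting the IP in the subjectAltName as well as the CN is an assumption about what current clients check, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. FQDN and VIP are constructed placeholders, not values from the thread.
FQDN="guest.example.com"   # name clients would be redirected to
VIP="192.0.2.1"            # WLC virtual interface address

# make_cert <out.pem> <CN> <subjectAltName>
# Throwaway self-signed certificate (key discarded), used only to test name matching.
make_cert() {
    tmpkey=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$tmpkey" -out "$1" \
        -subj "/CN=$2" -addext "subjectAltName=$3" 2>/dev/null
    rc=$?
    rm -f "$tmpkey"
    return $rc
}

# name_matches <cert.pem> host|ip <value>
# Succeeds only if OpenSSL's own name check accepts <value> for this certificate.
name_matches() {
    case "$2" in
        host) openssl x509 -in "$1" -noout -checkhost "$3" ;;
        ip)   openssl x509 -in "$1" -noout -checkip "$3" ;;
    esac | grep -q "does match"
}

# report <cert.pem>: show which redirect URLs would load without a name warning.
report() {
    if name_matches "$1" host "$FQDN"; then echo "  https://$FQDN/ : ok"
    else echo "  https://$FQDN/ : name mismatch warning"; fi
    if name_matches "$1" ip "$VIP"; then echo "  https://$VIP/ : ok"
    else echo "  https://$VIP/ : name mismatch warning"; fi
}

workdir=$(mktemp -d)
make_cert "$workdir/fqdn.pem" "$FQDN" "DNS:$FQDN"   # certificate issued to the FQDN
make_cert "$workdir/vip.pem"  "$VIP"  "IP:$VIP"     # certificate issued to the virtual IP
echo "Certificate issued to $FQDN:"; report "$workdir/fqdn.pem"
echo "Certificate issued to $VIP:";  report "$workdir/vip.pem"
rm -rf "$workdir"
```

A certificate issued to the FQDN only helps if guests using a public resolver such as 8.8.8.8 can resolve that name to the virtual interface address, which this offline check does not test.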