05-08-2014 06:41 AM - edited 07-05-2021 12:47 AM
I am in the process of using OpenSSL to generate a device certificate for my 5508 WLC.
However, I had a question about DNS. The controller is on a guest network and is used for outside companies. I don't control their laptops/devices, and the controller is handing out a public DNS (8.8.8.8) for them to use. They simply log in and connect to the Internet.
I assume this is going to create a problem with the device certificate. Won't clients get a warning if they cannot resolve the name of the controller against the certificate? Aside from installing my own DNS server into that network, is there any way around this?
05-08-2014 10:39 AM
If you want to 'hide' the virtual IP address used for webauth, the FQDN must be resolvable. See this document for more details:
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#cause
A work-around would be to use the virtual interface IP address for your CN when creating your cert.
05-09-2014 09:18 AM
What I have done is create a certificate using your public domain and then add an alias DNS record on your external DNS or public DNS server. Tie it to one of your public IP addresses and then use that public IP address for your VIP. That is a work-around I have used.
Please rate helpful posts and Cisco Support Community will donate to Kiva
Scotty
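As an added example that is not part of any post in this thread: the script below generates a throwaway self-signed certificate whose CN is a public FQDN and whose SAN also carries the virtual interface IP (modern clients match against the SAN, not the CN), then uses `openssl x509 -checkhost` / `-checkip` to show which names a guest's browser would accept without a warning. It assumes `openssl` is on the PATH; the FQDN guest.example.com and the IP 192.0.2.1 are constructed placeholders.

```shell
#!/bin/sh
# Added example: which names does a WLC web-auth certificate satisfy?
# guest.example.com and 192.0.2.1 are constructed placeholders.
set -eu

WORK=${TMPDIR:-/tmp}/wlc-cert-demo
mkdir -p "$WORK"

# OpenSSL request config: CN is the public FQDN, and the SAN also lists the
# virtual interface IP so a client with no working DNS that lands on the bare
# IP still gets a name match instead of a certificate warning.
write_config() {
    cat > "$WORK/san.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = guest.example.com
[v3]
subjectAltName = DNS:guest.example.com, IP:192.0.2.1
EOF
}

# Self-signed for the demo only; a real controller cert would be issued by a CA
# that the guests' devices already trust.
make_cert() {
    write_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -config "$WORK/san.cnf" >/dev/null 2>&1
}

# Exit 0 if the certificate matches the given DNS name, 1 otherwise.
cert_matches_host() {
    openssl x509 -in "$WORK/cert.pem" -noout -checkhost "$1" 2>/dev/null \
        | grep -q "does match"
}

# Exit 0 if the certificate matches the given IP literal, 1 otherwise.
cert_matches_ip() {
    openssl x509 -in "$WORK/cert.pem" -noout -checkip "$1" 2>/dev/null \
        | grep -q "does match"
}

make_cert
for h in guest.example.com wlc.example.com; do
    if cert_matches_host "$h"; then echo "$h: match"; else echo "$h: browser warning"; fi
done
for ip in 192.0.2.1 192.0.2.2; do
    if cert_matches_ip "$ip"; then echo "$ip: match"; else echo "$ip: browser warning"; fi
done
```

Only the FQDN and IP that appear in the certificate report a match; any other name or address the client is redirected to produces the warning the original question is worried about.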