Web auth Certificate - Virtual IP for DNS resolution Question

Prasan Venky
Level 3

Dear All,

I am not understanding why we need this thing when we install the certificates on the WLC. We already have the WLC name that is resolved in DNS. Why can't we use that one instead? Anyway, they might have designed it like that, or is there any reason behind it?

When we say the virtual IP should be non-routable, how do we give a common name that is resolvable by DNS? My DNS VIP is in the 192.2.X.X series.

Please clarify my doubt.

KVS

Viten Patel
Cisco Employee

Prasan,

I am not sure what your confusion is. The DNS resolution has nothing to do with the IP address being routable or not.


OK... Please tell me why we need a DNS entry for the virtual IP when we install the certificate?

I understand your confusion. We've all been there on this one scratching our head. I hope after this post you better understand.

First, the cert you loaded sounds like it's the cert for the WLC management. So you don't get that annoying pop up when you access the WLC. Correct?

If so, this has nothing to do with the virtual address and GUEST certificate. The virtual address on the controller is used for a number of things; mobility and guest redirect are a few. In your case, since you are saying virtual address and certificate, you must be referencing a guest cert. Again, different from your WLC management cert. The guest cert stops the annoying "accept this cert" pop-up for your guest users before they get the guest page. Again, different cert.

If you don't have a guest wireless network, or you don't care if the guest gets the pop-up, no cert is needed. If you are doing a guest network and you DON'T want the guest to get the annoying pop-up, you need to do the cert.

On my blog I outlined how to create the cert:

http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html

The reason why the cert has to match the virtual address is because of the redirect. Here is how it works. A client connects to your guest network. He goes to yahoo.com. The WLC allows the request to go out to DNS and get resolved. The DNS responds with the IP address and the WLC hijacks this request and puts the virtual address in its place. The client's browser automatically tries to open the virtual address and (bang) pop-up, unless you have the cert installed.

Make sense?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
___________________________________________________________
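
Added example, not part of the original posts and not Cisco code: a small Python model of the name check a guest's browser performs after the redirect described above, showing why the virtual interface needs a DNS name that resolves to the virtual IP and matches the guest certificate. The address `192.0.2.1`, the name `guest.example.com` and all function names are constructed for illustration, and it assumes the controller redirects to the virtual interface's DNS host name when one is configured.

```python
import ipaddress

# Constructed sample values (assumptions for illustration, not from the thread).
VIRTUAL_IP = "192.0.2.1"
VIRTUAL_FQDN = "guest.example.com"
GUEST_DNS = {VIRTUAL_FQDN: VIRTUAL_IP}  # A record the guests' DNS must serve
# Certificate in the dict shape returned by ssl.SSLSocket.getpeercert().
GUEST_CERT = {
    "subject": ((("commonName", VIRTUAL_FQDN),),),
    "subjectAltName": (("DNS", VIRTUAL_FQDN),),
}

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def cert_matches(cert, host):
    """Browser-style check: the host in the URL must be named in the cert."""
    sans = cert.get("subjectAltName", ())
    if is_ip(host):
        # An IP literal only matches an IP SAN entry, never a DNS name or CN.
        return any(k == "IP Address" and v == host for k, v in sans)
    names = [v.lower() for k, v in sans if k == "DNS"]
    if not names:  # legacy fallback to the subject common name
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    host = host.lower().rstrip(".")
    for name in names:
        if name == host:
            return True
        # A wildcard covers exactly one left-most label.
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def guest_login(redirect_host, cert, dns, virtual_ip):
    """Follow the web-auth redirect and report what the guest would see."""
    if is_ip(redirect_host):
        target = redirect_host
    else:
        target = dns.get(redirect_host)
        if target is None:
            return "dns-failure"        # no A record for the virtual name
    if target != virtual_ip:
        return "wrong-destination"      # name does not point at the virtual IP
    return "login-page" if cert_matches(cert, redirect_host) else "certificate-warning"
```

Redirecting to the bare IP yields `certificate-warning` because the certificate names only the host name; redirecting to the host name yields `login-page` only when the guests' DNS returns the virtual IP for it.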

Hello George,

Yes, it's a very wonderful explanation, and the sad point is I could give only +5; I wish I could give more ... Really, many thanks for your time.

We are doing this stuff in our project and your answer gave me more understanding on it....

KVS

George Stefanick
VIP Alumni

Thanks for supporting the rating system .. Stop back if you have any more questions ..
