08-31-2012 05:45 AM - edited 07-03-2021 10:36 PM
Hello,
I'm trying to get my WebAuth redirect for guest to resolve a hostname, not an IP address. If I delete the hostname information it redirects fine to the IP address (but has a cert error). I'd like to have it redirect to a hostname so it will match the CN of the cert I've loaded on the controller. We're using OpenDNS for the public DNS so I cannot put an A Record on there associating 192.168.254.1 to washcoguest.co.washington.mn.us.
Right now when I connect to the SSID, it tries to direct me but cannot resolve the hostname and I get a page cannot be displayed.
Any help would be great.
Pete
08-31-2012 06:02 AM
For that to work you need to create the A record. Do you have a DNS server that you have administrative control over that you could point to?
Steve
Sent from Cisco Technical Support iPhone App
08-31-2012 06:47 AM
Pete: without the record it does not work.
The client machine should be able to do the DNS resolution otherwise it does not work.
On one machine you can add a static entry in the hosts file but it is not efficient to do this with a large number of clients.
HTH
Amjad
Sent from Cisco Technical Support iPad App
08-31-2012 07:40 AM
We're using OpenDNS Enterprise so I cannot add an A Record to that. I can get an A Record added with our ISP, however it will have to correlate to one of our external addresses.
Would it work if I NAT the virtual IP to an external IP and have our ISP put an A Record pointing to the external address?
08-31-2012 08:26 AM
Pete,
You can host that A record inside, but that would mean your guests need to have access to your inside DNS. Not ideal, but some people do that ...
Correct, you can host it with your ISP and it would need to match your domain. Which means you need a new cert.
For this very reason, I own "guestnetwork.org" and I host and provide certificates to get around all the confusion customers have. I can host XXXXXX.guestnetwork.org and it's published in a few minutes and ready to go.
As for your NAT question. The Virtual IP should not be routable, which in your question it's not, but just want to mention it. The client will need to resolve the name to the virtual IP. Adding all these extra steps only adds confusion.
I might suggest, redo the cert, publish it with your ISP.
08-31-2012 12:43 PM
I have been in that situation. So what I have done is take a public IP address and use that for the VIP and had the ISP enter a DNS record to resolve the FQDN to that public IP address. As long as the domain name used to generate the certificate is a registered domain name and you own it, the ISP should have no issues adding it.
Sent from Cisco Technical Support iPhone App
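The two conditions the replies above describe (the guest client must resolve the redirect hostname to the controller's virtual IP, and the hostname must match a name on the certificate) can be checked from a guest-side client with a short script. This is an added example, not code from any poster in this thread; the function names are hypothetical and the certificate name list passed in `__main__` is constructed.

```python
import socket

def resolve_a(hostname):
    """A records as seen by this client's resolver (run it from a guest client)."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def name_matches(cert_name, hostname):
    """Certificate name match; '*' is accepted only as the whole leftmost label."""
    c = cert_name.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*":
        return len(c) > 2 and c[1:] == h[1:]
    return c == h

def check_redirect(hostname, virtual_ip, resolved, cert_names):
    """Return a list of problems; an empty list means both conditions hold."""
    problems = []
    if not resolved:
        problems.append("no A record visible to the client: the redirect "
                        "ends in 'page cannot be displayed'")
    elif resolved != [virtual_ip]:
        problems.append("resolves to %s, expected only the virtual IP %s"
                        % (", ".join(resolved), virtual_ip))
    if not any(name_matches(n, hostname) for n in cert_names):
        problems.append("redirect target %s is not on the certificate %s: "
                        "browser shows a cert error" % (hostname, cert_names))
    return problems

if __name__ == "__main__":
    host, vip = "washcoguest.co.washington.mn.us", "192.168.254.1"
    cert_names = [host]  # constructed: the CN loaded on the controller
    for line in check_redirect(host, vip, resolve_a(host), cert_names) or ["ok"]:
        print(line)
```

Run it using the same DNS servers the guest DHCP scope hands out, since the result depends on what that resolver returns.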