Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6362
Views
15
Helpful
4
Replies

WebAuth SecureWeb

AlexZmann
Level 1
Level 1

‎01-23-2019 05:59 AM - edited ‎07-05-2021 09:44 AM

I am working on a new 5520 WLC running 8.3.143.0 code.  We have a WLAN using Layer 3 Passthrough for security.  From my understanding, to avoid a certificate error on the browser of an end user, you could generate and upload a 3rd party certificate or you can disable WebAuth SecureWeb.  My question is, will disabling WebAuth SecureWeb go against best practice and why?

 

 

Thanks in advance for your feedback.

0 Helpful
4 Replies 4

Sandeep Choudhary
VIP Alumni
VIP Alumni

‎01-23-2019 06:14 AM

Hi,

Cisco Says:

By default, WLC allows low security crypto options for HTTPS negotiation to ensure backward compatibility, which are no longer considered strong enough in several scenarios. For security reasons, it is advisable to force the controller to use only strong cyphers with the high encryption command. This may cause some interoperability issues if the client connecting to HTTPS only supports legacy or limited crypto options, so it is advisable to do testing for possible issues. This is not a problem for most modern browsers and operating systems.

 

 

Workaround:

1. To avoid the error: either you have to use SSL certificate

 

or....

 

2. Just change that authentication page from https to http. On the controller go to MANAGEMENT –> HTTP-HTTPS. The third item from the top is “WebAuth SecureWeb”, the options are enable or disable. Default is enable so change it to disable. You then need to go to CONTROLLER –> INTERFACES –> VIRTUAL make sure the “DNS Hostname” field is empty. The IP address does not matter, 1.1.1.1 is very common. If you change the virtual address you will need to reboot the controller.

After changing the WebAuth SecureWeb to disable and rebooting the controller your guests can access and enjoy an authentication screen without the SSL certificate error.

 

Regards

Dont forget to rate helpful posts

prasanth.2.r
Level 1
Level 1
In response to Sandeep Choudhary

‎03-29-2022 07:59 PM

Hi Sandeep,

 

Thanks for the explanation. Is WebAuth SecureWeb disable to be done on both Anchor and Foreign controllers?

0 Helpful

Sandeep Choudhary
VIP Alumni
VIP Alumni
In response to prasanth.2.r

‎03-29-2022 11:22 PM

Hi,

 

I think you need to run this command on Foreign controller as all authentications/authorizations occur between the Foreign controller and the ISE node.

 

Regards

Dont forget to rate helpful posts

0 Helpful

prasanth.2.r
Level 1
Level 1
In response to Sandeep Choudhary

‎03-30-2022 02:58 AM

Here, in my setup, I don't have a ISE or Radius instead I have created a Lobby Account to get authenticated locally on the controller.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card