cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7107
Views
15
Helpful
4
Replies

WebAuth SecureWeb

AlexZmann
Level 1
Level 1

I am working on a new 5520 WLC running 8.3.143.0 code.  We have a WLAN using Layer 3 Passthrough for security.  From my understanding, to avoid a certificate error on the browser of an end user, you could generate and upload a 3rd party certificate or you can disable WebAuth SecureWeb.  My question is, will disabling WebAuth SecureWeb go against best practice and why?

 

 

Thanks in advance for your feedback.

4 Replies 4

Sandeep Choudhary
VIP Alumni
VIP Alumni

Hi,

Cisco Says:

By default, WLC allows low security crypto options for HTTPS negotiation to ensure backward compatibility, which are no longer considered strong enough in several scenarios. For security reasons, it is advisable to force the controller to use only strong cyphers with the high encryption command. This may cause some interoperability issues if the client connecting to HTTPS only supports legacy or limited crypto options, so it is advisable to do testing for possible issues. This is not a problem for most modern browsers and operating systems.

 

 

Workaround:

1. To avoid the error: either you have to use SSL certificate

 

or....

 

2. Just change that authentication page from https to http. On the controller go to MANAGEMENT –> HTTP-HTTPS. The third item from the top is “WebAuth SecureWeb”, the options are enable or disable. Default is enable so change it to disable. You then need to go to CONTROLLER –> INTERFACES –> VIRTUAL make sure the “DNS Hostname” field is empty. The IP address does not matter, 1.1.1.1 is very common. If you change the virtual address you will need to reboot the controller.

After changing the WebAuth SecureWeb to disable and rebooting the controller your guests can access and enjoy an authentication screen without the SSL certificate error.

 

Regards

Dont forget to rate helpful posts

Hi Sandeep,

 

Thanks for the explanation. Is WebAuth SecureWeb disable to be done on both Anchor and Foreign controllers?

Hi,

 

I think you need to run this command on Foreign controller as all authentications/authorizations occur between the Foreign controller and the ISE node.

 

Regards

Dont forget to rate helpful posts

Here, in my setup, I don't have a ISE or Radius instead I have created a Lobby Account to get authenticated locally on the controller.
Review Cisco Networking for a $25 gift card