12-24-2019 01:04 AM - edited 07-05-2021 11:27 AM
Hi
I'm trying to fix some issues on our guest WLAN web auth page.
At the moment the virtual interface is configured as follows:
IF Name: virtual
IP Address: 192.0.2.1
DNS Host Name: "empty"
A self-signed SSL cert (internal)
Planned is:
1. Set a DNS host name
2. Issue a public cert for this hostname
3. Test it with all the known browsers (Chrome, FF, Edge, IE) and some of the mobile browsers.
We are using an older 2504 with an older SW version, 8.3.143.0.
So I have some questions.
DNS Name
In the how-tos, i.e. in Cisco's WLC controller configuration guides, the following is noted about the DNS name:
To ensure connectivity and web authentication, the DNS server should always point to the virtual interface. If a DNS hostname is configured for the virtual interface, then the same DNS host name must be configured on the DNS server(s) used by the client.
So if I'd like to use a public SSL cert for the web auth page, do I need to create an internal zone with a public DNS name, or add the WLC DNS A record in the external DNS zone?
Public SSL CAs do not allow internal domains (*.local).
If I'd like to use landingpage.comany.com with the internal portal address 192.0.2.1
Further question:
When I generate a CSR for the public CA, is the internal IP address (192.0.2.1) needed as well, or is only the DNS name needed?
landingpage.comany.com
I'm hoping some people have had the same issues and maybe know the solution.
12-24-2019 04:53 AM
I believe if the user is an internal guest user, then you should use an internal CA certificate (do you have an internal CA?).
Make A records in your DNS and generate a certificate with the domain name, for example webauth.domain.local,
and test it.
You may have the example guide below:
12-24-2019 07:22 AM - edited 12-24-2019 07:33 AM
Hi BB
Thanks for your reply.
The guest Wi-Fi is for the public (our customers' guests), so deploying our own CA is not the best solution :)
The thing is, we noticed that Google Chrome and other browsers have problems with non-official CAs.
So the thinking behind it was to use an official cert.
12-24-2019 03:36 PM