WLC 5520 - Using a public signed certificate for guest Wi-Fi users

CSCO10576352 (Level 1)

Hi all,

I have set up 2 x new SSIDs on our 5520 WLC which are making use of the WLC's built-in Layer 3 web auth security.

One SSID is using passthrough and one is using Authentication.

With the WebAuth/SecureWeb feature disabled on the WLC all works fine as the portal pages are presented to the clients via clear HTTP.

This is not desirable in our scenario, however, as we wish to protect user credentials passed from the client via HTTPS, but when we enable HTTPS we run into the issue that the client does not accept/trust the WLC's built-in/self-signed certificate.

So we are looking at getting a public CA signed certificate uploaded to the WLC for use on the Web portal connections.

I would like clarification on a couple of points.

The web portal pages are presented to the client from a virtual interface on the WLC with an IP address currently set to 192.0.2.1. Under the settings for this virtual interface currently no DNS host name is defined.

For guest clients to accept the certificate passed from the WLC when we create a new publicly signed cert:

  1. Do we need to populate the DNS host name field (for example guest-wifi.mycompany.com)?
  2. Do we then need to ensure there is an entry in our public DNS for guest-wifi.mycompany.com?
  3. Can we use the above 192.0.2.1 IP address in the external DNS record for guest-wifi.mycompany.com, or does it need to be a valid external IP address within public IP space we own/manage?
  4. Would using the above 192.0.2.1 IP address in the certificate request also create an issue with the CA? Would it need to be a public IP we actually own/manage?
  5. Alternatively to point 4 above, would we just need the public DNS hostname in the certificate and not need to include the virtual interface IP address as a SAN entry in the certificate, for example?

Thanks for taking the time to read through and I appreciate any feedback, I just want to try and ensure we get the certificate request correct first time around to minimise cost.

Accepted Solution

Prince.O (Spotlight)

Hello,

Please see answers to your queries inline below:

"Do we need to populate the DNS host name field (for example guest-wifi.mycompany.com)?"

- Yes, you will need to populate the DNS hostname field on the controller with a name that resolves to the virtual IP. Without the DNS hostname, the controller will redirect the clients using the virtual IP specified, which in this case is "192.0.2.1".

"Do we then need to ensure there is an entry in our public DNS for guest-wifi.mycompany.com?"

"Can we use the above 192.0.2.1 IP address in both the External DNS record for guest-wifi.mycompany.com or does it need to be a valid external IP address within public IP space we own/manage?"

- Yes, you will need to make sure the hostname you use can be properly resolved in DNS to the controller's virtual IP address. It is not recommended to use a routable IP address in this case; you should only use a non-routable IP address. During the web auth redirect flow, the client will reach out to DNS and it will resolve to the controller's VIP, and as authentication traffic is flowing through the controller, it will receive the packet and respond when it receives a TCP SYN packet to the virtual IP address.

- One way to test that DNS resolution is working as expected is to do an nslookup for the hostname you set; it should resolve to the virtual IP you have set on the wireless controller. In theory you should be able to issue the nslookup from even outside the network if external DNS can resolve it.

"Would using the above 192.0.2.1 IP address in the certificate request create an issue also with the CA? Would it need to be a public IP we actually own/manage?"

"Alternatively to point 4 above would we just need the public DNS hostname in the certificate and not need to include the virtual interface IP address also as a SAN entry in the certificate for example?"

- There should be no need to use the virtual IP in the certificate request; you should only need the CN, which in this case will be the public DNS hostname you want to use, and this should match what is set on the wireless controller as well as the entry in DNS. You can also use a wildcard certificate instead of a specific CN.

For the certificate, you have two options: generate a CSR directly on the wireless controller, or use OpenSSL to generate it. The OpenSSL method is a bit more flexible as far as transferring the cert between controllers in the future, versus the on-controller CSR, which ties the cert only to that wireless controller.

Reference guide below:
https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html#anc0

Hope this helps ! 

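The OpenSSL route described in the reply above, as an added example that is not part of the thread or of Cisco's guide: a POSIX shell script that generates the key and CSR for the web-auth hostname with the name in both the CN and a DNS SAN, and then inspects the CSR before it goes to the CA, rejecting it if the CN or SAN is wrong or if an IP SAN has crept in. The hostname guest-wifi.mycompany.com and virtual IP 192.0.2.1 are taken from the thread; the C/O subject fields are placeholders, `getent` and the `openssl` CLI are assumed to be available, and the DNS check is only defined, not run, because it needs the public record to exist.

```shell
#!/bin/sh
# Added example: key + CSR for the WLC web-auth hostname, checked before it is
# sent to the CA. Not from the thread or from Cisco's guide. Assumptions:
# the hostname guest-wifi.mycompany.com and virtual IP 192.0.2.1 from the thread,
# placeholder C/O subject fields, and openssl/getent on the PATH.
set -eu

HOST="guest-wifi.mycompany.com"
VIP="192.0.2.1"

# Generate an unencrypted RSA key and a CSR whose CN and DNS SAN both carry
# the hostname. The virtual IP is deliberately left out: a public CA will not
# issue for a non-routable address, and once the DNS hostname field is set the
# WLC redirects clients by name, so the IP never has to appear in the cert.
make_csr() {
  host="$1"; dir="$2"
  cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = GB
O = My Company
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
}

# Inspect the CSR and return non-zero if the CN or DNS SAN does not match the
# hostname, or if an IP SAN slipped in. Run this before paying for issuance.
check_csr() {
  host="$1"; csr="$2"
  txt=$(openssl req -in "$csr" -noout -text)
  if ! printf '%s\n' "$txt" | grep -q "CN *= *$host"; then
    echo "CN does not match $host" >&2; return 1
  fi
  if ! printf '%s\n' "$txt" | grep -q "DNS:$host"; then
    echo "missing DNS SAN for $host" >&2; return 1
  fi
  if printf '%s\n' "$txt" | grep -q "IP Address:"; then
    echo "IP SAN present; a public CA will likely reject it" >&2; return 1
  fi
  return 0
}

# Resolve the hostname the way a guest client would and confirm it lands on
# the WLC virtual IP. Needs the public record to exist, so it is not run
# below; call it from a client on the guest SSID once the record is published.
check_dns() {
  host="$1"; vip="$2"
  resolved=$(getent hosts "$host" | awk '{print $1}' | head -n 1)
  [ "$resolved" = "$vip" ]
}

workdir=$(mktemp -d)
make_csr "$HOST" "$workdir"
if check_csr "$HOST" "$workdir/$HOST.csr"; then
  echo "CSR ready for the CA: $workdir/$HOST.csr (key: $workdir/$HOST.key)"
fi
```

Keep the `.key` file off the controller until the signed certificate comes back; the WLC needs the key only when the chained certificate is installed, and generating it outside the controller is what makes the certificate portable between controllers.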

2 Replies


Hi, many thanks for your response. I think that answers my questions and gives me enough to progress with the configuration.

Thanks also for the link, I will have a read through.
