Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2808
Views
0
Helpful
4
Replies

WLC 9800 is presenting its own certificate

Go to solution
nino1
Level 1
Level 1

‎06-30-2021 12:12 AM - edited ‎07-02-2021 09:37 PM

I am having a strange issue with WLC 9800 17.3 configured for guest wifi access in CWA scenario. It seems that whenever user is trying to access web page WLC is presenting its own certificate instead of redirecting to url provided by ISE. Any idea what could be causing this

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to nino1

‎06-30-2021 05:21 AM

Personally yes i guess so as long as working, just monitor - test it, take feedback from users (is the best ) to see all working as expected.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

0 Helpful
4 Replies 4

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎06-30-2021 01:57 AM

we are not sure how the configuration done at your end : best is i suggest look at below document provide more information, how the redirecting taking place :

 

 

Look at the below document :

 

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213923-configure-a-web-authentication-ssid-on-c.html

 

 

look at the thread :

 

https://community.cisco.com/t5/wireless/migrating-to-cisco-9800-certificate-requirements-when-using-ise/m-p/4285926

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
nino1
Level 1
Level 1
In response to balaji.bandi

‎06-30-2021 04:18 AM

Hi Bandi,

it seems like we found the issue. This is Foreign/Anchor setup with CWA
used to authentication. What we found out was that we had
ip http server (on Foreign)
and
no ip http server (on Anchor)
we are running 17.3.1
What fixed it was doing it the other way arround

no ip http server (Foreign)
ip http server (Anchor)

and it started working. Now, I am not sure does this make sense?
The problem was seen as after MAB phase ISE would return ACL + redirection
URL to Foreign WLC but user would never be redirected to this url for some
reason
After the change explained above the things started working

Is this expected behavior?

Regards
Nino

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to nino1

‎06-30-2021 05:21 AM

Personally yes i guess so as long as working, just monitor - test it, take feedback from users (is the best ) to see all working as expected.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Grendizer
Cisco Employee
Cisco Employee
In response to nino1

‎07-09-2021 10:39 AM

you can keep (no ip http server) on both WLCs Foreign and Anchor but you need to do the below:

conf t
parameter-map type webauth global
webauth-http-enable

Starting from 17.3.1 there is new cli commands to enable/disable http/https on the WebAuth, this was listed here in the release notes https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/release-notes/rn-17-3-9800.html

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card