04-30-2023 06:13 AM
I have a WLC 9800-L. I installed a wildcard cert and set a trust point. Now I cannot access the management via GUI. I can still access via PuTTY using the IP. I followed the Cisco documentation for installing the cert but haven't found anything on the GUI issue after installing a wildcard cert.
I would appreciate any help on this issue.
05-02-2023 09:24 AM
I attached a shot of what happens when I put in the trust point with cert and what happens if I use the self signed trust point
05-02-2023 09:35 AM
- No attachment(s) seen...
M.
05-02-2023 09:59 AM
05-02-2023 10:23 AM
- "This site can't be reached" is a networking error, not related to the controller.
M.
05-02-2023 04:10 PM
I'm confused. The only thing I changed is the trust point, to use the one that was created when I imported the certificate. So is the certificate causing the issue?
05-02-2023 04:20 PM
If you've installed an invalid certificate then yes that could well be the cause of your problems!
05-02-2023 04:19 PM
Well it might be but without any of the recommended troubleshooting (browser trace, packet capture, WLC debugs at a minimum) there's really no way of knowing.
I'm curious to know what kind of wildcard cert you think is going to work with https://192.0.2.1 ?
The only reliable way to get https to work without problems or security warnings is to use a fully qualified domain name, with matching certificate (issued by a public CA) and working DNS for the FQDN.
05-03-2023 10:06 AM
This is the first Cisco controller I am setting up new. I am using 192.0.2.1 per the instructions for the web auth global parameter map that say to use a non-routable IP. When I asked about using the internal certificate, many in this community said I needed to use a third-party certificate. We had just renewed a wildcard cert so I tried that. So not sure what I need to change to make this work, but I would appreciate any suggestions. Do I need to get a specific cert just for the WLC 9800? Do I need to change the IP in the global web auth parameter map?
05-04-2023 02:19 AM
I think you're completely missing the point about how certificates work! It's not really anything to do with the WLC itself.
Yes, you should be using a public certificate, but I don't believe any public CA would ever issue a cert for an IP address like that.
Let's say you got a wildcard cert for *.mydomain.com then your WLC name would have to be something like mywlc.mydomain.com and you'd need to redirect the client to mywlc.mydomain.com and the client would have to be able to do a DNS lookup for mywlc.mydomain.com which would resolve to your IP address allowing them to load that page.
That way the domain name the browser uses matches the domain name in the certificate, which the browser trusts because it's issued by a public CA.
But I'm willing to bet there is nothing in that public cert which will match "192.0.2.1" so the browser rejects it - end of story - TLS connection cannot be established.
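Added example (not part of the thread): a small Python script that applies the same hostname-matching rules a browser uses, to show why a *.mydomain.com wildcard covers https://mywlc.mydomain.com/ but never https://192.0.2.1/. The SAN list, the host name mywlc.mydomain.com and the DNS table are constructed for the example; the dNSName/iPAddress split and the one-label wildcard rule are how RFC 6125 and browsers behave.

```python
"""Show why a wildcard cert cannot secure a redirect to an IP literal."""
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN list, as found in a typical *.mydomain.com wildcard cert.
WILDCARD_SANS = [("DNS", "*.mydomain.com"), ("DNS", "mydomain.com")]

# Constructed stand-in for the guest's resolver: the A record the thread
# says must exist, pointing the virtual host at the WLC virtual IP.
FAKE_DNS = {"mywlc.mydomain.com": "192.0.2.1"}


def dns_name_matches(pattern, hostname):
    """RFC 6125 style match: a '*.' wildcard covers exactly one left-most label.

    '*.mydomain.com' covers 'mywlc.mydomain.com' but neither 'mydomain.com'
    nor 'a.b.mydomain.com'. Partial-label wildcards ('f*.com') are not
    accepted here, matching modern browser behaviour.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    return (len(plabels) == len(hlabels)
            and hlabels[0] != ""
            and plabels[1:] == hlabels[1:])


def cert_matches_host(sans, host):
    """True if the URL host is covered by one SAN entry.

    An IP literal is only ever compared against iPAddress entries, and a
    host name only against dNSName entries; they never cross over.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_name_matches(value, host):
            return True
    return False


def explain_redirect(url, sans, resolver):
    """Check a captive-portal redirect URL the way a browser would.

    Order matters: the browser first resolves the name (an IP literal needs
    no lookup), then validates the presented certificate against the host
    part of the URL it was sent to.
    """
    host = urlsplit(url).hostname
    if host is None:
        return "FAIL: no host in URL"
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if not is_ip and host not in resolver:
        return f"FAIL: {host!r} has no DNS record, redirect page will not load"
    if not cert_matches_host(sans, host):
        return f"FAIL: no SAN entry matches {host!r}, TLS handshake rejected"
    target = host if is_ip else resolver[host]
    return f"OK: {host!r} covered by certificate, connects to {target}"


if __name__ == "__main__":
    for url in ("https://192.0.2.1/login.html",
                "https://mywlc.mydomain.com/login.html",
                "https://guest.mydomain.com/login.html"):
        print(url, "->", explain_redirect(url, WILDCARD_SANS, FAKE_DNS))
```

The only redirect that passes is the one whose URL uses the FQDN that both resolves to the virtual IP and falls under the wildcard, which is exactly the virtual-host plus DNS-record combination the replies in this thread describe.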
05-04-2023 09:01 AM
I thought the configuration in the controller with the trustpoint and the global web auth would tie that together. So what needs to change to get this to work?
05-04-2023 09:25 AM - edited 05-04-2023 09:37 AM
Which part of my explanation I gave above did you not understand?
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 <virtual IP> virtual-host <mywlc.mydomain.com>
 webauth-bypass-intercept <your pre-auth ACL>
 trustpoint <your trustpoint>
 webauth-http-enable
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/web-authentication/b-configuring-web-based-authentication-on-cisco-catalyst-9800-series-controllers.html
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html#toc-hId--337219929
https://thewlan.com.au/2020/07/14/9800-local-webauth-certs/
https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKEWN-2014.pdf
https://www.rogerperkin.co.uk/wireless/how-to-install-ssl-certificate-on-cisco-wlc-for-guest-access/
And also refer to Best Practice guide below.
05-09-2023 02:22 AM
Dear TRN, it works for me with a C9800-40 on 17.6.4 (older versions were a nightmare). The easiest way was by importing a PKCS12 wildcard certificate including the CA chain. You can do this by uploading your wildcard certificate via Configuration -> PKI Management -> Add Certificate -> Import PKCS12 Certificate.
After you are done you have to enable this trustpoint for admin access. Here you just have to go to Administration -> HTTP/HTTPS/NETCONF/VTY. Under HTTP Trust Point Configuration select Enable and then select the certificate you just uploaded.
Caution: you might get disconnected from the GUI. Keep an SSH session open to revert if it goes wrong. I also had HTTP enabled briefly, just in case. The trustpoint can be shown or set via SSH with the command: ip http secure-trustpoint <trustpoint name>.
A wildcard certificate works only if you configure a DNS record for the management IP on your DNS server, e.g. https://wlc.domain.com, so no IP.
HTH
05-24-2023 07:00 AM
Thank you. I upgraded my controller to 17.6.5.22 and the certificate is now imported correctly, but I'm confused about the last line. I'm not sure how to create a DNS record without an IP. Any time I have created a record it has corresponded to an IP. What type of record is it?
05-24-2023 07:32 AM
The DNS record must point to the WLC virtual IP address, so if you're using 192.0.2.1 then that'll be the IP that goes in there. Users will then access it using the DNS name, not the IP address.
05-25-2023 09:10 AM