WLC virtual 1.1.1.1 and webauthentication Guest

ehuerta
Level 1
The SSID is dedicated to personnel external to my company. Is it necessary to route the virtual IP used for web authentication?
12 Replies

Hi @ehuerta

 

 It is not necessary. This IP is assigned by the WLC to an internal virtual interface and is not tied to any physical interface.

 It is used for communication between the WLC and clients for DHCP and webauth.

 

 

-If I helped you somehow, please, rate it as useful.-

I have configured an SSID to use webauth, and an interface that points to an ISP. When a client connects to the Guest SSID it shows a certificate error (unsecured connection).

The certificate was uploaded, but when connecting to the SSID it does not direct me to the DNS host name that was configured on the virtual interface (it shows a name resolution error or asks me to check whether the site is active).

These are the steps I used to upload the certificate:

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

 

When making a connection, I open the internet browser and it shows the name that you enter on the virtual interface, indicating that it is checking whether the host or site is active.

As you can see, I do not reach the part where it requests access credentials.

 

Thanks for checking my issue.

Regards.

Erik H.

 

 

Are you using internal or external web authentication?

 

 

 

 

-If I helped you somehow, please, rate it as useful.-

Authentication is local, that is, I register a username and password in the WLC with a certain lifetime. Is that what you mean?

 

If you are using internal web auth, you can choose from these three options for the certificate error:

 

1.  Leave it as is and let the users know that seeing that warning is OK.

2.  Disable HTTPS on the controller. Almost no one picks this because it is a global change, so even admin logins will be unencrypted.

3.  Install a valid root or chained certificate on the controller from an Internet CA.

 

If I understood you right, you are trying to perform the third option, right?

Take a look at this link. It might help you.

https://supportforums.cisco.com/t5/wireless-mobility-documents/how-make-the-web-auth-certificate-warning-go-away/ta-p/3119301

 

-If I helped you somehow, please, rate it as useful.-

 

In fact I am going with the third option, but it is not clear to me why users external to my network would be configured with a private DNS; that is to say, that they would have reach into my internal DNS.
The addresses for this SSID come from an ISP. Do I only have to tell my provider to assign a private DNS? Or would I have to set up routing so they can reach my internal DNS?
I do not understand this part very well; maybe you can guide me.

Thanks for the follow up.

Regards
Erik H

I think this is explained in that link:

"If you do not wish for the guest users to have access to your internal DNS servers, you could have a Linux or other free DNS server on the guest network and have the guest clients use that for DNS.  All that server would require is the A record for the virtual interface and then have it point to your ISP or Internet DNS servers for everything else."

 

I don't believe your ISP will agree to put an entry in their DNS pointing to 1.1.1.1, as this IP is actually a valid IP address.

 

-If I helped you somehow, please, rate it as useful.-
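The guest-side resolver described in the quoted paragraph, written out as a dnsmasq configuration. This is an added example, not from the original post or from Cisco: `webauth.example.com` stands in for the FQDN configured on the WLC virtual interface, `eth1` for the guest-facing interface, and 203.0.113.53 for the ISP's upstream resolver. The resolver answers the virtual IP only for that exact name and forwards every other query upstream, so guests never need a route to the internal DNS.

```conf
# dnsmasq.conf for the guest-network resolver (added example, placeholders assumed)
# Listen only on the guest-facing interface
interface=eth1
bind-interfaces
# Do not use /etc/resolv.conf or /etc/hosts of the resolver host itself
no-resolv
no-hosts
# Hygiene: never forward bare names or reverse lookups for private ranges upstream
domain-needed
bogus-priv
# The single A record the WLC webauth redirect needs: virtual-interface FQDN -> virtual IP
host-record=webauth.example.com,1.1.1.1
# Everything else goes to the ISP / public resolver
server=203.0.113.53
```

Point the guest DHCP scope's DNS option at this host; `host-record` answers only the exact name, unlike `address=/domain/ip`, which would also capture every subdomain.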

Well, that implies setting up routing between the address assigned to the Guest SSID and the address used by the DNS (whether using the internal DNS or a new DNS), is that correct?

I appreciate the follow-up.
Greetings.

Yes. The question is whether or not to allow users to use your internal DNS.

 You can even put the DNS FQDN on the virtual interface.

 

-If I helped you somehow, please, rate it as useful.-

We are evaluating the DNS issue.
We have configured on the virtual interface the common name used when generating the certificate.

Thanks again.

Thanks for the follow-up.
At this moment I have set up routing between the address assigned to the Guest SSID (free Internet from the ISP) and the internal DNS, and I have noticed that the certificate warning is no longer present only on the company's computers; on external devices I still do not have success.

I believe that the company where I sent the generated certificate to be signed is not so global (recognized worldwide). I may have to sign the certificate again with GoDaddy, which I think may cover more devices; that is, its certificate would already be on devices such as iPads, iPhones, Android, laptops, etc. Otherwise I think you would have to install the certificate on each device that needs to connect to my guest network, which does not seem practical for me.

This is the status I have so far.

When connecting to the guest network, it immediately opens the browser with the common name used when generating the certificate, where it requests credentials without showing me the certificate warning; but only on computers that belong to the company. On devices external to the company, they still show the same certificate error.

I appreciate the follow-up.
Regards
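The thread mixes two distinct failures: the virtual-interface FQDN not resolving on the guest side (the "name resolution error" in the earlier post) and the controller certificate being rejected by external devices (an untrusted or incomplete chain, or a CN/SAN that does not match the FQDN). The following diagnostic, an added example that is not from the original thread or from Cisco, separates them when run from a client associated to the guest SSID. `webauth.example.com` and the hostnames in the checks are assumptions; the verify codes are OpenSSL's standard X509 result codes, which Python exposes on `SSLCertVerificationError`.

```python
"""Diagnose WLC webauth redirect failures from a guest client (added example)."""
import socket
import ssl

# Assumed values: substitute the FQDN configured on the WLC virtual interface
# and the virtual IP (1.1.1.1 in the thread).
VIRTUAL_FQDN = "webauth.example.com"
VIRTUAL_IP = "1.1.1.1"

# OpenSSL X509 verify result codes mapped to the causes discussed in the thread.
VERIFY_CODES = {
    10: "certificate expired",
    18: "self-signed certificate presented, no CA chain at all",
    19: "root of the chain is not in the client's trust store (CA not recognized)",
    20: "issuer not found: intermediate or root missing on the controller or untrusted by the client",
    21: "first certificate cannot be verified: chained intermediates were not uploaded",
    62: "hostname mismatch: certificate CN/SAN differs from the virtual interface FQDN",
}


def classify_verify_code(code):
    """Translate an OpenSSL verify code into a plain-language cause."""
    return VERIFY_CODES.get(code, "verification failed (code %d)" % code)


def check_dns(fqdn, expected_ip, resolver=socket.gethostbyname):
    """Return (ok, detail). The guest-side resolver must answer the virtual IP
    for the FQDN; any other answer reproduces the name-resolution symptom.
    `resolver` is injectable so the check can be exercised offline."""
    try:
        answer = resolver(fqdn)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return False, "%s does not resolve: %s" % (fqdn, exc)
    if answer != expected_ip:
        return False, "%s resolves to %s, expected %s" % (fqdn, answer, expected_ip)
    return True, "%s resolves to %s" % (fqdn, answer)


def check_tls(fqdn, ip, port=443, timeout=5.0):
    """Connect to the virtual IP with SNI=fqdn and validate chain and hostname
    the way a guest browser does, against the OS trust store of this client."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, classify_verify_code(exc.verify_code)
    except (OSError, ssl.SSLError) as exc:
        return False, "TLS connection failed: %s" % exc
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    issuer = dict(rdn[0] for rdn in cert["issuer"]).get("commonName")
    return True, "trusted certificate, SAN=%s, issuer=%s" % (sans, issuer)


def main():
    """Run both checks and print PASS/FAIL with the reason."""
    for name, (ok, detail) in (
        ("DNS", check_dns(VIRTUAL_FQDN, VIRTUAL_IP)),
        ("TLS", check_tls(VIRTUAL_FQDN, VIRTUAL_IP)),
    ):
        print("%s %s: %s" % ("PASS" if ok else "FAIL", name, detail))


if __name__ == "__main__":
    main()
```

Run it from a device that is associated to the guest SSID but not yet authenticated, since the virtual IP is only meaningful where the controller intercepts traffic to it. A DNS FAIL means the guest resolver (ISP or dedicated) lacks the A record; a TLS FAIL with code 19, 20 or 21 matches the "CA not recognized on external devices" symptom and is fixed on the controller by uploading the full chain from a publicly trusted CA, not on each client.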
