Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
516
Views
3
Helpful
6
Replies

WLC9800 L Internal Certificate Info

TRNnHelp
Level 1
Level 1

‎03-08-2023 08:06 AM

I have Guest WIFI configured on the WLC9800 L and would like to generate an internal certificate to get rid of the certificate error I get when I connect to our guest wifi. When I click add certificate I am not sure if I should put in 192.0.2.1 for the domain name or if there is an internal default on the 9800 that I should use for that field.

Labels:
0 Helpful
6 Replies 6

balaji.bandi
Hall of Fame
Hall of Fame

‎03-08-2023 08:23 AM

domain name always prefered. also guest i suggest to use Public Certificate (since most of the device BYOD, so they give always error)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

TRNnHelp
Level 1
Level 1
In response to balaji.bandi

‎03-08-2023 09:06 AM

Does it make a difference if our Guest wifi is on a dmz and using public DNS (google)
0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to TRNnHelp

‎03-08-2023 10:17 AM

Nope. You need to purchase a trusted certificate or else disable https and use http. Not really recommended.
-Scott
*** Please rate helpful posts ***

balaji.bandi
Hall of Fame
Hall of Fame
In response to TRNnHelp

‎03-08-2023 10:45 AM

DMZ is always Public facing, so i would suggest always use Public Cert.

example guide : @Scott Fella refering.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Scott Fella
Hall of Fame
Hall of Fame

‎03-08-2023 09:08 AM

Just to add, with guest devices, they don’t trust internal CA’s that are not public. You can validate this by reviewing the device trusted CA store. Like what @balaji.bandi mentioned, you need to purchase/obtain a trusted certificate from one of the vendors on the list. Most public cert vendors are trusted. That is the only way to not have the certificate error when users are prompted with the portal. 
There are guides out there also, search “Cisco 9800 3rd party certificate install”.

-Scott
*** Please rate helpful posts ***
0 Helpful

Rich R
VIP
VIP

‎03-10-2023 09:32 AM

And the cert must match the fully qualified domain name, and that FQDN must resolve to the virtual IP in DNS.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card