WLC 9800 L installed wildcard certificate and can no longer access Gui

TRNHelp
Level 1

I have a WLC 9800-L. I installed a wildcard cert and set a trustpoint. Now I cannot access the management via GUI. I can still access it via PuTTY using the IP. I followed the Cisco documentation for installing the cert but haven't found anything on the GUI issue after installing a wildcard cert.

I would appreciate any help on this issue.

30 Replies

I attached a screenshot of what happens when I put in the trustpoint with the cert and what happens if I use the self-signed trustpoint.

- No attachment(s) seen...

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Attachments: error with Cert.jpg, working guest wifi.JPG

- "This site can't be reached" is a networking error, not related to the controller.

 M.




I'm confused; the only thing I changed is the trustpoint, to use the one that was created when I imported the certificate. So is the certificate causing the issue?

If you've installed an invalid certificate then yes that could well be the cause of your problems!

Well it might be but without any of the recommended troubleshooting (browser trace, packet capture, WLC debugs at a minimum) there's really no way of knowing.

I'm curious to know what kind of wildcard cert you think is going to work with https://192.0.2.1?
The only reliable way to get https to work without problems or security warnings is to use a fully qualified domain name, with matching certificate (issued by a public CA) and working DNS for the FQDN.

This is the first Cisco controller I am setting up new. I am using 192.0.2.1 per the instructions for the web auth global parameter map, which say to use a non-routable IP. When I asked about using the internal certificate, many in this community said I needed to use a third-party certificate. We had just renewed a wildcard cert, so I tried that. So I'm not sure what I need to change to make this work, but I would appreciate any suggestions. Do I need to get a specific cert just for the WLC 9800? Do I need to change the IP in the global web auth parameter map?

Rich R
VIP

I think you're completely missing the point about how certificates work! It's not really anything to do with the WLC itself.
Yes, you should be using a public certificate, but I don't believe any public CA would ever issue a cert for an IP address like that.

Let's say you got a wildcard cert for *.mydomain.com then your WLC name would have to be something like mywlc.mydomain.com and you'd need to redirect the client to mywlc.mydomain.com and the client would have to be able to do a DNS lookup for mywlc.mydomain.com which would resolve to your IP address allowing them to load that page.

That way the domain name the browser uses matches the domain name in the certificate, which the browser trusts because it's issued by a public CA.
But I'm willing to bet there is nothing in that public cert which will match "192.0.2.1" so the browser rejects it - end of story - TLS connection cannot be established.

I thought the configuration in the controller with the trustpoint and the global web auth would tie that together. So what needs to change to get this to work?

Which part of my explanation I gave above did you not understand?
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 <virtual IP> virtual-host <mywlc.mydomain.com>
 webauth-bypass-intercept <your pre-auth ACL>
 trustpoint <your trustpoint>
 webauth-http-enable

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/web-authentication/b-configuring-web-based-authentication-on-cisco-catalyst-9800-series-controllers.html
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html#toc-hId--337219929
https://thewlan.com.au/2020/07/14/9800-local-webauth-certs/
https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKEWN-2014.pdf
https://www.rogerperkin.co.uk/wireless/how-to-install-ssl-certificate-on-cisco-wlc-for-guest-access/

And also refer to Best Practice guide below.

ciscoarri
Level 1

Dear TRN, it works for me (C9800-40, V17.6.4); older versions were a nightmare. The easiest way was importing a PKCS12 wildcard certificate including the CA chain. You can do this by uploading your wildcard certificate via: Configuration -> PKI Management -> Add Certificate -> Import PKCS12 Certificate.

After you are done you have to enable this trustpoint for admin access. Here you just have to go to Administration -> HTTP/HTTPS/NETCONF/VTY. Under HTTP Trust Point Configuration select enable and then select the certificate you just uploaded.

Caution: you might get disconnected from the GUI. Keep an SSH session open to revert if it goes wrong. I also had HTTP briefly enabled just in case. The trustpoint can be shown or set via SSH with the command: ip http secure-trustpoint *Trustpointname*.

A wildcard certificate works only if you configure a DNS record with the management IP on your DNS server, like https://wlc.domain.com, so no IP.

HTH

Thank you. I upgraded my controller to 17.6.5.22 and the certificate is now imported correctly, but I'm confused about the last line. I'm not sure how to create a DNS record without an IP. Any time I have created a record it has corresponded to an IP. What type of record is it?

The DNS record must point to the WLC virtual IP address, so if you're using 192.0.2.1 then that'll be the IP that goes in there. Users will then access it using the DNS name, not the IP address.
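As an added example (not from this thread, Cisco, or any of the posters), the Python below models the chain Rich R explains above and the DNS-record point in the last replies: the webauth virtual-host must be an FQDN covered by the wildcard SAN, an IP literal like 192.0.2.1 never matches a *.mydomain.com name, and DNS must resolve that FQDN to the virtual IP. The parameter-map values, SAN list and DNS table are constructed, not read from a controller.

```python
import ipaddress


def _is_ip_literal(name):
    """True if the string parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def san_matches(san_names, host):
    """RFC 6125-style match: '*.' covers exactly one leftmost label; a DNS SAN never covers an IP."""
    host = host.rstrip(".").lower()
    if _is_ip_literal(host):
        # Only an iPAddress SAN can match an IP literal, and public CAs do not issue one for 192.0.2.1.
        return any(_is_ip_literal(s) and ipaddress.ip_address(s) == ipaddress.ip_address(host)
                   for s in san_names)
    labels = host.split(".")
    for san in san_names:
        san = san.lower()
        if san.startswith("*."):
            suffix = san[2:].split(".")
            if len(labels) == len(suffix) + 1 and labels[1:] == suffix:
                return True
        elif san == host:
            return True
    return False


def check_webauth(param_map, san_names, dns):
    """Return the problems a client would hit with this (constructed) webauth parameter-map."""
    problems = []
    vip = param_map["virtual-ip"]
    vhost = param_map.get("virtual-host")
    if not vhost:
        problems.append("no virtual-host: clients are redirected to https://%s, which no public cert covers" % vip)
        vhost = vip
    if not san_matches(san_names, vhost):
        problems.append("certificate SAN %s does not cover %r" % (san_names, vhost))
    if not _is_ip_literal(vhost) and dns.get(vhost.lower()) != vip:
        problems.append("DNS for %s returns %s, expected virtual-ip %s" % (vhost, dns.get(vhost.lower()), vip))
    return problems


# Constructed sample data: a wildcard cert for *.mydomain.com and a stub DNS table.
WILDCARD_SAN = ["*.mydomain.com", "mydomain.com"]
DNS = {"mywlc.mydomain.com": "192.0.2.1"}


def demo():
    return {
        "ip_only": check_webauth({"virtual-ip": "192.0.2.1"}, WILDCARD_SAN, DNS),
        "fqdn": check_webauth({"virtual-ip": "192.0.2.1", "virtual-host": "mywlc.mydomain.com"}, WILDCARD_SAN, DNS),
        "no_dns": check_webauth({"virtual-ip": "192.0.2.1", "virtual-host": "guest.mydomain.com"}, WILDCARD_SAN, DNS),
    }
```

Running demo() shows the IP-only configuration failing on both the certificate and the redirect target, the FQDN configuration with a matching DNS record passing cleanly, and a covered FQDN with no DNS record failing only on resolution.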

When I add that DNS record I get "can't connect to server".