applying ssl certificates to the 4404 controller

Unanswered Question
Apr 24th, 2009

How is this done? We bought a certificate file and have 2 4404 controllers.

Where do I go to apply this and how do I apply this?

Also will my single cert work for 2 controllers?

Scott Fella Sat, 04/25/2009 - 05:51

Is this cert for guest or for management? If it is for guest, then you can use it on multiple wlc, if it is for management, then no. The reason is that when you generated the CSR, you specified a CN which you will resolve via DNS. For management, you have different ip address for management, so you will need one per wlc. For guest webauth, you use the VIP to resolve the CN so you can use that on multiple wlc's.

To install the cert for management, you would click on the management tab on the wlc and then on HTTP and check Download SSL Certificate, enter the info and hit apply.

To install the cert for webauth, you would click on Security tab, then Web Auth then certificate. Fill in the info and hit enter.

Hope this helps.

Starthorn Tue, 04/28/2009 - 03:13

When you say Guest and Management do you mean an interface or do you mean a type of cert?

Same for Guest... I know you can make local accounts on the controllers that are called guest accounts.

Here is what we are trying to do. When students connect to the student SSID and open up a web page they are directed to a web page to login (webauth) with LDAP user name and pass. Before they get to the webauth page their computer tells them that we don't have a cert and asks if they should trust the web page etc. We don't want this.

Scott Fella Tue, 04/28/2009 - 04:04

Then you need to generate and load an ssl cert for webauth. I use RapidSSL since they give you a root ca certificate and not a chained cert.... so much easier. Also chained is only supported on the 5.1.151.0 and later code. You need to generate a CSR by following this link. Again, get a RapidSSL cert and also you will need to download OpenSSL to generate the CSR. Then upload that to your WLC. The CN name you will have to resolve in DNS to get rid of that error.

On the WLC, you need to enter that DNS CN in the VIP interface. There is a spot for you to put that in. You will need to reboot your wlc after you add the CN to the VIP interface in order for it to take place.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

Win32 OpenSSL:

http://www.slproweb.com/download/Win32OpenSSL_Light-0_9_8k.exe
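The CSR generation Scott describes, as an added example that is not part of the thread and not taken from the linked Cisco document: it creates a key and CSR with OpenSSL for the web-auth hostname, then checks that the CN in the resulting certificate is the hostname clients will be redirected to (a mismatch is what keeps the browser warning alive) and whether the certificate is self-issued or issued by another CA (the chained case that needs 5.1.151.0 code). The hostname `guestportal.example.edu`, the subject fields and the self-signed stand-in certificate are constructed for the example; replace the stand-in with the certificate your CA returns. The same `openssl` commands work with the Win32 build linked above.

```shell
#!/bin/sh
# Added example, not from the thread or the Cisco configuration guide.
set -e

# Hypothetical web-auth hostname (the CN you will resolve to the VIP in DNS).
WEBAUTH_CN="${WEBAUTH_CN:-guestportal.example.edu}"
WORK="${WORK:-$(mktemp -d)}"

# Generate a 2048-bit RSA key and a CSR whose CN is the web-auth hostname.
# Subject fields are placeholders; use your organisation's real values.
gen_csr() {
  cn="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/webauth.key" -out "$WORK/webauth.csr" \
    -subj "/C=US/ST=State/L=City/O=Example School/OU=IT/CN=$cn" 2>/dev/null
  echo "$WORK/webauth.csr"
}

# Print the CN from a CSR (handles both "CN = x" and "/CN=x" output styles).
csr_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Print the CN from a certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Constructed stand-in for the CA-issued certificate: self-sign the CSR so
# the example runs offline. In practice, use the file the CA sends back.
selfsign_for_test() {
  openssl x509 -req -in "$WORK/webauth.csr" -signkey "$WORK/webauth.key" \
    -days 30 -out "$WORK/webauth.crt" 2>/dev/null
  echo "$WORK/webauth.crt"
}

# Succeeds only if the certificate CN equals the hostname clients are sent to.
# Run this before uploading; a mismatch means the warning will not go away.
check_cn_matches() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# Succeeds if issuer == subject (self-issued, root-style cert); fails if the
# certificate was issued by another CA, i.e. it needs its chain on the WLC.
is_self_issued() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Usage, after the CA returns the signed certificate as webauth.crt:
#   csr=$(gen_csr "$WEBAUTH_CN")           # submit this file to the CA
#   check_cn_matches "$WORK/webauth.crt" "$WEBAUTH_CN" && echo "CN ok"
#   is_self_issued "$WORK/webauth.crt" || echo "chained cert: include intermediates"
```

The key stays in `$WORK/webauth.key`; the WLC upload needs it together with the certificate, so keep the directory until the upload is done and then remove it.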

Starthorn Tue, 04/28/2009 - 04:18

We already have one from VeriSign. We already downloaded the cert file.

So would this go under the security heading or the management heading?

Scott Fella Tue, 04/28/2009 - 04:42

VeriSign is a chained cert, so you need 5.1.151 code on the WLC. You would go under the Security tab and then there is a WebAuth tab on the left side. Check the box and fill out the info and hit apply. You will need to reboot the wlc and don't forget to add the CN to the VIP interface.

Starthorn Tue, 04/28/2009 - 04:48

Thanks for all the help. I have another question though.

Can we use a private IP like 172.16.1.2 for the Cert or does it have to be external ip ?

Scott Fella Tue, 04/28/2009 - 05:07

You can use a private ip, but the VIP should not be on any subnet you are using on your network. What ever the clients are using as a dns obtained from dhcp, you will need that dns server to resolve that ip address.

Starthorn Wed, 04/29/2009 - 06:29

Well, I downloaded OpenSSL and I'm ready to send in my CSR. I'm getting ready to do that. I want to make sure I have the right answers in front of me so I don't void the cert.
