Cisco NAC guest server and WLC certificate client issue

Mar 16th, 2010

Hi all,


We've successfully managed to install our Cisco NAC guest server and a 4402 controller in the DMZ. All working apart from RADIUS issues. However, when a client connects to the wireless LAN they get certificate errors.


The client tries to go to a web page and is redirected to the following URL, which is coming back from the controller: hxxps://1.1.1.1/login.html?redirect=cisco.com/. The browser displays an error, "There is a problem with this website's security certificate". The client has to click on "Continue to this website (not recommended)" to continue.


The browser then displays the same certificate error, but this time the URL is from our NAC guest server. Again, clicking on "Continue to this website (not recommended)" solves the issue and the client is redirected to the splash page.


How can I ensure these 2 pages are not presented to the user?


Thanks

Scott Fella Tue, 03/16/2010 - 04:54

Well, you will need to use a 3rd party certificate. Here is a link to generate and install a 3rd party certificate on the WLC for use with Web-Auth:


http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml


Here is a link for the NGS:


http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fsecurity%2Fnac%2Fappliance%2Fconfiguration_guide%2F410%2Fcas%2Fcas41ug.pdf&pos=1&strqueryid=2&websessionid=RK88fQNWy8TCDUakpNGLOqZ


The appliances are using a self-generated Cisco certificate, which of course is not in the trusted certificate store in most operating systems. So using a 3rd party certificate like RapidSSL, Verisign, etc. will eliminate the certificate issue.

kevin.woodhouse Wed, 03/17/2010 - 08:53

Thanks for the info. I'll approach our purchasing team to find all the pricing info. Can I just use http instead and not https on the NAC guest server and DMZ WLC, or do I have to present a cert to the client? It doesn't have to be https. Can I use http only? The browser won't whine then.


Thanks

Scott Fella Wed, 03/17/2010 - 09:12

Yeah, you can disable https so you won't get the certificate issue if you want, but to spend a couple hundred bucks for a 3-5 year RapidSSL cert isn't bad either.
