Cisco NAC guest server and WLC certificate client issue

Mar 16th, 2010

Hi all,

We've successfully managed to install our Cisco NAC guest server and a 4402 controller in DMZ. All working apart from RADIUS issues. However, when a client connects to the wireless LAN they get certificate errors.

The client tries to go to a web page and is redirected to the following URL which is coming back from the controller: hxxps://1.1.1.1/login.html?redirect=cisco.com/. The browser displays an error "There is a problem with this website's security certificate". The client has to click on "Continue to this website (not recommended)" to continue.

The browser then displays the same certificate error but this time the URL is from our NAC guest server. Again, clicking on "Continue to this website (not recommended)" to continue solves the issue and the client is redirected to the splash page.

How can I ensure these 2 pages are not presented to the user?

Thanks

Scott Fella Tue, 03/16/2010 - 04:54

Well, you will need to use a 3rd party certificate. Here is a link to generate and install a 3rd party certificate on the WLC for use with Web-Auth:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

Here is a link for the NGS:

http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fsecurity%2Fnac%2Fappliance%2Fconfiguration_guide%2F410%2Fcas%2Fcas41ug.pdf&pos=1&strqueryid=2&websessionid=RK88fQNWy8TCDUakpNGLOqZ

The appliances are using a self-generated Cisco certificate, which of course is not in the trusted certificate store of most operating systems. So using a 3rd party certificate like RapidSSL, Verisign, etc. will eliminate the certificate issue.

kevin.woodhouse Wed, 03/17/2010 - 08:53

Thanks for the info, I'll approach our purchasing team to find all the pricing info. Can I just use http instead and not https on the NAC guest server and DMZ WLC, or do I have to present a cert to the client? It doesn't have to be https; can I use http only? The browser won't whine then.

Thanks

Scott Fella Wed, 03/17/2010 - 09:12

Yeah you can disable https so you won't get the certificate issue if you want, but to spend a couple hundred bucks for a 3-5 year RapidSSL cert isn't bad either.
