Unified Wireless and Certificates

Answered Question
Jun 1st, 2010

Hi Folks,


I'm currently deploying a Unified Wireless network and have run into a bit of an issue with Certificates - unfortunately they're not my specialist subject!


We're deploying two wireless networks (Guest and Corp). Guest will tunnel back to a dedicated WLC and Corp will use H-REAP to break out to the local LAN with PEAP authentication against AD (via Cisco ACS). We'll have 7 WLCs (including the Guest Anchor) which will be managed by WCS.


The problem that I face with the certificates is that I'm not sure how many I need and where to place them - this is my understanding:

1 x cert on the ACS for the AD authentication

1x cert on the WCS for the webpage login (to stop the cert warning)

1x cert on the mobility anchor (to stop the cert warning for guest-access)


I'm assuming that since the other WLCs will not be logged onto they don't need a cert, as it'll all be done via WCS and the guest 'web-auth' page is served from the mobility anchor rather than the 6 central WLCs?


Ideally we don't want cert warnings to appear as that will generate helpdesk calls from users, only for us to tell them 'just click ok and it'll be fine'


I'm currently trying to find out if we have an internal CA, which I can use to get certs for the WCS and ACS which will sort out the internal clients, then an 'external' cert for the guests.


Worst case, we'd need to get 'external' certs for all three, but I'm confused as to how that would work as our internal domain is a 'private' name [example.private] rather than a public .com [example.com].


Any guidance that you can give on this would be great!


Thanks in advance


Kev

Correct Answer by Scott Fella, Tue, 06/01/2010 - 04:02

Well if you have an internal CA and that is in the trusted root store on devices, you will not get that certificate error message. If you have to go with a 3rd party certificate, then you can go the route you have:


1 x cert on the ACS for the AD authentication

1x cert on the WCS for the webpage login (to stop the cert warning)

1x cert on the mobility anchor (to stop the cert warning for guest-access)


Or if you want less certificates you can do this:


1 x cert on the ACS for the AD authentication and on the mobility anchor (to stop the cert warning for guest-access)

1x cert on the WCS for the webpage login (to stop the cert warning)


Just use a CN name that is general... like wifi.private or something like that.


Scott


kev-matthews Tue, 06/01/2010 - 07:37

Thanks Scott!


Hopefully I can get some internal certs - or some fairly cheap external ones (spend all the money on the gear, but quibble over a few hundred $$$ for some certs....)


Kev

Scott Fella Tue, 06/01/2010 - 07:45
I have used RapidSSL since they are cheap and they issue root CA certs. Others like GoDaddy are cheap, but are chained and you will have to combine them in order for them to work. I have had co-workers who had luck with chained certs, but my preference is unchained just because it is easier :)


Scott
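The two points in this thread that actually decide whether users see a warning are Scott's "general CN" suggestion and his note that chained certs only work once the intermediate is combined with the server cert. The following script is an added example, not code from the thread or from Cisco; it uses openssl to build a throwaway root CA, an intermediate (the "chained" case) and a server cert with a general CN plus SAN entries, then checks what a client that trusts only the root makes of the leaf alone versus the leaf bundled with its intermediate, and whether a given hostname would pass. Every name in it (wifi.private, wcs.example.private, anchor.example.private, acs.example.private, "Example Root CA") is a constructed placeholder; on a real deployment the root is your internal CA or the public root already in the client trust store.

```shell
#!/bin/sh
# Added example (not from the thread): root CA -> issuing CA -> server cert,
# then verification as a client trusting only the root would do it.
# All names below are constructed placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. Root CA: stands in for the internal CA (or a public root in the trust store).
cat > root.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -config root.cnf -keyout root.key -out root.pem >/dev/null 2>&1

# 2. Intermediate (issuing) CA signed by the root: the "chained" public-CA case.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Issuing CA" \
  -keyout int.key -out int.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile int.ext -out int.pem >/dev/null 2>&1

# 3. Server cert: one general CN, plus a SAN for every box that will present it.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=wifi.private" \
  -keyout srv.key -out srv.csr >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:wifi.private,DNS:wcs.example.private,DNS:anchor.example.private\n' > srv.ext
openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 365 -sha256 -extfile srv.ext -out srv.pem >/dev/null 2>&1

# What the WLC/WCS should be loaded with: the leaf first, then the intermediate.
cat srv.pem int.pem > srv-chain.pem

# Client trusts only the root; server sends only the leaf -> no path to the root.
verify_leaf_only() {
  openssl verify -CAfile root.pem srv.pem >/dev/null 2>&1
}

# Same client; server sends leaf + intermediate -> chain builds to the root.
verify_with_chain() {
  openssl verify -CAfile root.pem -untrusted int.pem srv.pem >/dev/null 2>&1
}

# What a browser does: chain AND the hostname the user typed must match a SAN.
verify_for_host() {
  openssl verify -CAfile root.pem -untrusted int.pem \
    -verify_hostname "$1" srv.pem >/dev/null 2>&1
}

if verify_leaf_only; then echo "leaf alone: trusted"; else echo "leaf alone: NOT trusted"; fi
if verify_with_chain; then echo "leaf + intermediate: trusted"; fi
for h in wcs.example.private anchor.example.private acs.example.private; do
  if verify_for_host "$h"; then echo "$h: no warning"; else echo "$h: browser would warn"; fi
done
```

The last loop is the part worth keeping around: acs.example.private is deliberately left out of the SAN list, so it fails even though the chain is fine, which is exactly the warning a user would get if the same cert were reused on a box whose name was never added. Run the `openssl verify -verify_hostname` check against each hostname users will actually type (WCS, the anchor's web-auth address, ACS) before the cert goes on the gear.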
