certificate issue on guest anchor controller

Sep 23rd, 2010

hi all


we've got an anchor controller inside a DMZ. The standard GW for the clients is the virtual interface (in this case 1.1.1.1). Because it's an https site, the clients have to accept the certificate manually (we all know these problems..).


I work with the internal DHCP scope and also give them some DNS servers from the Internet.


any idea how to get this certificate installed? I've read that the virtual IP (1.1.1.1) has to have a DNS entry (in this case on the internet DNS). That's pretty bad, because we have several anchors in several countries, all working with 1.1.1.1. And also, is this virtual IP reachable from the internet to perform a DNS lookup?


Would be great if someone has an idea or already made some experiences.


TIA


thom


George Stefanick Thu, 09/23/2010 - 10:18

Can you post a brief topology of how your WLAN is designed.

Correct Answer
Kayle Miller Thu, 09/23/2010 - 11:20

Thom,


The reason the Virtual Interface needs an IP address is because a certificate can't be issued to an IP address, it's issued to the FQDN. I have a client that is international where I set this up and I had to get their external DNS host (since they didn't have a DNS server in their DMZ) to add a host entry for each of the controllers. For example: WiSM1a.someplace.com was pointed to 1.1.1.1, WiSM1b.someplace.com was pointed to 1.1.1.1, etc.. you get the general idea. Then you need to take the actual device certificate and the intermediate chain certificate and combine them into the WLC's required Certificate Package. This issue is a lot easier to resolve if you have a DNS server in your DMZ that you control.


Hope this helps.. Please rate useful posts.


Thanks,


Kayle
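The two steps in Kayle's answer (a certificate issued to a per-controller FQDN rather than to 1.1.1.1, and the device certificate combined with its intermediate into one package) can be rehearsed before touching the controller. The script below is an added example and is not from this thread or from Cisco: it builds a throwaway test PKI with openssl, issues a device certificate for WiSM1a.someplace.com (the hostname from the answer; WiSM1b.someplace.com is the second constructed name), assembles the package in the order assumed here (device certificate, then intermediate CA, then the private key), and runs the checks a practitioner would want: chain verification, hostname match, the failure you get when the intermediate is left out, and a confirmation that the bundled key belongs to the bundled certificate. It assumes openssl 1.1.1 or later on PATH. In production the device CSR goes to your public CA instead of the test intermediate; only the CSR, bundling and verification steps carry over.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco). Assumptions: openssl 1.1.1+,
# constructed hostnames, and the package order device cert -> intermediate -> key.
set -e

WORK=$(mktemp -d)
FQDN=WiSM1a.someplace.com   # controller FQDN from the answer; DNS maps it to the VIP
VIP=1.1.1.1                 # virtual interface IP from the thread (not in the cert)

# Step 1: constructed test PKI (root CA -> intermediate CA -> device cert).
make_test_pki() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -sha256 -days 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/inter.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/inter.crt" 2>/dev/null
  # Device CSR: subject and SAN carry the FQDN, never the IP address.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$FQDN" \
    -keyout "$WORK/device.key" -out "$WORK/device.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$FQDN" > "$WORK/device.ext"
  openssl x509 -req -sha256 -days 1 -in "$WORK/device.csr" -CA "$WORK/inter.crt" \
    -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/device.ext" \
    -out "$WORK/device.crt" 2>/dev/null
}

# Step 2: assemble the package (assumed order: device cert, intermediate, key).
build_wlc_bundle() {
  cat "$WORK/device.crt" "$WORK/inter.crt" "$WORK/device.key" > "$WORK/wlc-bundle.pem"
  echo "$WORK/wlc-bundle.pem"
}

# Step 3: chain plus hostname check; succeeds only for the name the cert was issued to.
verify_device_cert() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
    -verify_hostname "$1" "$WORK/device.crt" >/dev/null 2>&1
}

# Same check with the intermediate left out: this is what clients see when
# only the device certificate is installed.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -verify_hostname "$1" \
    "$WORK/device.crt" >/dev/null 2>&1
}

# Bundle sanity check: first PEM block is the device cert for $FQDN, two
# certificates and one private key are present, and the key matches the cert.
check_bundle() {
  b="$WORK/wlc-bundle.pem"
  first=$(openssl x509 -in "$b" -noout -subject -nameopt RFC2253 2>/dev/null)
  [ "$first" = "subject=CN=$FQDN" ] || return 1
  [ "$(grep -c 'BEGIN CERTIFICATE' "$b")" -eq 2 ] || return 1
  [ "$(grep -c 'BEGIN PRIVATE KEY' "$b")" -eq 1 ] || return 1
  [ "$(openssl x509 -in "$b" -noout -pubkey 2>/dev/null)" = \
    "$(openssl pkey -in "$WORK/device.key" -pubout 2>/dev/null)" ]
}

make_test_pki
build_wlc_bundle >/dev/null
verify_device_cert "$FQDN" && echo "chain and hostname OK for $FQDN (DNS must map it to $VIP)"
verify_device_cert WiSM1b.someplace.com || echo "rejected for another controller's name, as expected"
verify_without_intermediate "$FQDN" || echo "rejected without the intermediate, as expected"
check_bundle && echo "package order and key match OK"
```

The hostname-mismatch case is the reason each anchor needs its own DNS name and its own certificate (or one certificate whose SAN lists every controller name) even though they all share 1.1.1.1. Whether WiSM1a.someplace.com actually resolves to the virtual IP from the client's resolvers is a separate lookup that this script does not perform.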

thomas.monn Thu, 09/23/2010 - 23:39

thanks kayle! you've just made my day.


unfortunately we can't use the DNS in the DMZ (political reasons) therefore I have to get in touch with our provider.


thanks again, I'll try it this way.


cheers.

thom.
