WLC Web Auth Cert. and DNS for virtual interface.

Unanswered Question
Oct 10th, 2011

Hi All,

I need a Web Authentication certificate for my Guest Anchor controller but I think I've hit a snag. The doc:


says at step 3 of 'Generate a CSR':

"The most important information that you need to provide correctly is the Common Name. Ensure that the host name that is used to create the certificate (Common Name) matches the Domain Name System (DNS) host name entry for the virtual interface IP on the WLC and that the name actually exists in the DNS as well."

Which DNS service do we add the new host name and IP address to? It can't be internal as the guest users are segregated from the corporate network and it can't be on the Internet as the address of the virtual interface of the WLC is bound to clash with something on the Internet.

How do I get around this problem?

Many Thanks,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.3 (13 ratings)
Stephen Rodriguez Mon, 10/10/2011 - 10:29

You are quite correct.  For this to work, you would need to use your own DNS Servers.  you could either pinhole the firewall to allow the guests to use it, or some companies have their own external DNS servers and point the clients there.

Now, if you have space, you could use an external IP on the virtual interface.  I've seen customers do this, when they don't want to pinhole, or don't have an external DNS server to use.



Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

George Stefanick Mon, 10/10/2011 - 10:49

Well here is a little spin on the DNS and outside DNS servers. If you use, and a user went to that SPECIFIC website it wouldn't work. Why, because is a controller interface (virtual) and it will hit the virtual interface first and go no where else. 

Best pratice is to use a non routed IP address. Like a 239 ....

You can also use public DNS servers and not your own. Just publish (example) guest.yourcompany.com to and you can point all your users to public DNS servers to resolve guest.yourcompany.com

This is what a lot of customers do ...

Stephen Rodriguez Mon, 10/10/2011 - 11:03

I tend to shy away from that one.  Some providers won't publish it, and IANA gave the 1.x.x.x/8 to a company, APNIC ?.  So it could cause issues down the road as well.

George Stefanick Mon, 10/10/2011 - 12:04

Most customers dont want to poke a hole and or give guest access to their DNS for variuos reasons. Ive done 20+ guest with outside DNS published and never had an issue.

But, I agree if you use and you went to that specific site it wouldnt work. But thats 1 site out of miliions ... Hence the 239 address or some other unrouted address.

BTW -- When you going to be back in town ?

scottwilliamson Tue, 10/11/2011 - 01:22

Hi Gentlemen,

Thanks for your replies, really helpful and interesting too.

I am indeed using, on all of our WLC virtual interfaces, in fact. If I changed the address to a suitable 239 do I have to make it the same on the other controllers or can I leave them as as they have a different mobility group name?



George Stefanick Tue, 10/11/2011 - 05:21

Scott, its required. If you have WLCs in the same mob group they all must have the same virtual ip address.

scottwilliamson Tue, 10/11/2011 - 06:12

I was afraid you'd say that. I was hoping I could get away with just changing the anchor as all our foreign controllers are in a group called 'mobility' and the anchor is in a group name of 'anchor', but of course they are all in the same single mobility group together (I hope that is clear).

Looks like I have a lot of changes to do :-)



George Stefanick Tue, 10/11/2011 - 06:53

Yea, sorry to break the news. Anyway some will argue that shoudnt be used and they have a point. But it will only impact users over the wifi if they hit that site.

scottwilliamson Fri, 10/14/2011 - 02:16

Hi Folks,

I'm having trouble setting the new virtual interface address; when I try to configure it as the WLC responds with

'Unable to set the IP address on the interface.'

I've tried some other addresses and I get various results:

(Cisco Controller) >config interface address virtual

Please reset the system for the change to take effect.               (so this is a valid/acceptable address for the WLC)

(Cisco Controller) >config interface address virtual

Unable to set the IP address on the interface.                              (doesn't like this one)

Seems it doesn't like the non routable IP addresses - I've tried it on a spare 5508, when you look at the interface summary the new address is there but rebooting makes it revert to the previously configured address and, yes, I did save the config.

any suggestions?



scottwilliamson Tue, 10/25/2011 - 00:55

Hi Again,

To add to the mix - I had an opportunity to try changing the virtual interface IP to on a 3750 WLC. It gave me the response: 'Unable to set the IP address on the interface', but rebooting it seems successful, ie the new address is on the VI.

Any thoughts?



George Stefanick Tue, 10/25/2011 - 10:00

It would appear with the new rev I can not add 239 as a virtual address either. You will need to pick an IP address that isnt routable. You can use, but if someone tries to hit the Internet net site they will hit your virtual address.

or you can use say a 192 address, so long as its not on your network and in use.

Make sense?

Stephen Rodriguez Tue, 10/25/2011 - 10:16

which actually makes sense, as it's a multicast address.

you might be able to set a, as it's reserved for documentation.




Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

George Stefanick Tue, 10/25/2011 - 10:18

Funny, you mentioned --- Thats what Cisco Advance Services uses on their deployments.

George Stefanick Tue, 10/25/2011 - 10:19
Reserved address blocks
CIDR address block Description Reference network (only valid as source address)RFC 1700 networkRFC 1918 5735 3927 networkRFC 1918 (IANA)RFC 5735, Documentation and example codeRFC 5735 to IPv4 relayRFC 3068 networkRFC 1918 benchmark testsRFC 2544, Documentation and examplesRFC 5737, Documentation and examplesRFC 5737 (former Class D network)RFC 3171 (former Class E network)RFC 1700 919
Stephen Rodriguez Tue, 10/25/2011 - 10:21

One of the NCE in the WWWP group, is/was trying to get WNBU to make this the default address, then link a Cisco cert for the webauth.  That way it web-auth worked out of the box without the invalid cert warning.

And it makes sense, as a client should never try to route to that address.

George Stefanick Tue, 10/25/2011 - 10:23

That would make sense and allow for easier deployments.. Will that ever happen you think ?

goudier2001 Tue, 03/13/2012 - 16:03

Hi Guys,

Interesting Post. I posted a similar question recently. I did try and ask our ISP to add a DNS entry with the ip address but they would not wear it.

What solution did you use in the end up? Did you use an address from or for the virtual address and did the ISP accept this?


This Discussion

Related Content



Trending Topics - Security & Network