Cisco WLC 5508 Web Auth DNS Issue

Unanswered Question
Mar 9th, 2012

We have recently implemented a 3rd-party certificate for the guest access. We currently have a WLC 5508 that has a VLAN directly connected to our DMZ firewall and NATed out. The problem is that when I installed the 3rd-party certificate as per the following link http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html#comment16107741

The DNS host name that I entered into the DNS Host Name section is not resolved. If I remove the DNS name and leave the virtual IP address 1.1.1.1, then it works fine but just comes back with an untrusted message.

Any suggestions?

Scott Fella Fri, 03/09/2012 - 08:08

The DNS server that the clients receive from DHCP needs to be able to resolve the FQDN. Since it is 1.1.1.1, most likely you will need to resolve that on your internal DNS and open the FW from the guest subnet to the internal DNS server. DHCP will also need that DNS server added to the DHCP scope.

Thanks,

Scott Fella

Sent from my iPhone

goudier2001 Fri, 03/09/2012 - 08:20

Hi Scott,

The DHCP scope has the Google DNS addresses 8.8.8.8 & 8.8.4.4 because the guest access is directly connected to the DMZ and therefore does not touch our internal network. I would prefer not to use our internal DNS servers to resolve this address. Can this be done by the external DNS instead?

Stephen Rodriguez Fri, 03/09/2012 - 08:24

Yes and no. You can use an external DNS server and have the resolution of the virtual IP work, so long as the DNS provider is willing to enter an A record for your virtual IP / virtual interface name.

Otherwise, you would need to use a server that is under your administrative control and add that A record.

Steve

blakekrone Fri, 03/09/2012 - 08:24

Just use your standard domain DNS registrar if you have one, create an entry for your hostname, and have it resolve to 1.1.1.1.

For example, I use GoDaddy at home; I could create guest.fqdn.com and have it resolve to 1.1.1.1. Since it is a public DNS entry, it will resolve using Google.

Scott Fella Fri, 03/09/2012 - 08:30

"Can this be done by the external DNS instead?"

Well, the others have posted ways to get this to work, and it really depends on whether they allow you to add 1.1.1.1. If you have to call your ISP, then I would say that it's 50/50 that they will add an IP address that doesn't belong to you as a DNS entry. You can always then use one of your public addresses and use that for your VIP.

Stephen Rodriguez Fri, 03/09/2012 - 08:48

Well, the 1.x.x.x was given out by IANA. So if you're not the owner and you put that request in, there could be repercussions for using someone else's IP space.

blakekrone Fri, 03/09/2012 - 08:54

Good point, Steve. That's why I've started to use a standard private address instead of 1.1.1.1.

I've never had an issue trying to register any IP with the DNS servers.

Scott Fella Fri, 03/09/2012 - 08:59

For me it was like most ISPs will not add an A record with a private address, or even an address that wasn't owned by my client. I only had a few ISPs allow it, but using your public address seemed easier in most cases.

George Stefanick Fri, 03/09/2012 - 09:21

Richard,

Nice link, my80211.com. What do you think of the site?

As for the 1.1.1.1: if you use 1.1.1.1 as your virtual, the only problem I see you having is if you actually wanted to go to that site which used 1.1.1.1; you would hit the WLC virtual interface. So, with that being said, who really cares.

I've been putting A records on the ISP for years and haven't had any issues. In fact, I just did another one last month, although I'm not surprised to hear the challenges. Also, it's like a reverse lookup: if you try to resolve 1.1.1.1 it will go to the legit owner, but if you try to resolve, say, guest.tmhs.org it will go to 1.1.1.1.

You have to resolve the 1.1.1.1, either inside or otherwise.

goudier2001 Fri, 03/09/2012 - 10:07

Nice webpage. I actually used the 3rd-party certificate info to implement the web auth.

As I'm unsure if the ISP will provide a DNS record for 1.1.1.1 to guest.abccompany.com, is it an option to use one of the public addresses we have for the DNS record and change the virtual interface to reflect this as well, or even NAT the public address to the 1.1.1.1 address?

George Stefanick Sun, 03/11/2012 - 10:21

Excellent. I work pretty hard to keep it updated and relevant. It's always nice to see folks benefit from the material. I don't see a problem with it at the moment (thinking). But if your clients have to hit that address for anything, they will hit the virtual interface of the WLC. Best practice: it should be a non-routed address.

Can you poke a hole to your internal DNS server and add the record there or put a DNS in the DMZ for this purpose?

Stephen Rodriguez Sun, 03/11/2012 - 10:34

That would be one option, yes. But when you put the external address on the virtual interface, you need to change it on all of your other WLCs as well.

I don't believe you can NAT the address, as the WLC would show the 1.1.1.1 but the DNS would resolve to the outside. But this is my thought; I don't know for sure.

Steve

Sent from Cisco Technical Support iPhone App

goudier2001 Wed, 03/14/2012 - 12:02

OK guys, no surprise, but the ISP will not allow a DNS entry for our guest access web auth. Sounds crazy, but I guess the only options left are to remove the DNS name from the WLC and live with the cert error, or use the internal DNS server.

Have you guys had ISPs allow DNS entries? If so, which address did they accept?

George Stefanick Wed, 03/14/2012 - 12:17

I never asked the ISP; we just published under (the customer's domain). I mean, how can they tell you no? If you own myown.network.com you can publish what you want and how you want it.

I can give you a private list of more than a dozen XXX.guest.com networks that I've done this for.

George Stefanick Wed, 03/14/2012 - 12:18

But you're not trying to resolve 1.1.1.1. You are trying to resolve your own domain (my.network.com).

goudier2001 Wed, 03/14/2012 - 15:46

I understand what you are saying regarding the domain name, but the ISP is not comfortable adding 1.1.1.1 against our guest.company.com address. This is partly due to me probably not explaining it correctly to them and them not understanding what I'm trying to achieve. See below their reply to my request.

Our Hostmasters have reviewed your request and confirm that as you are attempting to establish Wireless / Internet connectivity, then publishing any public DNS information will not be valid:

1) Customers attempting to connect will not be able to query any host records.

2) If the public entry was added into DNS and pointed to the Private IP address then it would not be routable.

All the configuration needs to be carried out locally at your site

cthrasher Thu, 03/15/2012 - 11:53

Hi Richard,

Have you found a solution? I have the very same issue. I am using a 192.168.4.x IP address. I've added an A record to my external DNS servers. I added the IP address to the internal DNS server. I am still getting 'can't find server' when the client gets the redirect page, because the 192.168.4.x cannot resolve to the FQDN I've put on the virtual IP DNS hostname.

George Stefanick Thu, 03/15/2012 - 11:59

CT,

1) What did you add to the external DNS server (IP address and name)?

2) What do you mean you added the IP address of your internal DNS server?

     * Are your guests getting an OUTSIDE DNS server or an INSIDE DNS server?

3) What is 192.168.4.x? Is that your VIRTUAL address?

cthrasher Thu, 03/15/2012 - 13:22

Hi George

I added the FQDN of the virtual IP of the WLC to my internal DNS server, which is pointless, because the clients can't even get to that server.

For the external DNS, we use OpenDNS and we just added an A record for host.company.com which corresponds to 192.168.4.x (my virtual address).

Wanted to answer your question: my guests are getting OUTSIDE DNS servers.

blakekrone Thu, 03/15/2012 - 13:23

What is the actual domain name? If we know what you registered we can tell you if it resolves properly.

cthrasher Thu, 03/15/2012 - 15:10

wifi.specialized.com. It's not resolving for me on my guest LAN as a client. I do get an IP address in the subnet, because only DHCP and DNS are allowed before authentication. BTW, I've got a workaround: browse to http://{virtualIPaddress}/login.html and guests can get the splash screen. But to add insult to injury, the warning message still pops up to say the cert is untrusted. Been working on this 2 weeks, awesome. All I wanted was to add a convenience for my guest wifi users, so they could access a trusted site. What a pain.

blakekrone Thu, 03/15/2012 - 16:04

That resolves for me:

Non-authoritative answer:
Name:    wifi.specialized.com
Address: 192.168.4.200

I'm just using whatever this hotel uses that I'm at.

You said you are using OpenDNS, right? Is this what your guests are getting for their DNS servers? If so, as a test I would switch to 8.4.4.4 for example and give that a shot. Might be worth a try to see if OpenDNS is doing something screwy.

goudier2001 Thu, 03/15/2012 - 16:13

Cthrasher,

I feel your pain; you are actually further forward than me. I approached my ISP about implementing a DNS A record and they said no.

I checked your domain and it's not resolving. Has it definitely been added?

cthrasher Thu, 03/15/2012 - 16:23

Hi everybody! Wow, we got it working. What was going on was that our DNS provider, which is managed by us here in house (via a webpage), has a checkbox to block all internal IP addresses. Finally got my boss to think a little harder about the DNS and he remembered that 'feature' of the DNS service. As soon as he unchecked 'block private addresses' it came to work just fine. We are concerned, though, that we can't just add one private IP address and will look into that. Thanks all for your input!
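A small diagnostic for the conditions this thread keeps coming back to: Scott's point that the resolver handed out by the guest DHCP scope must resolve the web-auth FQDN to the virtual IP, and the private-address filtering that cthrasher's DNS provider had turned on. This is an added example, not code from the thread, from Cisco or from the WLC; the hostnames, prefixes and the injectable resolver are assumptions.

```python
"""Guest web-auth DNS sanity check (added example; not code from the thread).

It checks what the thread turns on: the resolver the guest DHCP scope hands
out must answer the web-auth FQDN, the answer must be the WLC virtual IP,
and the virtual IP should be non-routed or inside public space you actually
own. The resolver is injected so the check runs offline in a test; the
default queries the OS resolver, which only reflects the guest DNS when the
script is run from a client on the guest VLAN.
"""
import ipaddress
import socket


def os_resolver(name):
    """Return the IPv4 answers for name via the host's DNS, [] if it fails."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check_webauth_dns(fqdn, virtual_ip, owned_prefixes=(), resolver=os_resolver):
    """Return (ok, findings); findings are (level, message) tuples.

    'error' means the portal redirect or certificate will fail for guests;
    'warn' means the address choice is questionable but will work.
    """
    findings = []
    vip = ipaddress.ip_address(virtual_ip)
    answers = resolver(fqdn)
    if not answers:
        findings.append(("error", f"{fqdn} does not resolve from the guest resolver: "
                         "clients get 'can't find server' on redirect (missing A record, "
                         "or the provider filters answers that point at private space)"))
    elif virtual_ip not in answers:
        findings.append(("error", f"{fqdn} resolves to {answers}, not virtual IP {virtual_ip}: "
                         "the certificate name will not match the address clients reach"))
    owned = any(vip in ipaddress.ip_network(p) for p in owned_prefixes)
    if vip.is_global and not owned:
        findings.append(("warn", f"virtual IP {virtual_ip} is routable public space you do "
                         "not own: guests reaching its real owner hit the WLC instead, and a "
                         "DNS provider may refuse to publish an A record for it"))
    ok = not any(level == "error" for level, _ in findings)
    return ok, findings


if __name__ == "__main__":
    # Constructed sample values; replace with your FQDN, virtual IP and prefixes.
    ok, findings = check_webauth_dns("guest.example.com", "1.1.1.1")
    print("OK" if ok else "FAIL")
    for level, msg in findings:
        print(f"[{level}] {msg}")
```

Run it from a guest client with the real values to see what the guests' resolver actually returns; run it elsewhere and you only learn what your own resolver says.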

goudier2001 Wed, 03/21/2012 - 04:35

Hi Guys,

I would like to thank everyone who replied with some good points. My ISP eventually gave in and provided the external DNS A record I requested, and as a result the guest access is working like a sweetie. No errors with the external certificate either.

Thanks All.

edondurguti Tue, 08/07/2012 - 15:13

Guys,

Even though I installed the certs and put a hostname guest.mydomain.com on the virtual interface, guests still get the 1.1.1.1 page instead of the domain?

Anyone?

edondurguti Wed, 08/08/2012 - 06:05

Since my domain is a valid subdomain, if I only put a guest.mydomain.com record to resolve to 1.1.1.1, do you think it would work? (I am definitely not able to mess with DNS, because for 100 sites guest IP addresses are going to be handed out by DSL routers.)

What if I use a public IP address for the virtual interface, one of my public IP addresses, and set guest.mydomain.com to point to that?

Scott Fella Wed, 08/08/2012 - 06:23

You can use a public address if you want, but I think you still need to have a reverse lookup.

Sent from Cisco Technical Support iPhone App

edondurguti Wed, 08/08/2012 - 21:52

I've tried setting it to my home IP and it worked.

So I entered 72.x.x.x as the virtual interface's IP and I entered my real domain as the hostname, which really resolves to my IP, and it worked. Of course it was not validated with the cert.

Sent from Cisco Technical Support iPhone App

This Discussion

Posted March 9, 2012 at 8:04 AM