Can't get rid of certificate security error on Web-Passthrough

Unanswered Question
Sep 7th, 2012

Hi all,

I've got a very frustrating problem with the security cert for my Guest internet Web Auth.

I've obtained a 3rd party certificate from Verisign for my WLC DNS host name by following Cisco's guides for both Chained and Unchained certificates. I have altered the Virtual IP address to a spare public IP address that we own, so I have created a genuine A-record and it has filtered through DNS and resolves. My DNS is pointed at Google.

Yet I still receive the cert error on redirect.

Any ideas?



Scott Fella Fri, 09/07/2012 - 05:03

The DNS the guest client obtains from DHCP is what? If the client does an nslookup on that FQDN, does it resolve to your VIP? I guess I'm wondering where you created the A record... on an external DNS that the clients use?

Sent from Cisco Technical Support iPhone App

wesdouglas Fri, 09/07/2012 - 05:24

The guest client uses Google's for DNS.

The internet connection we have on site is with a major provider and we have DNS servers from them. The a-record was created on these and has filtered through to Google's as I have tested pinging the FQDN from a totally separate machine using for DNS.

An nslookup on the domain name does come back with the correct VIP, yes.

The guest network goes out the same internet connection as mentioned above, only all traffic is PAT'd behind one of our public addresses and the Guest traffic is segregated on a different firewall interface.


Stephen Rodriguez Fri, 09/07/2012 - 05:51

Whom did you get the cert from? I know that Go Daddy isn't in the default root certs list in all OS.


Sent from Cisco Technical Support iPhone App

wesdouglas Fri, 09/07/2012 - 06:18

It's a Verisign cert so should be in the root.

Only one query I have about the cert is that when I created the CSR I put in the State as 'SCOTLAND' yet my company's admin who actually bought the cert on my behalf entered the state as 'ABERDEENSHIRE'. I've spoken to Verisign and they said that this doesn't matter as the cert is only checked against the Domain name. My knowledge of certs is limited so I'm going on what they say.

Stephen Rodriguez Fri, 09/07/2012 - 08:32

That should be correct. So long as the FQDN resolves to the IP of the VIP it should work. On a machine that is having the issue, pull up the Certificate MMC, and make sure that the Root cert is still valid.

Other than that, I can't think what would be going wrong. Unless you hadn't rebooted after putting the FQDN on the VIP.


Please remember to rate useful posts, and mark questions as answered

Scott Fella Fri, 09/07/2012 - 08:53

You get the splash page but you get the cert error, so the only thing left is the VIP.  You need to put the FQDN in the VIP DNS Host Name and reboot the WLC.



Help out others by using the rating system and marking answered questions as "Answered"

wesdouglas Fri, 09/07/2012 - 08:57

Scott, the domain name is already correctly defined in the virtual interface.



Scott Fella Fri, 09/07/2012 - 09:04

Well, if you are getting the splash page and you get the cert error with the FQDN configured in the VIP, then it's an issue with the cert. If the clients could not resolve the FQDN and the FQDN is configured on the VIP, they would not get the splash page. So the client is rejecting the certificate. You can only do a chained certificate, and when generating the CSR, make sure you choose 2048-bit.



Help out others by using the rating system and marking answered questions as "Answered"
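The two checks the replies above circle around (does the redirect FQDN match the certificate, and does the client see a complete chain up to a trusted root) are easier to reason about with a small model. The following is an added example, not code from this thread, from Cisco, or from any CA: it models certificates as plain dicts, omits signature and revocation checking, and all names, dates and certificates in it are constructed. It shows why the ST field mismatch is irrelevant to name matching, and how an "unchained" install (leaf uploaded without its intermediate) fails chain building on a client that lacks the intermediate.

```python
"""Added example: a model of the two checks a client applies to the WLC
virtual-interface certificate on the web-auth redirect.  Certificates are plain
dicts; signature verification and revocation are omitted.  All names, dates and
certificates below are constructed for illustration."""
from datetime import datetime, timezone


def _match_name(pattern: str, fqdn: str) -> bool:
    """RFC 6125-style comparison: a wildcard is only valid as the whole left-most
    label and never spans a dot, so *.guest.example.com does not cover
    guest.example.com or a.b.guest.example.com."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".guest.example.com"
        if not fqdn.endswith(suffix):
            return False
        left = fqdn[: -len(suffix)]
        return bool(left) and "." not in left
    return pattern == fqdn


def hostname_matches(fqdn: str, cert: dict) -> bool:
    """True if the redirect target matches a subjectAltName dNSName, or the CN when
    the certificate carries no SAN dNSNames.  Other subject fields (ST, O, L) are
    never consulted, which is why a state mismatch in the subject is harmless."""
    fqdn = fqdn.rstrip(".").lower()
    names = [n.lower() for n in cert.get("san_dns", [])]
    if not names and cert.get("cn"):
        names = [cert["cn"].lower()]              # legacy CN fallback
    return any(_match_name(n, fqdn) for n in names)


def build_chain(leaf: dict, presented: dict, trusted_roots: dict, now: datetime):
    """Walk issuer links from the leaf, through intermediates the server presented,
    to a root in the client's trust store.  Returns (ok, chain_subjects, problem).
    `presented` and `trusted_roots` map subject name -> cert dict."""
    chain, cur = [leaf], leaf
    for _ in range(10):                           # depth limit guards against loops
        subjects = [c["subject"] for c in chain]
        if not (cur["not_before"] <= now <= cur["not_after"]):
            return False, subjects, f"{cur['subject']} is outside its validity period"
        issuer = cur["issuer"]
        if issuer in trusted_roots:               # reached a trust anchor
            root = trusted_roots[issuer]
            subjects.append(root["subject"])
            if not (root["not_before"] <= now <= root["not_after"]):
                return False, subjects, f"trusted root {issuer} has expired"
            return True, subjects, None
        if issuer == cur["subject"]:
            return False, subjects, f"self-signed {issuer} is not in the trust store"
        nxt = presented.get(issuer)
        if nxt is None:                           # the classic "unchained" install
            return False, subjects, f"missing intermediate: nothing presented for issuer {issuer}"
        chain.append(nxt)
        cur = nxt
    return False, [c["subject"] for c in chain], "chain too long"


def diagnose(fqdn, leaf, presented, trusted_roots, now):
    """Run both checks the way a client does; returns a list of findings (empty = no error)."""
    findings = []
    if not hostname_matches(fqdn, leaf):
        findings.append(f"name mismatch: {fqdn} not in {leaf.get('san_dns') or [leaf.get('cn')]}")
    ok, _, problem = build_chain(leaf, presented, trusted_roots, now)
    if not ok:
        findings.append(problem)
    return findings


# --- constructed sample data (hypothetical names and dates) -------------------
def _cert(subject, issuer, cn=None, san_dns=(), valid_from=2012, valid_to=2013):
    return {"subject": subject, "issuer": issuer, "cn": cn, "san_dns": list(san_dns),
            "not_before": datetime(valid_from, 1, 1, tzinfo=timezone.utc),
            "not_after": datetime(valid_to, 12, 31, tzinfo=timezone.utc)}


NOW = datetime(2012, 9, 7, tzinfo=timezone.utc)
ROOT = _cert("Example Root CA", "Example Root CA", valid_from=2000, valid_to=2030)
INTERMEDIATE = _cert("Example Intermediate CA", "Example Root CA", valid_from=2010, valid_to=2020)
# Leaf for the virtual interface; the ST value in the subject plays no part in matching.
LEAF = _cert("guest.example.com/ST=ABERDEENSHIRE", "Example Intermediate CA",
             cn="guest.example.com", san_dns=["guest.example.com"])
TRUST_STORE = {ROOT["subject"]: ROOT}                         # what the client already trusts
CHAINED = {c["subject"]: c for c in (LEAF, INTERMEDIATE)}    # leaf + intermediate uploaded
UNCHAINED = {LEAF["subject"]: LEAF}                           # leaf only

if __name__ == "__main__":
    for label, presented in (("chained", CHAINED), ("unchained", UNCHAINED)):
        print(label, diagnose("guest.example.com", LEAF, presented, TRUST_STORE, NOW) or "no error")
    print("redirect by IP", diagnose("203.0.113.10", LEAF, CHAINED, TRUST_STORE, NOW))
```

Run as a script it reports "no error" for the chained install, a missing-intermediate finding for the unchained one, and a name-mismatch finding when the redirect lands on the bare IP instead of the FQDN, which is what a real client shows as a certificate warning. On a real machine the equivalent of `build_chain` is what the Certificate MMC check in the replies is looking at: whether every link from the leaf to a root in the local store is present and within its validity dates.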

wesdouglas Fri, 09/07/2012 - 08:54

I will check that on Monday when I come back in to work. Failing that I may just start from scratch and create a brand new CSR etc. as I think it must be an issue with the cert.

I definitely rebooted it as I've since done a software update on it and have tried to install the cert again, which required a reboot to take effect.

Thanks for your comments by the way.


