Cisco Support Community

certificate issue on guest anchor controller

hi all

we've got an anchor controller inside a DMZ. the standard GW for the clients is the virtual interface (in this case 1.1.1.1). because it's a https-site the clients have to accept the certificate manually (we all know these problems..).

I work with the internal DHCP scope and also give them some DNS servers from the Internet.

any idea how to get this certificate installed? I've read that the virtual IP (1.1.1.1) got to have a DNS entry (in this case on the internet DNS). That's pretty bad, because we have several anchors in several countries, all working with 1.1.1.1. And also, is this virtual IP reachable from the internet to perform a DNS-lookup?

Would be great if someone has an idea or already made some experiences.

TIA

thom

Accepted Solutions

Re: certificate issue on guest anchor controller

Thom,

The reason the Virtual Interface needs an IP address is because a certificate can't be issued to an IP Address, it's issued to the FQDN. I have a client that is international where I set this up and I had to get their external DNS host (since they didn't have a DNS server in their DMZ) to add a host entry for each of the controllers. For example: WiSM1a.someplace.com was pointed to 1.1.1.1, WiSM1b.someplace.com was pointed to 1.1.1.1, etc.. you get the general idea. Then you need to take the actual device certificate, and the intermediate chain certificate and combine them into the WLC's required Certificate Package. This issue is a lot easier to resolve if you have a DNS server in your DMZ that you control.

Hope this helps.. Please rate useful posts.

Thanks,

Kayle
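
An added example, not part of Kayle's post and not Cisco's own procedure: it builds a throwaway root, intermediate and device certificate with OpenSSL, combines them with the key into one PEM file, and checks before upload that the chain verifies and that the certificate matches the host name clients will be sent to. Assumptions: `guest.example.com`, the password and all file names are placeholders, and the package layout (chain plus encrypted key in a single PEM) should be checked against the documentation for your WLC release.

```shell
#!/bin/sh
# Added example. All names, keys and the password are constructed test values.
set -eu
FQDN="guest.example.com"   # hypothetical FQDN whose DNS A record would be 1.1.1.1
PW="example-pass"          # placeholder password for the key inside the package
WORK="$(mktemp -d)"

# Issue a certificate for subject $1 (files named $2.*) signed by CA $3, extensions in $4.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 2 -extfile "$WORK/$4" -out "$WORK/$2.pem" 2>/dev/null
}

# Throwaway root CA, intermediate CA and device certificate standing in for the real ones.
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORK/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  issue "Test Intermediate CA" inter root ca.ext
  issue "$FQDN" device inter leaf.ext
}

# Device certificate first, then intermediate, then root; wrap with the key into one PEM.
build_package() {
  cat "$WORK/device.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/All-certs.pem"
  openssl pkcs12 -export -in "$WORK/All-certs.pem" -inkey "$WORK/device.key" \
    -out "$WORK/All-certs.p12" -passout "pass:$PW"
  openssl pkcs12 -in "$WORK/All-certs.p12" -out "$WORK/final-cert.pem" \
    -passin "pass:$PW" -passout "pass:$PW" 2>/dev/null
}

# Does the device certificate chain to the root through the intermediate?
chain_ok() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/device.pem" >/dev/null 2>&1
}

# Would a client accept the certificate for host name $1 / IP address $1?
host_matches() { openssl x509 -in "$WORK/device.pem" -noout -checkhost "$1" | grep -q 'does match'; }
ip_matches()   { openssl x509 -in "$WORK/device.pem" -noout -checkip "$1" | grep -q 'does match'; }

make_test_pki
build_package
chain_ok && echo "chain verifies"
host_matches "$FQDN" && echo "$FQDN matches the certificate"
ip_matches 1.1.1.1 || echo "https://1.1.1.1 would still warn: no IP entry in the certificate"
```

With real certificates, skip `make_test_pki` and run the same checks against the files your CA returned.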

5 REPLIES

Re: certificate issue on guest anchor controller

Can you post a brief topology of how your WLAN is designed.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Re: certificate issue on guest anchor controller

Great post K ... +5

Here is the Cisco guest example

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml

Re: certificate issue on guest anchor controller

Thanks George!!

Re: certificate issue on guest anchor controller

thanks kayle! you've just made my day.

unfortunately we can't use the DNS in the DMZ (political reasons) therefore I have to get in touch with our provider.

thanks again, I'll try it this way.

cheers.

thom.
