Cisco Support Community
New Member

web-auth DNS

Hi all,

I need to clarify some details with regard to web-auth and 3rd party SSL certs.

In the past I have not encountered this, as the customers were happy to accept Cisco's default self-signed cert.

However, it will not be the case this time.

For ease of explanation I will use 1.1.1.2 as virtual-ip on the guest anchor and domain as wifi.company.com.

I perfectly understand how DNS will come play if we use an enterprise DNS or even a DNS server within the DMZ.

However, I prefer to utilise an external DNS so there will be no touch points with the internal network for guest users.

From my understanding the idea behind using 1.1.1.2 as virtual-ip is to ensure that it is not routable.

Therefore I do not understand how I could utilise external DNS while using a non-routable IP.

From the cert side I'm not after a wildcard certificate but looking to deploy a Level 2 cert (root, device, intermediate).

I also know there are going to be fun times ahead with OpenSSL, but I will not get too carried away at this point :-)

Any help on this is much appreciated.

Thanks,

Janesh

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

web-auth DNS

It's not bad at all.... if you plan on using an external public DNS, you need to be able to at least create an A record. Now look at it this way.... you would change the VIP on the controller to be one of the public addresses of your customer. Then you would add an A record to resolve e.g. guestwifi.externaldomain.com to the VIP, which is one of their public IP addresses. That's it.

As far as certificates, all certificates will be chained and you might get a single intermediate or maybe two intermediates, so you need to combine them in order. Follow this guide using OpenSSL and make sure you use OpenSSL 9.8.y. v1.0 might work and might not, so be safe and use the 9.8.y.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml

http://slproweb.com/products/Win32OpenSSL.html

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
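Scott's point about combining the device, intermediate and root certificates in order, shown as an added example that is not part of the thread: the script below builds a constructed three-tier chain with openssl, concatenates it in the order the controller expects (device first, root last) and checks that each certificate's issuer is the subject of the one after it. The CNs, file names and the example domain are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed root -> intermediate -> device
# chain; every CN, file name and domain below is an assumption for the demo.
set -e
WORK=$(mktemp -d)

# Minimal config so the run does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:guestwifi.example.com\n' > "$WORK/leaf.ext"

# issue_cert NAME SUBJECT ISSUER EXTFILE: create a CSR and sign it with ISSUER's key.
issue_cert() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/$4" -out "$WORK/$1.pem" 2>/dev/null
}

# Root is self-signed; the intermediate and the device cert are issued below it.
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 -sha256 \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Example Root CA" 2>/dev/null
issue_cert inter "/CN=Example Intermediate CA" root ca.ext
issue_cert device "/CN=guestwifi.example.com" inter leaf.ext

# check_chain_order FILE: succeed only if each certificate's issuer is the
# subject of the certificate that follows it (device first, root last).
check_chain_order() {
  dir=$(mktemp -d)
  awk -v d="$dir" '/BEGIN CERT/{n++} {print > (d "/" n ".pem")}' "$1"
  n=$(ls "$dir" | wc -l | tr -d ' ')
  i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -noout -issuer -in "$dir/$i.pem")
    sub=$(openssl x509 -noout -subject -in "$dir/$((i + 1)).pem")
    # Output is "issuer=<DN>" and "subject=<DN>"; compare the DN parts.
    [ "${iss#issuer=}" = "${sub#subject=}" ] || return 1
    i=$((i + 1))
  done
}

# The file the controller should receive: device, intermediate(s), root.
cat "$WORK/device.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"
# A common mistake: root first. check_chain_order rejects this file.
cat "$WORK/root.pem" "$WORK/inter.pem" "$WORK/device.pem" > "$WORK/wrong.pem"

check_chain_order "$WORK/chain.pem" && echo "chain.pem is in order"
openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/device.pem"
```

The same check works on a chain received from a public CA: split the file, and if any issuer does not match the following subject, the intermediates are out of order or one is missing.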
4 REPLIES
Hall of Fame Super Silver

Re: web-auth DNS

Why not? It's not like you are routing that FQDN. You're not making the WLC accessible from the internet. I've done that many times on my deployments and all my customers would rather have it that way. It's not like you're taking another IP address, just use one that is already being used. Your only other choice is a DNS in the DMZ then. Or just disable https and just use http, then you don't need a certificate.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: web-auth DNS

Hi Scott,

I thought I needed to get a brand new public IP. My bad.

As there are no Layer 2 security mechanisms in place, I prefer to have https.

cheers,

Janesh

New Member

Re: web-auth DNS

Hi Scott,

Thanks very much for your reply.

Changing the VIP to a public IP is not something I feel right about. Nevertheless, this seems to be the only way out for this particular use case.

Have a good day.

cheers,

Janesh
