Cisco Support Community
New Member

WLC 5508 And Third Party SSL for Web Authentication

Hello,

We are using WLC 5508 and currently the authentication process is via Customized WebAuth. As you know, with WebAuth the authentication process won't work unless you launch a web browser and get redirected to the authentication page, where you type your username and password. This is a bit fuzzy for most of the users, and what I'm thinking is to use a different authentication mechanism where the user will automatically be prompted upon connecting to any SSID. I have read that a Public/Third Party certificate will do this and any client can accept the public certificate.
Anyone can elaborate on this approach?

Regards, 

9 REPLIES
Hall of Fame Super Silver

Using a 3rd party certificate

Using a 3rd party certificate is only good if you want to still utilize https on the WebAuth portal and you don't want to see the certificate error. In later code, v7.5 I believe or later, they added a feature to disable https for WebAuth. The use of a 3rd party cert helps if you want the URL to show up as the FQDN you entered when creating the CSR. You would need to create an A record in DNS to resolve the FQDN to the virtual IP address. In the virtual IP address, you define the FQDN you specified for the certificate.

Scott
-Scott
*** Please rate helpful posts ***
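The three pieces Scott lists (the FQDN in the CSR, the DNS A record, the FQDN set on the virtual interface) have to agree with each other before the certificate error goes away. The Python below is an added example, not code from the thread or from Cisco: it takes the names from the cert, the DNS answer for the FQDN and the virtual IP as plain values and reports what is out of line. The FQDN and addresses in it are constructed samples.

```python
# Added example (not from the thread or from Cisco): check that the pieces of
# a WLC WebAuth third-party certificate setup agree with each other. Inputs are
# plain values pulled from the cert and from a DNS lookup, so it runs offline;
# the names and addresses used below are constructed samples.
from ipaddress import ip_address


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match. A '*' is honoured only as the whole
    left-most label, never spans a dot, and must leave at least two fixed
    labels (so '*.edu' matches nothing)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def check_webauth_cert_setup(virtual_fqdn, cert_names, resolved_ips, virtual_ip):
    """Return a list of findings; an empty list means the browser will reach
    the virtual IP under the FQDN it expects, with a cert naming that FQDN."""
    findings = []
    if not any(hostname_matches(n, virtual_fqdn) for n in cert_names):
        findings.append(f"cert has no name matching {virtual_fqdn}: {sorted(cert_names)}")
    try:
        resolved = {ip_address(ip) for ip in resolved_ips}
        expected = ip_address(virtual_ip)
    except ValueError as exc:
        return findings + [f"bad address: {exc}"]
    if not resolved:
        findings.append(f"{virtual_fqdn} does not resolve; add a DNS A record for it")
    elif resolved != {expected}:
        seen = sorted(str(ip) for ip in resolved)
        findings.append(f"{virtual_fqdn} resolves to {seen}, expected {virtual_ip}")
    return findings


if __name__ == "__main__":
    # Constructed sample: DNS points the portal FQDN at the WLC virtual IP.
    print(check_webauth_cert_setup("guest.example.edu", {"guest.example.edu"},
                                   ["192.0.2.1"], "192.0.2.1") or "OK")
    print(check_webauth_cert_setup("guest.example.edu", {"*.edu"},
                                   ["198.51.100.7"], "192.0.2.1"))
```

Whether the issuing CA is trusted by the clients is not something this check can see; that part still rests on the CA you bought the cert from.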
New Member

Is there a way I can achieve SSID prompt authentication without ISE or radius?
Hall of Fame Super Silver

I don't know what you mean.... The end user has to choose the SSID and then it's up to the device if it automatically opens a browser so the user sees the portal page. This is how it would be if you went to a coffee shop with free wifi that had a login or a portal page to accept the agreement before providing access.

Scott

-Scott
*** Please rate helpful posts ***
New Member

What I mean is... if you enable HotSpot on your mobile, set up security and connect to it using your laptop, you will be prompted to put in the security pass. Is this possible without Radius or ISE? A coffee shop is another good example, where the browser will automatically be launched, whereas in the current configuration it's not. This confuses lots of our students and staff and takes a huge amount of IT staff time to attend that call and do the authentication process. How can the browser be launched automatically? Thanks,
Hall of Fame Super Silver

You don't control that. That is part of the device OS.

Scott

-Scott
*** Please rate helpful posts ***
New Member

So WLC is useless when it comes to authentication feature without additional devices... All of this complexity just to promote and sell other products such as NAP or ISE :)...
Hall of Fame Super Silver

You need to understand what the devices need to do and what WLCs or radius servers can perform. In a normal environment, you would only have one guest or portal page. How would this be confusing to users??? It's like going to a coffee shop. If they can't figure that out, then, like they say.... user error. Guest is best effort to many organizations and they will not support that for users. If you have devices that need to access the internal network, then you need a radius server to look up either the machine (domain machine) or the AD username and password. That is how things are typically deployed.

Scott

-Scott
*** Please rate helpful posts ***
New Member

Hi Scott, what I want to achieve is a Layer 2 authentication. I have posted this request before and tried it with MS Radius server, but the problem is this would work only if machines are joined to the domain, whereas in my case I can't join them: https://supportforums.cisco.com/comment/9595246#comment-9595246 Thanks,
Hall of Fame Super Silver

With machines that are not part of the domain, typically if you still want to secure them using 802.1x, you would leverage a radius server and users would be told of the SSID to connect to and enter their AD credentials. Of course, if you use AD credentials, users will now join all their other devices to that SSID. This is where ISE comes in and you can profile devices. Even though the WLC with v7.6 can profile, it's not a full-fledged profiler. Depending on how well you know radius, you can leverage a portal page also and, depending on the AD group a user is a member of, you can put them in a specific VLAN or leverage interface groups. You can do many things, but you need to really know radius and client types to figure out what can work well in your environment. Radius alone, to someone who hasn't played with it, can take days to set up without help.

Every client I setup radius for is different and it comes down to how their users are setup in AD, what devices they have and the requirements. 

Scott

-Scott
*** Please rate helpful posts ***