I've recently installed SSL certificates for our web auth guest interface on our WLCs. I discovered that they required a Level 2 certificate to work properly. We are getting an untrusted certificate on our 802.1x SSIDs that authenticate against a 5500 ASA. A certificate was installed and has an error, showing the certificate as untrusted. My question is, does the 5500 ASA require a Level 2 certificate as well?
No, it shouldn't. Your SSL session, if you're using webauth on the WLC, is between the client and the controller. If you've installed a cert on the controller, make sure:
The certificate you installed is chained all the way to the root CA; that is, make sure you've merged the WLC's issued cert, the Root CA's cert and any intermediate certs into one large cert using OpenSSL. Cisco has stated that you can only have one intermediate CA in the chain, but I've heard reports of it working with two intermediates. Either way, you're best to try it with a maximum of 1 to avoid issues.
Make sure that the Root CA that signed your WLC's public cert is trusted on the clients. This means that you have to request a cert from a public authority. I've had the most luck with DigiCert, and that's generally who TAC recommends.
The certificate installed on the WLCs works for our guest web authentication through the built-in portal. It's the 802.1x authentication through the ASA that gives the warning about an untrusted certificate. The certificate we installed on the WLCs only had the 1 intermediate CA; that is how the Level 2 comes. Our certificate vendor initially supplied a Level 3 certificate that contained an additional cross-intermediate. There was very specific information from Cisco that the certificate for the WLC had to be a Level 2, but I have not been able to find it for the ASA.
Sorry, I misread your original post, and now I think I understand what you mean.
Certificate trust is based on what CA certs the client has installed in its CTL. There are a lot that are there when the client is installed, and periodically they are updated during software updates. The CTL may also contain root CA certs that you install as an administrator.
Who is signing your ASA's cert? Is that authority trusted on the client?
Have you inspected the certificate to ensure that the signing authority presented on the cert matches a trusted root that is installed on your clients? Does a failing client offer you any details about why it doesn't trust the cert?
You also may want to post this in the security forum as it may be related to the ASA certificate.
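The two checks the replies above describe (building a single PEM chain from the device cert, the intermediate and the root, and then confirming that the cert's issuer actually chains to a root the client trusts) can be exercised offline with OpenSSL. The script below is an added example, not code from either poster or from Cisco: it generates a throwaway root, intermediate and leaf (all constructed, with a made-up hostname wlc.example.test), concatenates them in the order a controller upload expects, counts the chain "level", and runs `openssl verify` both with and without the intermediate so you can see the difference between a complete chain and the "untrusted" result a client reports when the intermediate is missing.

```shell
#!/bin/sh
# Added example (not the posters' code): build and verify a WLC-style PEM chain.
# All certificates here are constructed on the fly for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Create a demo PKI: root CA -> intermediate CA -> leaf (the controller's cert).
make_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:wlc.example.test\n' > "$WORK/leaf.ext"

  # Root CA, self-signed (extensions come from ca.ext so the result is version-independent)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

  # Leaf (what the WLC presents to webauth clients), signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=wlc.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Concatenate in the order a controller upload expects: device cert, intermediate(s), root.
build_chain() {
  cat "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# Number of certificates in a PEM bundle; this is the "level" the thread talks about.
chain_depth() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Issuer / subject DN of a cert, with the "issuer=" / "subject=" prefix stripped,
# so the leaf's issuer can be compared against the intermediate's subject.
cert_issuer()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^[a-zA-Z]*=//'; }
cert_subject() { openssl x509 -noout -subject -in "$1" | sed 's/^[a-zA-Z]*=//'; }

# Verify a leaf against a trust anchor. $1 = trusted root, $2 = leaf,
# $3 = optional bundle of untrusted intermediates. Exit status 0 = full path built.
verify_leaf() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

make_demo_pki
build_chain
echo "chain depth (level): $(chain_depth "$WORK/chain.pem")"
echo "leaf issuer:          $(cert_issuer "$WORK/leaf.pem")"
echo "intermediate subject: $(cert_subject "$WORK/int.pem")"
verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem" \
  && echo "with intermediate:    trusted"
verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" \
  || echo "without intermediate: untrusted (what a client sees when the chain is incomplete)"
```

The last two lines are the point of the exercise: the same leaf is trusted when the intermediate is supplied and rejected when it is not, even though the root is in the trust store. Against a live controller or ASA, replace the generated files with the chain the device actually serves and with the CA bundle the failing client uses; if the leaf's issuer DN does not match the subject of a cert in that bundle, the client's "untrusted" warning is correct.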