Cisco Support Community
New Member

Cisco WLC 5508 Web Auth DNS Issue

We have recently implemented a 3rd party certificate for the guest access. We currently have a WLC 5508 that has a VLAN directly connected to our DMZ firewall and NATed out. The problem is that when I installed a 3rd party certificate as per the following link http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html#comment16107741

the DNS host name that I entered into the DNS Host Name section is not resolved. If I remove the DNS name and leave the virtual IP address 1.1.1.1 then it works fine, but just comes back with an untrusted message.

Any suggestions?

Hall of Fame Super Silver

Re: Cisco WLC 5508 Web Auth DNS Issue

The DNS server that the clients receive from DHCP needs to be able to resolve the FQDN. Since it is 1.1.1.1, most likely you will need to resolve that on your internal DNS and open the FW from the guest subnet to the internal DNS server. DHCP will also need that DNS server added to the DHCP scope.

Thanks,

Scott Fella

Thanks, Scott *****Help out other by using the rating system and marking answered questions as "Answered"*****
New Member

Re: Cisco WLC 5508 Web Auth DNS Issue

Hi Scott,

The DHCP scope has the Google DNS addresses 8.8.8.8 & 8.8.4.4 because the guest access is directly connected to the DMZ and therefore does not touch our internal network. I would prefer not to use our internal DNS servers to resolve this address. Can this be done by the external DNS instead?

Re: Cisco WLC 5508 Web Auth DNS Issue

Yes and no. You can use an external DNS server and have the resolution of the virtual IP work, so long as the DNS provider is willing to enter an A record for your virtual IP / virtual interface name.

Otherwise, you would need to use a server that is under your administrative control and add that A record.


HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
Silver

Re: Cisco WLC 5508 Web Auth DNS Issue

Just use your standard domain DNS registrar if you have one, create an entry for your hostname and have it resolve to 1.1.1.1.

For example, I use GoDaddy at home. I could create guest.fqdn.com and have it resolve to 1.1.1.1; seeing as it is a public DNS entry it will resolve using Google.

Hall of Fame Super Silver

Re: Cisco WLC 5508 Web Auth DNS Issue

Can this be done by the external DNS instead?

Well, the others have posted ways to get this to work, and it really depends if they allow you to add 1.1.1.1. If you have to call your ISP, then I would say that it's 50/50 that they will add an IP address that doesn't belong to you as a DNS entry. You can always then use one of your public addresses and use that for your VIP.

Thanks, Scott *****Help out other by using the rating system and marking answered questions as "Answered"*****

Re: Cisco WLC 5508 Web Auth DNS Issue

Well, the 1.x.x.x space was given out by IANA. So if you're not the owner and you put that request in, there could be repercussions for using someone else's IP space.

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
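The thread makes three separate requirements that all have to hold before the redirect page loads cleanly: Scott's point that the DNS server in the guest DHCP scope must resolve the virtual interface FQDN to the virtual IP (and that the firewall must let the guest subnet reach that DNS server), the point that the certificate name must match that FQDN (otherwise the browser shows the untrusted warning the original poster sees with a bare 1.1.1.1), and Steve's point that 1.1.1.1 is IANA-allocated space the organisation does not own. The script below, an added example that is not Cisco code and not from any poster here, checks each of those from the guest client's point of view. The hostname guest.example.com, the certificate names and the fake resolver answers are constructed placeholders; the resolver is injectable so the checks can be exercised offline, and the default uses whatever DNS the host running the script is configured with.

```python
"""Pre-flight checks for a WLC web-auth virtual interface with a
third-party certificate.  Added example; hostnames, addresses and
certificate names below are constructed, not from the thread."""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# A resolver maps a hostname to the IPv4 answers a guest client would get.
Resolver = Callable[[str], List[str]]


def system_resolver(hostname: str) -> List[str]:
    """Ask the DNS servers this host is configured with (run it from the
    guest VLAN to test what guests actually see)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_virtual_dns(hostname: str, virtual_ip: str,
                      resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """The FQDN on the virtual interface must resolve, on the DNS the guest
    DHCP scope hands out, to exactly the virtual IP."""
    answers = resolver(hostname)
    if not answers:
        return False, f"{hostname} does not resolve: add an A record on the DNS guests use"
    if answers != [virtual_ip]:
        return False, f"{hostname} resolves to {answers}, expected [{virtual_ip!r}]"
    return True, f"{hostname} -> {virtual_ip}"


def check_virtual_ip(virtual_ip: str) -> Tuple[bool, str]:
    """1.1.1.1 is space IANA allocated to someone else; a registrar or ISP
    may refuse the A record.  Prefer RFC 1918 space or your own public IP."""
    addr = ipaddress.ip_address(virtual_ip)
    if addr.version != 4:
        return False, "the virtual interface takes an IPv4 address"
    if addr.is_private:
        return True, f"{virtual_ip} is RFC 1918 space; nothing on the Internet is shadowed"
    return False, f"{virtual_ip} is public space; use it only if your organisation owns it"


def _name_matches(pattern: str, hostname: str) -> bool:
    # Exact match, or a single leading '*' label covering one hostname label.
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def check_cert_name(hostname: str, subject_cn: str, san_dns: List[str]) -> Tuple[bool, str]:
    """Browsers compare the URL host (the virtual interface FQDN) with the
    SAN dNSName entries, falling back to the CN only when there are none."""
    names = san_dns if san_dns else [subject_cn]
    if any(_name_matches(n, hostname) for n in names):
        return True, f"certificate covers {hostname}"
    return False, f"certificate names {names} do not cover {hostname}; reissue the CSR with CN/SAN = {hostname}"


def run_all(hostname: str, virtual_ip: str, subject_cn: str, san_dns: List[str],
            resolver: Resolver = system_resolver) -> Dict[str, Tuple[bool, str]]:
    return {
        "dns": check_virtual_dns(hostname, virtual_ip, resolver),
        "vip": check_virtual_ip(virtual_ip),
        "cert": check_cert_name(hostname, subject_cn, san_dns),
    }


if __name__ == "__main__":
    # Constructed stand-in for what public DNS would answer once the
    # registrar holds the A record (the GoDaddy approach in the thread).
    fake_public_dns = {"guest.example.com": ["1.1.1.1"]}
    results = run_all("guest.example.com", "1.1.1.1",
                      "guest.example.com", ["guest.example.com"],
                      resolver=lambda h: fake_public_dns.get(h, []))
    for check, (ok, msg) in results.items():
        print(f"[{'OK' if ok else 'FAIL'}] {check}: {msg}")
```

Run it with the default resolver from a client on the guest VLAN: a "dns" failure there with the record present at the registrar usually means the firewall is blocking UDP/TCP 53 from the guest subnet to the DNS servers in the scope. Note that the WLC itself never needs to resolve the name; only the guest's browser does.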
Silver

Re: Cisco WLC 5508 Web Auth DNS Issue

Good point Steve, that's why I've started to use a standard private address instead of 1.1.1.1

I've never had an issue trying to register any IP with the DNS servers.

Hall of Fame Super Silver

Re: Cisco WLC 5508 Web Auth DNS Issue

For me it was like most ISPs will not add an A record with a private address, or even an address that wasn't owned by my client. I only had a few ISPs allow it, but using your public address seemed easier in most cases.

Thanks, Scott *****Help out other by using the rating system and marking answered questions as "Answered"*****

Re: Cisco WLC 5508 Web Auth DNS Issue

Richard,

Nice link, my80211.com. What do you think of the site ?

As for the 1.1.1.1: if you use 1.1.1.1 as your virtual, the only problem I see you having is that if you actually wanted to go to a site which used 1.1.1.1, you would hit the WLC virtual interface. So, with that being said, who really cares.

I've been putting A records on the ISP for years and haven't had any issues. In fact, I just did another one last month, although I'm not surprised to hear the challenges. Also, it's like a reverse lookup: if you try to resolve 1.1.1.1 it will go to the legit owner, but if you try to resolve, say, guest.tmhs.org it will go to 1.1.1.1.

You have to resolve the 1.1.1.1, either inside or otherwise.

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________