We have recently implemented a 3rd party certificate for the guest access. We currently have a WLC 5508 with a VLAN directly connected to our DMZ firewall and NATed out. The problem is that when I install a 3rd party certificate as per the following link http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html#comment16107741
the DNS host name that I entered into the DNS Host Name section is not resolved. If I remove the DNS name and leave the virtual IP address 220.127.116.11, then it works fine but just comes back with an untrusted message.
The DNS that the clients receive from DHCP needs to be able to resolve the FQDN. Since it is 18.104.22.168, most likely you will need to resolve that on your internal DNS and open the FW from the guest subnet to the internal DNS server. DHCP will also need that DNS server added to the DHCP scope.
The DHCP scope has the Google DNS addresses 22.214.171.124 & 126.96.36.199 because the guest access is directly connected to the DMZ and therefore does not touch our internal network. I would prefer not to use our internal DNS servers to resolve this address. Can this be done by the external DNS instead?
Yes and no. You can use an external DNS server and have the resolution of the virtual IP work, so long as the DNS provider is willing to enter an A record for your virtual IP / virtual interface name.
Otherwise, you would need to use a server that is under your administrative control and add that A record.
Just use your standard domain DNS registrar, if you have one, and create an entry for your hostname and have it resolve to 188.8.131.52.
For example, I use GoDaddy at home. I could create guest.fqdn.com and have it resolve to 184.108.40.206; seeing as it is a public DNS entry, it will resolve using Google.
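The thread's point is that a guest client must be able to resolve the certificate's FQDN, through the DNS server it gets from DHCP, to the WLC virtual interface IP, and the certificate must actually carry that FQDN. The following is an added example (not from the original thread or from Cisco) that checks both conditions. The hostname `guest.example.com`, the placeholder virtual IP `192.0.2.1` and the `GUEST_DNS_VIEW` table are constructed so the check runs offline; swapping in `system_resolver` runs it against the real resolver of the machine you run it on (put that machine on the guest VLAN to see what a guest sees).

```python
import ipaddress
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]

# Constructed stand-in for what the DHCP-assigned DNS server answers
# on the guest VLAN. Replace with system_resolver for a live check.
GUEST_DNS_VIEW: Dict[str, List[str]] = {
    "guest.example.com": ["192.0.2.1"],   # placeholder virtual IP
}


def fake_resolver(fqdn: str) -> List[str]:
    """Return the constructed guest-side answer for fqdn, or [] if no record."""
    return list(GUEST_DNS_VIEW.get(fqdn.lower().rstrip("."), []))


def system_resolver(fqdn: str) -> List[str]:
    """Ask the host's configured DNS for IPv4 A records (live check)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def hostname_matches(cert_names: List[str], fqdn: str) -> bool:
    """True if any CN/SAN entry covers fqdn: exact match, or a single
    leftmost-label wildcard such as *.example.com (RFC 6125 style)."""
    fqdn = fqdn.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == fqdn:
            return True
        if name.startswith("*.") and "." in fqdn:
            # wildcard covers exactly one label, so compare the remainder
            if fqdn.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_guest_portal(fqdn: str, virtual_ip: str, cert_names: List[str],
                       resolver: Resolver = fake_resolver) -> Dict[str, object]:
    """Verify that a guest client would reach the WLC portal without a
    name or certificate mismatch. Returns ok flag plus the reasons if not."""
    problems: List[str] = []
    addrs = resolver(fqdn)
    want = str(ipaddress.ip_address(virtual_ip))
    if not addrs:
        problems.append(f"{fqdn} does not resolve from the guest DNS")
    elif want not in addrs:
        problems.append(f"{fqdn} resolves to {addrs}, not the virtual IP {want}")
    if not hostname_matches(cert_names, fqdn):
        problems.append(f"certificate names {cert_names} do not cover {fqdn}")
    return {"ok": not problems, "addresses": addrs, "problems": problems}


if __name__ == "__main__":
    result = check_guest_portal("guest.example.com", "192.0.2.1",
                                ["guest.example.com"])
    print("OK" if result["ok"] else "FAIL", result["problems"])
```

The two failure modes the thread describes both show up as `problems` entries: a public resolver with no A record (the original poster's symptom, "DNS host name is not resolved") and a certificate issued for a name other than the one the WLC redirects to (the "untrusted" page).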
Can this be done by the external DNS instead?
Well, the others have posted ways to get this to work, and it really depends if they allow you to add 220.127.116.11. If you have to call your ISP, then I would say it's 50/50 that they will add an IP address that doesn't belong to you as a DNS entry. You can always then use one of your public addresses and use that for your VIP.
Well, the 1.x.x.x was given out by IANA. So if you're not the owner and you put that request in, there could be repercussions for using someone else's IP space.
Good point Steve, that's why I've started to use a standard private address instead of 18.104.22.168
I've never had an issue trying to register any IP with the DNS servers.
For me it was like most ISPs will not add an A record with a private address or even an address that wasn't owned by my client. I only had a few ISPs allow it, but using your public address seemed easier in most cases.
Nice link, my80211.com. What do you think of the site?
As for the 22.214.171.124: if you use 126.96.36.199 as your virtual, the only problem I see you having is if you actually wanted to go to the site that used 188.8.131.52, you would hit the WLC virtual interface. So, with that being said, who really cares.
I've been putting A records on the ISP for years and haven't had any issues. In fact, I just did another one last month. Although I'm not surprised to hear the challenges. Also, it's like a reverse lookup. If you try to resolve 184.108.40.206, it will go to the legit owner, but if you try to resolve, say, guest.tmhs.org, it will go to 220.127.116.11.
You have to resolve the 18.104.22.168. Either inside or otherwise.