CT5760 - virtual-host in parameter-map not used in webauth redirect
I'll try posting my issue here before I post a TAC on this:
Cisco CT5760 wireless controller running IOS-XE version 3.6.0.
This issue is related to web authentication on an SSID with external web portal. It seems that the statement "virtual-host" in "parameter-map type webauth global" is not used as intended. I'll try to explain:
When a user connects to an SSID with external web authentication enabled and the user opens a web browser, the user will get redirected to the external web portal for authentication. In this redirect URL we see the parameter "switch_url=http://126.96.36.199/login.html". The IP address 188.8.131.52 is, in this example, our virtual IP. But we have also configured "virtual-host" to be webauth.example.com. And in my opinion the "switch_url" parameter should be "switch_url=http://webauth.example.com/login.html". This is how it works on our old Cisco WiSM1 implementation.
The reason why this is a problem is that the client's web browser will not accept the certificate installed on "http://184.108.40.206" because it is not issued with that IP address, only the hostname webauth.example.com. I know that it is possible to get certificates issued with an IP address (as long as it's not an RFC1918 IP address), but rumors say that many Certificate Authorities will stop issuing these soon, even with "real IPs". Therefore it is important that the redirect URL gets corrected.
Then after a successful login on the external portal, the user gets redirected back to https://220.127.116.11/login.html. Here is the core of my problem. I think that the parameter "switch_url" should be with the name webauth.example.com since I configured it as the "virtual-host". This is the behavior we see with our old Cisco WiSM1.
When the redirect goes to https://18.104.22.168/login.html the client complains about the certificate, because it is not issued to that IP address but to the hostname.
I can verify that the client does not complain about this if I manually edit the redirect URL on the client to the following:
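As an added illustration of the mismatch described in this post (this is example code written for this thread, not anything from Cisco or from the original poster), the script below pulls the `switch_url` host out of a web-auth redirect URL and checks it against a certificate's subjectAltName the way a browser would. The redirect URLs, the `192.0.2.1` virtual IP and the certificate dictionary are constructed sample values; the certificate shape mirrors what Python's `ssl.getpeercert()` returns, so the same function can be pointed at a live portal certificate.

```python
"""Check whether a web-auth redirect's switch_url names the virtual host
(which a DNS-only certificate covers) or a bare IP literal (which it does not)."""
from urllib.parse import urlparse, parse_qs
import ipaddress

# Constructed sample data, modelled on the thread: the external portal receives the
# controller's login page as a switch_url query parameter. 192.0.2.1 stands in for
# the virtual IP; webauth.example.com is the configured virtual-host.
VIRTUAL_HOST = "webauth.example.com"
REDIRECT_BY_IP = "https://portal.example.com/auth?switch_url=http://192.0.2.1/login.html&wlan=guest"
REDIRECT_BY_NAME = "https://portal.example.com/auth?switch_url=http://webauth.example.com/login.html&wlan=guest"

# Constructed certificate, same layout as ssl.getpeercert(): issued to the hostname only.
PORTAL_CERT = {"subjectAltName": (("DNS", "webauth.example.com"),)}


def switch_url_host(redirect_url):
    """Return the host (name or IP literal) inside the switch_url parameter, or None."""
    query = parse_qs(urlparse(redirect_url).query)
    values = query.get("switch_url")
    if not values:
        return None
    return urlparse(values[0]).hostname


def is_ip_literal(host):
    """True if host parses as an IPv4 or IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_switch_url(redirect_url, virtual_host):
    """Classify the switch_url host: 'ok' (matches virtual-host), 'ip-literal',
    'other-host' (a name, but not the configured one) or 'missing'."""
    host = switch_url_host(redirect_url)
    if host is None:
        return "missing"
    if is_ip_literal(host):
        return "ip-literal"
    if host.lower() == virtual_host.lower():
        return "ok"
    return "other-host"


def cert_covers_host(cert, host):
    """True if the certificate's subjectAltName covers host: an exact DNS match,
    a single-label wildcard (*.example.com), or an 'IP Address' entry for a literal."""
    sans = cert.get("subjectAltName", ())
    if is_ip_literal(host):
        target = ipaddress.ip_address(host)
        return any(kind == "IP Address" and ipaddress.ip_address(val) == target
                   for kind, val in sans)
    host = host.lower()
    for kind, val in sans:
        if kind != "DNS":
            continue
        val = val.lower()
        if val == host:
            return True
        if (val.startswith("*.") and host.count(".") == val.count(".")
                and host.endswith(val[1:])):
            return True
    return False


def redirect_will_trust(redirect_url, cert):
    """Would a browser following switch_url find a certificate that covers that host?"""
    host = switch_url_host(redirect_url)
    return host is not None and cert_covers_host(cert, host)


if __name__ == "__main__":
    for url in (REDIRECT_BY_IP, REDIRECT_BY_NAME):
        print(switch_url_host(url), check_switch_url(url, VIRTUAL_HOST),
              "trusted" if redirect_will_trust(url, PORTAL_CERT) else "cert mismatch")
```

Run against a captured redirect, an `ip-literal` result with `cert mismatch` is exactly the symptom in this thread: the certificate is valid for the name, but the controller is sending the client to the address.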
Did you manage to solve this issue? I'm having the exact same problem, Cisco WLC 5760 with IOS XE 3.7.0.
The parameter "switch_url" contains the controller virtual ip address, even when the virtual hostname is configured. Funny thing: even if I configure the hostname it doesn't appear in the web interface, but it does in the CLI configuration.
We have a 5508, OS version 22.214.171.124, and it does send the hostname instead of the virtual ip address to the external server.
Is there anything else that we need to configure? Thanks!