Cisco Support Community
Community Member

cert

Hi, I have installed third party certificate for web auth for guest users,

Can I use the same cert for management, where I log in at https://controller.ip.address.x, so I don't get the SSL warning?

Thank you.

1 ACCEPTED SOLUTION
Hall of Fame Super Silver

Re: cert

For H-REAP, yes. You need to upgrade to 5508s or WiSM2s with the environment you have. Of course your APs are kind of old :)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
13 REPLIES
Hall of Fame Super Silver

Re: cert

Since most 3rd party certificates are chained certs, you would not be able to use them for management.

Note: Chained certificates are supported for web authentication only; they are not supported for the management certificate.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Community Member

Re: cert

Thnx dude

Sent from Cisco Technical Support iPhone App

Hall of Fame Super Silver

Re: cert

No problem. It would be nice if the wlc could use them.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Community Member

Re: cert

Ok here is what happened.

I created a Certificate Signing Request for guest.mydomain.com with godaddy[.]com; they sent the chained certs and their root (Device, Intermediate, Root). I combined those and created a final cert with my key and all that.

The guest page has 1.1.1.1 as an IP address, so I added a DNS record guest.mydomain.com => 1.1.1.1. Now when users go to the guest page they don't see the cert warning; works good.

I wanted to play with it, so I changed the DNS record guest.mydomain.com => 10.10.10.x (or whatever my management IP for the WLC is), went on the WLC, clicked MANAGEMENT ---> HTTP/HTTPS (on the left), where I have HTTPS enabled and HTTP disabled, and downloaded the cert via TFTP server. Worked.

Next thing, I go to https://guest.mydomain.com and the management interface comes up without an SSL warning or whatsoever, so it kinda works, but you need two certificates with FQDNs: one would be the guest interface and another would be the management interface; since they have different IP addresses they require different FQDNs.

Tadaaaaa

P.S. If I used Cisco ISE as a wireless guest portal it would be possible to use the cert for webauth/management at the same time, since it's the same IP/domain, and it would also work with posturing/installing NAC agents, so 300 USD from GoDaddy for 5 years is not bad.

Hall of Fame Super Silver

cert

One other thing you can do is use a wildcard cert. This way you can have two FQDNs and use one for webauth and the other for management. That works, because I have done that. I'm guessing you might also be able to use the SSL certificate you use for guest; just create another host record in DNS pointing to the management IP of the WLC.

-Scott
*** Please rate helpful posts ***
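To make the FQDN and wildcard advice above concrete, here is an added example (not code from this thread, from Scott, or from Cisco) that applies the hostname-matching rules a browser uses against a certificate's Subject Alternative Names. It shows why a single-name guest cert only stops the warning on the exact name it was issued for, why a wildcard such as *.mydomain.com covers both a guest FQDN and a management FQDN but not the bare domain or a two-level subdomain, and why an IP literal in the URL can never match a dNSName entry. All hostnames, IP addresses and SAN contents in it are constructed placeholders.

```python
"""Browser-style certificate name matching for planning WLC guest and management URLs.

Added example with constructed data: hostnames, IPs and SAN lists below are
placeholders, not values taken from the thread.
"""
import ipaddress
from urllib.parse import urlsplit


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a dNSName SAN entry (pattern) covers hostname.

    Rules as browsers apply them: case-insensitive, label-by-label, and a
    wildcard only as the whole leftmost label covering exactly one label.
    So *.mydomain.com covers wlc.mydomain.com but not mydomain.com,
    not a.b.mydomain.com, and a wildcard like *.com is refused outright.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or any(not lbl for lbl in p + h):
        return False
    if p[0] == "*":
        # require at least two fixed labels after the wildcard
        return len(p) >= 3 and p[1:] == h[1:]
    if any("*" in lbl for lbl in p):
        return False  # partial wildcards (gu*.mydomain.com) are not honoured
    return p == h


def cert_covers_url(san_dns, san_ip, url: str) -> bool:
    """True if a certificate with these SAN entries is valid for the host in url.

    An IP literal in the URL is matched only against iPAddress SAN entries,
    never against dNSName entries. That is why browsing to the management
    IP directly still warns even when the same cert is fine for the FQDN.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # not an IP literal: DNS names apply
        return any(dns_name_matches(p, host) for p in san_dns)
    return any(ipaddress.ip_address(i) == ip for i in san_ip)


def plan_report(cert_sans, urls):
    """Map each URL to whether the cert (dict with 'dns' and 'ip' lists) covers it."""
    return {u: cert_covers_url(cert_sans["dns"], cert_sans["ip"], u) for u in urls}


# Constructed scenario mirroring the thread: a single-name guest cert versus a wildcard cert.
GUEST_CERT = {"dns": ["guest.mydomain.com"], "ip": []}
WILDCARD_CERT = {"dns": ["*.mydomain.com"], "ip": []}
URLS = [
    "https://guest.mydomain.com/login.html",  # guest portal FQDN (DNS -> 1.1.1.1)
    "https://wlc.mydomain.com/",              # constructed management FQDN
    "https://10.10.10.5/",                    # constructed management IP literal
    "https://mydomain.com/",                  # bare domain: not covered by *.mydomain.com
    "https://a.b.mydomain.com/",              # two labels deep: not covered either
]

if __name__ == "__main__":
    for name, cert in (("guest cert", GUEST_CERT), ("wildcard cert", WILDCARD_CERT)):
        print(name)
        for url, ok in plan_report(cert, URLS).items():
            print(f"  {'OK     ' if ok else 'WARNING'}  {url}")
```

Run it as-is to see, for each cert, which of the constructed URLs would load without a warning; swap in your own SAN list and the FQDNs you plan to publish in DNS to check a purchase before paying for it.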
Community Member

cert

Thanks dude. By the way, do you happen to know when the WLC started supporting ISE in H-REAP/FLEX mode?

I can't upgrade to the latest version of WLC because I have like 700 1231AG APs, unfortunately, and that's killing me.

thank you.

Hall of Fame Super Silver

Re: cert

I believe in 7.2.110.0 which is MR1.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Community Member

Re: cert

Does this mean I cannot profile clients that are doing local switching if I don't have anything 7.2 and up?

Hall of Fame Super Silver

Re: cert

For H-REAP, yes. You need to upgrade to 5508s or WiSM2s with the environment you have. Of course your APs are kind of old :)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Community Member

Re: cert

I know they are old lol, and there is a really bad thing going on that stops me from upgrading the WLC: I will have 3500 new APs in the office, to provide employees corp access and provide a guest network, which would go through their DSL.

With that in mind here is what I have:

WLC 5508, Software Version 7.0.220.0

ISE 1.1.1

Warehouse APs: 1231AG converted to LIGHTWEIGHT (no H-REAP; don't care much about profiling and posturing here, but they are centrally switched so no problems for them)

1 AP 3500s in the office to provide GUEST (through their DSL line) and CORPORATE (locally switched), profiling and posturing included, at least profiling for now.

I am sorry I'm all messed up from reading different documentation, because they were developed in different time frames supporting different features.

doable?

Hall of Fame Super Silver

Re: cert

It is doable... You might want to upgrade to 7.0.235.0, which I believe is the latest. You can profile your internal since it's local mode.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Community Member

Re: cert

Yeah, that's the latest. I'm gonna upgrade to 7.0.235.0, thanks, even though the ones that connect to the 3500 APs in the office are not coming with CAPWAP all the way to the core; they are locally switched at the remote site.

Hall of Fame Super Silver

Re: cert

Well, for your setup, centrally switched is supported IIRC, but locally switched is not unless you're running MR1 and ISE 1.1.1.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***