WLC webauth certificate problem

snabulast
Level 1

Hi all,

I have two WLCs (4404+5508) with version 7.0.98.
I'm using Customize webauth to authenticate the users.
I'm trying to add a webauth certificate, as I followed this article:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml#gen

Apparently I forgot to change the "DNS Host Name" on the virtual interface of the WLC, but when I change it to the CN, my auth page no longer appears and clients can't log in to the wireless network.

Any ideas?

Thanks

Ronen


Nicolas Darchis
Cisco Employee

Hi Ronen,

Here is the trick:

- The Virtual interface DNS hostname must be equal to the CN of your certificate (you have this covered apparently)

- But also there must be an entry in the client DNS that links this DNS hostname to the virtual IP address (1.1.1.1 usually)

The thing is that this is what the client verifies: "I'm being presented a certificate, does the name match the URL I'm currently on?"

So it means that the WLC won't redirect the client to "http://1.1.1.1" anymore but to the hostname you configured on the virtual interface. Hence this hostname needs to be DNS resolvable.

I hope I was clear :-)

Nicolas

===

Don't forget to rate answers that you find useful

I have a DNS entry in my campus primary NS that resolves the management IP (for the CN) and not the virtual interface.

Should I change it to 1.1.1.1?

BTW, the client doesn't receive any certificate error when I put in the DNS hostname - he gets a page error because of a timeout.

Thanks

Hi,

Don't confuse things.

Thing number 1:

If you access your WLC by typing "http://MyWLC/", this is a DNS hostname that should resolve to the management IP address. If you installed a certificate for the management, then it should match its CN.

Thing number 2:

What I explained above.

The Virtual IP hostname should resolve to the virtual IP and should be different from a name you might use for WLC management (since they resolve to different IP addresses).

The whole point is to have the client asking for the virtual interface hostname when you are doing webauth and that it resolves to 1.1.1.1 because that's where the login page is.

It makes sense that you get a timeout because, as mentioned, you have a virtual interface hostname that does not resolve to 1.1.1.1. So how is the client supposed to end up on that login page?

Nicolas

Hi Nicolas

First I want to thank you for the answer.

I've done it and this problem is solved, but now I still get a certificate error. I'm using an intermediate certificate authority.

What do I need to do?

Thanks in advance

Ronen

http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fpartner%2Fproducts%2Fps6366%2Fproducts_configuration_example09186a0080a77592.shtml&pos=1&strqueryid=2&websessionid=b3-kYpvWxMDxIosTcAxnBqS

The concept is still the same, but instead of uploading just your device WLC certificate to the WLC, you have to upload a file that contains both the WLC cert and the intermediate CA cert concatenated. (So basically just check the part of the document which is about downloading the right file to the WLC.)

Hope this helps,

Nicolas

===

Don't forget to rate answers that you find useful.
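
A pre-upload check for the three conditions discussed in this thread: the certificate CN equals the virtual interface DNS host name, that name resolves to the virtual IP, and the file carries the device certificate plus the intermediate CA certificate. This is an added example, not part of the original posts or Cisco's tooling; the function names are hypothetical, and it assumes the device certificate is the first block in the file and that `openssl`, `awk` and `getent` are available.

```sh
#!/bin/sh
# Added example: pre-upload check of a WLC webauth certificate file (not Cisco's tooling).
# Assumptions: device certificate is the first PEM block; openssl, awk, getent available.

# Resolve a name with this machine's resolver; run it from the wireless clients' DNS view.
resolve_host() { getent hosts "$1" | awk '{print $1; exit}'; }

# Print the subject or issuer ($2) of certificate file $1 as an RFC 2253 string.
cert_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Print the CN from the subject of certificate file $1.
cert_cn() { cert_field "$1" subject | tr ',' '\n' | sed -n 's/^ *CN=//p' | head -n 1; }

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
problem() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

# check_webauth HOSTNAME VIRTUAL_IP BUNDLE: prints findings, returns the number of problems.
check_webauth() {
    host=$1 vip=$2 bundle=$3 problems=0
    [ -r "$bundle" ] || { echo "cannot read $bundle"; return 99; }
    tmp=$(mktemp -d) || return 99
    # Split the concatenated file into cert1.pem, cert2.pem, ... (key blocks are skipped).
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++; p=1}
        p {print > (d "/cert" n ".pem")}
        /-----END CERTIFICATE-----/ {p=0}' "$bundle"
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    [ "$count" -ge 2 ] ||
        problem "file holds $count certificate(s); device cert plus intermediate CA cert expected"
    if [ "$count" -ge 1 ]; then
        cn=$(cert_cn "$tmp/cert1.pem")
        [ "$(lower "$cn")" = "$(lower "$host")" ] ||
            problem "certificate CN '$cn' differs from virtual interface DNS host name '$host'"
    fi
    if [ "$count" -ge 2 ]; then
        [ "$(cert_field "$tmp/cert1.pem" issuer)" = "$(cert_field "$tmp/cert2.pem" subject)" ] ||
            problem "second certificate is not the issuer of the device certificate"
    fi
    ip=$(resolve_host "$host")
    [ "$ip" = "$vip" ] || problem "'$host' resolves to '${ip:-nothing}', not the virtual IP $vip"
    rm -rf "$tmp"
    return "$problems"
}

# Stand-alone use: sh check_webauth.sh webauth.example.test 1.1.1.1 chain.pem
if [ "$#" -eq 3 ]; then check_webauth "$@"; fi
```

Current browsers match the host name against the certificate's subjectAltName extension rather than the CN, so the same name should appear there as well; this script checks only the CN discussed in the thread.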
