11-08-2010 10:32 PM - edited 07-03-2021 07:23 PM
Hi all,
I have two WLCs (4404+5508) with version 7.0.98.
I'm using Customize webauth to authenticate the users.
I'm trying to add a webauth certificate as I followed this article:
Apparently I forgot to change the "DNS Host Name" on the virtual interface of the WLC, but when I change it to the CN, my auth page no longer appears and the client can't log in to the wireless network.
Any ideas?
thanks
Ronen
11-08-2010 11:09 PM
Hi Ronen,
Here is the trick:
- The Virtual interface DNS hostname must be equal to the CN of your certificate (you have this covered apparently)
- But also there must be an entry in the client DNS that links this DNS hostname to the virtual IP address (1.1.1.1 usually)
The thing is that this is what the client verifies: "I'm being presented a certificate, does the name match the URL I'm currently on?"
So it means that the WLC won't redirect the client to "http://1.1.1.1" anymore but to the hostname you configured on the virtual interface. Hence this hostname needs to be DNS resolvable.
I hope I was clear :-)
Nicolas
===
Don't forget to rate answers that you find useful
11-09-2010 12:38 AM
I have a DNS entry in my campus primary NS that resolves the management IP (for the CN) and not the virtual interface.
Should I change it to 1.1.1.1?
BTW, the client doesn't receive any certificate error when I put the DNS hostname - he gets a page error because of a timeout.
Thanks
11-09-2010 01:06 AM
Hi,
don't confuse things.
Thing number 1 :
If you access your WLC by typing "http://MyWLC/", this is a DNS hostname that should resolve to management ip address. If you installed a certificate for the management, then it should match its CN
Thing number 2 :
What I explained above.
The Virtual IP hostname should resolve to the virtual IP and should be different from a name you might use for WLC management (since they resolve to different IP addresses).
The whole point is to have the client asking for the virtual interface hostname when you are doing webauth and that it resolves to 1.1.1.1 because that's where the login page is.
It makes sense that you get a timeout because, as mentioned, you have a virtual interface hostname that does not resolve to 1.1.1.1. So how is the client supposed to end up on that login page ?
Nicolas
11-10-2010 01:37 AM
Hi Nicolas,
First I want to thank you for the answer.
I've done it and this problem is solved, but now I still get a certificate error. I'm using an intermediate certificate authority.
What do I need to do?
Thanks in advance
Ronen
11-10-2010 01:55 AM
The concept is still the same, but instead of uploading just your device WLC certificate to the WLC, you have to upload a file that contains both the WLC cert and the intermediate CA cert concatenated. (So basically just check the part of the document which is about downloading the right file to the WLC.)
Hope this helps,
Nicolas
===
Don't forget to rate answers that you find useful.
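
The three conditions discussed in this thread (certificate CN equal to the virtual interface hostname, that hostname resolving to the virtual IP, and the device certificate followed by the intermediate CA certificate in one file) can be checked before uploading. The script below is an added example, not part of the thread or of Cisco's document; the function names and the file name `chained.pem` are hypothetical, and it assumes `openssl`, `awk` and `getent` are available on the admin workstation.

```shell
#!/bin/sh
# Added example: pre-upload checks for a chained webauth certificate file.
# Assumes openssl, awk and (for the DNS check) getent are installed.

# Print the CN of the first certificate in the file (the WLC device cert).
bundle_leaf_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed when certificate 1 names certificate 2 as its issuer.
# Name chaining only: signatures and validity dates are not checked here.
bundle_order_ok() {
    dir=$(mktemp -d) || return 2
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++}
                     n {print > (d "/cert" n ".pem")}' "$1"
    rc=1
    if [ -f "$dir/cert2.pem" ]; then
        leaf_issuer=$(openssl x509 -in "$dir/cert1.pem" -noout -issuer_hash)
        ca_subject=$(openssl x509 -in "$dir/cert2.pem" -noout -subject_hash)
        [ -n "$leaf_issuer" ] && [ "$leaf_issuer" = "$ca_subject" ] && rc=0
    fi
    rm -rf "$dir"
    return "$rc"
}

# Succeed when the hostname resolves to the virtual interface IP.
resolves_to() {
    getent hosts "$1" | awk -v ip="$2" '$1 == ip {ok=1} END {exit !ok}'
}

# Usage: check_webauth_bundle chained.pem <virtual-hostname> <virtual-ip>
check_webauth_bundle() {
    cn=$(bundle_leaf_cn "$1")
    [ "$cn" = "$2" ] || { echo "CN '$cn' does not match hostname '$2'"; return 1; }
    bundle_order_ok "$1" || { echo "device cert is not followed by its issuer"; return 1; }
    resolves_to "$2" "$3" || { echo "$2 does not resolve to $3"; return 1; }
    echo "OK: CN, chain order and DNS agree"
}
```

Run the DNS check from a machine that uses the same DNS servers as the wireless clients, since that is the resolution the clients will see.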