5508 loading cert for web auth

Similar Messages

• WLC Virtual Interface config for a public SSL cert for Web Authentication

  I'm trying to get a cert loaded on my 5508 WLC running 7.6.130.0 so when a Web-Auth users tries to authenticate they don't get the SSL cert error.
  In the document "Generate CSR for Third−Party Certificates and
  Download Chained Certificates to the WLC"
  Document ID: 109597 it states the following
  "Note: It is important that you provide the correct Common Name. Ensure that the host name that is
  used to create the certificate (Common Name) matches the Domain Name System (DNS) host name
  entry for the virtual interface IP on the WLC and that the name exists in the DNS as well. Also, after
  you make the change to the VIP interface, you must reboot the system in order for this change to take
  effect.
  Here are my questions.
  1. I have always had 1.1.1.1 as the address of the Virtual interface, should that change or can I leave it as 1.1.1.1?
  2. In the "DNS Host Name" Field do I simply put the domain or the FQDN?  Example. Company.com or hostname.company.com

  Hi,
  1) You can change that if you want. Normally it is non-Public and non-routable in your network.
  2) Put the Host name for which you are going to give in your company DNS server where that Host name would be mapped to the Virtual ip address.
  Regards
  Dhiresh
  ** Please rate helpful posts**

• How to generate CSR on switches for web auth with NGS

  Hello
  I am doing a dot1x solution with web auth on cisco 3750 switches.
  Once the wired client get put into web auth state (after dot1x and mab) and goes to a website, he gets a certificate warning. This is because the certificate of the cisco switch is selfsigned.
  I want to use a verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth, will not know the internal CA.
  Is there any way to solve this?
  Greetings
  Steven

  Hi Steven,
  The below document is actually for IOS SSLVPN, but the certificate portion should be the same:
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html
  Search for "Appendix B" and it goes into creating a trustpoint and then one section is for self-signed and another is for generating a certificate request to send to an external CA.
  Once a trustpoint is created the command to actually generate the CSR is "crypto pki enroll ".
  This document goes into a little more detail on all the indivual commands and what they do:
  http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html
  Also you could use something external to the switch like OpenSSL to generate the CSR/private key and then use that to request a cert from your Verisign CA and then import the cert/keypair into the IOS device.
  Thanks,
  Nate

• Client Excluded ReasonCode on WLC for Web Auth

  Hi.
  I wonder if you can point me at a table that defines the Reason Code(s) for Client Exclusion Failure? See the example event log entry below from a Guest Controller for Web Authentication failure (that was resolved - Internet router down) but I was wondering if the Reason Codes would be useful in troubleshooting. Many thanks in advance.
  Tue Aug 28 10:45:31 2007 Client Excluded: MACAddress:00:16:6f:b3:20:0a Base Radio MAC :00:00:00:00:00:00 Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4

  I haven't tried it recently. But I'm afraid of this one :
  CSCsy88149 Chained certificate can not have Wildcard * character in hostname
  Even if bought at verisign or any root CA, your cert has a good chance of being chained since they very often use an intermediate CA. I know wildcard certs are supported but this bug seems to say that it doesn't work for chained.
  again, I didn't verify it mysefl

• How to install certs for web access

  Hi all: While I have done this several times using ConsoleOne in previous versions of GW, I cannot seem to find a good write-up on installing certificates for Web Access in GW 2014. I came across this TID (https://www.novell.com/support/kb/doc.php?id=7010584) but I am not sure this applies to Web Access. Can anyone point me to a How-To or TID which describes installing certs specifically for Web Access (2014)? We are running GW 2014.0.1 on an OES11 SP2 server.
  Thanks, Chris.

  Hi Chris,
  The TID you referenced in your first post also applies to WebAccess.
  When running GroupWise/WebAccess on OES/SLES/Linux, it's not really about doing something for GroupWise WebAccess, but about doing something for Apache. So you can approach this as a generic Apache thing.
  Originally Posted by cmosentine
  PS: Our certs are from GoDaddy. We have two files, ourdomain.crt and sf_bundle.crt. If I follow the TID I referenced, I am not sure where these should be placed in the configuration file.
  If you have those files you can add them to the apache2 configuration as the TID mentions.
  You are missing one file in your listing.... the key file. Without the key file, it won't work.
  If you have those three files on the webaccess server, simply add lines to the vhost file;
  SSLCertificateFile </path/to/ourdomain.crt)>
  SSLCertificateKeyFile </path/to/ourdomain.key)>
  SSLCertificateChainFile <path/to/sf_bundle.crt>
  Then reload Apache.
  Also make sure root is the only user that can read those files (mainly important to shield the key file used).
  If there are no errors upon reloading Apache, the new certificates should then be in use.
  In general, this blog post might give some more insight on the openssl process :https://www.digitalocean.com/communi...-keys-and-csrs
  There are many others that might explain it better.
  Cheers,
  Willem

• Browser Requirements for Web Auth

  My configuration is 2 4404 WLCs, version 4.2.130.0, with WCS version 4.2.97.0. We have a guest WLAN set up to do Web Auth to a TACACS server and the local WCS database. I am trying to find a document for this version of WCS that gives minimum browser versions for IE, firefox, netscape, safari, etc. If anyone can point me to this information I would appreciate it.
  Thanks,
  Deanna

  I found my own answer.
  Internet Explorer 6.0 SP1 or higher is the only browser supported for accessing the controller GUI and for using web authentication.

• Web load balancer for web application server

  Hi.
  We are planning to very large system (6,000 users) and They will use BSP application.
  So, We need web load balancing method.
  I think We have two choice : L4 switch or SAP Web Dispacther.
  Is there any recommendation for web load balancing method ?
  Which one is better for large user load balancing ?
  Regards, Arnold.

  Another good advantage of Web dispatcher is web based monitoring, SSL config etc.
  http://help.sap.com/saphelp_erp2004/helpdata/en/05/ac923fa5e93c17e10000000a114084/frameset.htm
  Regards,
  siddhesh

• "Auth type not supported by External DB" error for web-auth SSIDs

  Hello
  We're having a problem with web-authentication on our 4404/WisM controllers since we moved to software rev 5.x (currently running 5.1.151.0).
  With software rev 4.x our web-auth SSIDs would send the authentication requests to a Cisco ACS4.0 which would then authenticate the users against MS Active directory.
  Now (with rev 5.x) the same SSIDs cannot authenticate users against AD, the error in the ACS is:
  Auth type not supported by External DB
  Found the following Cisco Doc regarding the problem: Cisco Secure ACS and Windows AD EAP/802.1x port authentication fails with the Auth type not supported by External DB error message - Case Number K24308566. Done a packet capture on ACS to see authentications coming in and the ones that fail with above error are using CHAP - from the Cisco documentation, MS AD doesn't support CHAP.
  Any ideas on how I can get the web-auth working again with software rev 5.x ?
  Thanks
  Andy

  my apologies - theres a setting under Controller - General for Web Radius Authentication. changed this from CHAP to PAP and its now working ok.

• Loading Images for web Applet

  I just recently learned how to load a applet to my site, and now that I'm able to load simple ones up I want to move on. I made a game this morning, but I used images in it. When i loaded the applet to the site, it didn't work. As suggested from another user I tried:
  Image background=this.getImage(getCodeBase(),"/forest.gif"); All of the applet's classes/html file is in the root directory folder with all of my images. I also tried...
  Image background=this.getImage("http://www.StevePicHolder.1colony.com/images/forest.jpg");and no luck...What do I need to do to make my applets online be able to use pictures?

  The Applet.getCodeBase() method returns the absolute URL where your class files reside. If the image file is in the same location you would code the following:
  Image background=this.getImage(getCodeBase(),"forest.gif");If your image file is in a path relative to the code base (e.g., an images folder residing relative to your class files) then specify the relative path via the following:
  Image background=this.getImage(getCodeBase(),"images/forest.gif");If your image files are in the same or relative location of your HTML file containing the APPLET tag then use the getDocumentBase() method instead.

• Disable EAP Authentication for Web-Auth on WLC

  Hello Everyone
  We Use a Special Radius Server who is implemented according to RFC 2865.  But now we get Errors that the Radius Server cant handle the Attribut Typ 80.
  For that i now this Attribut has to do with EAP Authentication, which is a newer addition according to RFC 2869.
  How can i configure the WLC to disable EAP Authentication?
  Thank you in advance
  Chris Kaiser

  EAP authentication is defined on the SSID... So if your using radius to authenticate WebAuth users, then you need to make sure that you use open authentication with WebAuth. Don't specify any layer 2 encryption methods and the WLC will not send EAP request to the radius server.
  Sent from Cisco Technical Support iPhone App

• Windows 7 Clients Not Working With Web-Auth

  I am using 5508 controllers, configured for WEB-AUTH passthrough, Windows XP clients work fine but Windows 7 clients are hit and miss getting redirected to the splash screen.
  The login page is customised showing T's & C's with two buttons Except or Reject.
  Do I need to Pre-Auth with ACL's? Has anyone had similar issues, or any good doc's etc.
  Thanks in advance for any replies.
  Jay

  Nicolas,
  Many thanks for your relpy, the problem is that this is a guest network that's also avalable to the public and I dont have any control over the end clients.
  After doing a quick search on the net I found this.
  NCSI : Uses a combination of DNS and/or HTTP look ups to tell if you are connected to the Internet. The way NCSI does this is either via a HTTP request for http://www.msftncsi.com/ncsi.txt or a DNS look up for dns.msftncsi.com that resovles to 131.107.255.255.
  NCSI does this whether you are logged on or not.
  Do I need to Create a Preauthentication ACL on the Guest WLAN interface:-
  Configure a preauthentication ACL on the WLAN to allow wireless clients to allow:-
  1.       Permit DNS resolution (UDP/53) to 213.199.181.90
  2.       Permit TCP port 80 to 131.107.255.255
  Jay

• 7.5 web-auth client sleep timer feature

                     The 7.5 release advertises the ability to configure a timeout value so that guest clients which go to sleep are not re-prompted for web-auth.  Does anyone know if 7.5 would only be required on the anchor WLC or must it also be on the foreign?  We utilize web-auth for a guest WLAN and anchor it to a WLC in the DMZ.  Preference would be to NOT load 7.5 on every WLC we have and only upgrade our guest anchor.
  Thanks!
  Anthony

  Hi Scott ( and all ),
  I was making some tests with sleeping client with a infrastructure like this:
  - 2 foreign ( 5508 ) with the APs and client association
  - 2 anchor ( 4402 ) on the DMZ
  - radius for client auth
  From my understand the :
  - clients are associated to the foreign but
  - the authentication is forwarded to the anchor
  ( I can see the request on the radius with the anchor NAS IP address and, before the client is authenticated, i get the status as REQ_D state on the anchor )
  So I suppose the sleeping client feature should be on the anchor ( or on both wontroller ) and not only on the foreign. I'm wrong ?
  If You've some Idea to let it works with only sleeping config on the foreign i will solve one big issue because my anchors are 4402 without sleeping feature available.
  All is working fine on the foreign if I remove the anchor configuration ( by the way, like this isn't anymore a foreign )

• Guest Anchor with web auth using ISE guest portal

  Hello All,
  Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
  I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
  massive thanks to anyone that can assist.
  JS.

  Thanks for the reply RikJonAtk.
  so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
  Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again.  So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
  Thanks in Advanced,
  JS

• SSL web auth equals encyrption?

  If you use a self signed cert/SSL web auth page that uses LDAP usernames and passwords is the traffic there on considered encrypted or is it only my user name and password that gets encrypted ?

  If there is no layer 2 encryption going on, then only the authentication piece is encrypted by SSL. After the user is authenticated, there's no more encrypted communication with the AP/controller. You'd need layer 2 encryption (AES, TKIP, WEP), VPN, or possibly some sort of SSL proxy for additional encryption.

• Web Auth Re-Authentication Problem

  2500 series controller.  1140  APs.
  I have set my idle and session timout to both be 57600 (16 hours) yet we have users getting re-prompted for web auth every few hours.
  Please advise.
  (Cisco Controller) >
  (Cisco Controller) >*pemReceiveTask: May 02 18:28:02.826: 60:fa:cd:a8:9c:8e Sent an XID frame
  *apfReceiveTask: May 02 18:33:01.538: 60:fa:cd:a8:9c:8e 172.16.60.15 WEBAUTH_REQD (8) Web-Auth Policy timeout
  *apfReceiveTask: May 02 18:33:01.538: 60:fa:cd:a8:9c:8e 172.16.60.15 WEBAUTH_REQD (8) Pem timed out, Try to delete client in 10 secs.
  *apfReceiveTask: May 02 18:33:01.538: 60:fa:cd:a8:9c:8e Scheduling deletion of Mobile Station:  (callerId: 12) in 10 seconds
  *osapiBsnTimer: May 02 18:33:11.538: 60:fa:cd:a8:9c:8e apfMsExpireCallback (apf_ms.c:589) Expiring Mobile!
  *apfReceiveTask: May 02 18:33:11.538: 60:fa:cd:a8:9c:8e apfMsExpireMobileStation (apf_ms.c:5584) Changing state for mobile 60:fa:cd:a8:9c:8e on AP 3c:ce:73:49:7f:30 from Associated to Disassociated
  *apfReceiveTask: May 02 18:33:11.538: 60:fa:cd:a8:9c:8e Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
  *osapiBsnTimer: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e apfMsExpireCallback (apf_ms.c:589) Expiring Mobile!
  *apfReceiveTask: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e Sent Deauthenticate to mobile on BSSID 3c:ce:73:49:7f:30 slot 0(caller apf_ms.c:5678)
  *apfReceiveTask: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e apfMsAssoStateDec
  *apfReceiveTask: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e apfMsExpireMobileStation (apf_ms.c:5716) Changing state for mobile 60:fa:cd:a8:9c:8e on AP 3c:ce:73:49:7f:30 from Disassociated to Idle
  *apfReceiveTask: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
  *apfReceiveTask: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e 172.16.60.15 WEBAUTH_REQD (8) Deleted mobile LWAPP rule on AP [3c:ce:73:49:7f:30]
  *apfReceiveTask: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e apfMs1xStateDec
  *apfReceiveTask: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e Deleting mobile on AP 3c:ce:73:49:7f:30(0)
  *pemReceiveTask: May 02 18:33:21.540: 60:fa:cd:a8:9c:8e 172.16.60.15 Removed NPU entry.

  Its happening with multiple types of devices.  Apple laptops, iPhones, Windows Mobile Phones, etc.  A user will connect to the wireless and accept the agreement on the web auth page.  A few hours later, she will try to surf the web again and be re-prompted with the page to authenticate.  We do not want this.  We only want this page to come up every 16 hours.