WLC Virtual Interface config for a public SSL cert for Web Authentication

I'm trying to get a cert loaded on my 5508 WLC running 7.6.130.0 so when a Web-Auth user tries to authenticate they don't get the SSL cert error.
In the document "Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC", Document ID: 109597, it states the following:
"Note: It is important that you provide the correct Common Name. Ensure that the host name that is used to create the certificate (Common Name) matches the Domain Name System (DNS) host name entry for the virtual interface IP on the WLC and that the name exists in the DNS as well. Also, after you make the change to the VIP interface, you must reboot the system in order for this change to take effect."
Here are my questions.
1. I have always had 1.1.1.1 as the address of the Virtual interface, should that change or can I leave it as 1.1.1.1?
2. In the "DNS Host Name" Field do I simply put the domain or the FQDN?  Example. Company.com or hostname.company.com

Hi,
1) You can change that if you want. Normally it is non-Public and non-routable in your network.
2) Put the Host name for which you are going to give in your company DNS server where that Host name would be mapped to the Virtual ip address.
Regards
Dhiresh
** Please rate helpful posts**

Similar Messages

  • WLC 2106 CSR Request For Web Authentication

    Greetings, I've been following the guide below in order to replace the web auth certificate for guest users on our WLC2106.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    Does anyone know of a method of using Windows 2003 CA Services to sign the CSR? I have tried but I can't get a PEM out of it, just X509 and P7B certs. I do realise that guest users not native to our network will still be presented with an invalid certificate option, but I would like to try the configuration before paying to have the certificate properly signed.
    Regards

    This document assumes that the CA server configuration on the Microsoft Windows 2003 server is in place. This document covers the configuration required on the Wireless LAN controller in order to enable this feature.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a99e23.shtml#Cert-WLC

  • Guest Parameter for Web Authentication

    Hi Forum,
    Just to find out a little more detail in regards to the guest account created for web authentication using Ambassador account.
    1) If the authenticated guest did not perform a proper logout, what action will the WLC take?
    2) As such, is there any timeout involved?
    Where can I tune the timeout?
    Rdgs,
    Kelvin

    Hi I just wanted to add what I have found regarding WCS and the guest feature.
    -There are two ways to configure a "local net user". The first is a static guest ID that has the "guest" flag off. This means that the client's session will not timeout. The second is to specify the "guest" user checkbox and give it a timeout value in seconds.
    This should let you control how long a user is logged in.
    From the WLC login, go to SECURITY --> LOCAL NET USERS --> then click on NEW. From there you can specify a user ID and also set that optional guest user box. If you click on the Guest User box then you will see a timeout field.
    With my guest account set to not be a guest user (no timeout value), I have noticed the following.
    1. If a guest gets disconnected, usually they will reassociate and still be able to log in.
    2. If a guest has problems, I usually tell them to disable their wireless card, close all browser windows, and then reassociate to the network.
    The steps above have worked well for my setup...

  • MAC Exception for Web Authentication

    Hello folks.  I currently have a guest network setup using guest tunneling and an anchor controller.  I have it configured for web authentication.   So basically, a client associates to the SSID, obtains a DHCP IP from the guest anchor controller, and then when the browser is launched the client is redirected to 1.1.1.1 and receives the splash page where they are required to click "OK" to proceed and begin surfing the internet.
    I am being told from a vendor that it's possible to use a mac-address exception method so specific clients (based on mac address) will not have to web authenticate.  So basically they bypass the splash screen and can immediately begin surfing the internet. 
    From what I can tell it's all or nothing per SSID.
    Has anyone ever heard of this, and if so, do you know how it is accomplished?
    Thanks
    Chuck

    I've seen people ask for something like this for like an XBOX in a dorm (apparently XBOX doesn't have a browser?).....
    Bottom line though is that on the WLC, all wireless clients on a WebAuth/WebPassthrough SSID must pass layer3 authentication. There is no way around this on this SSID.  You'd have to create a different SSID as Scott suggested, which I'd probably suggest doing some kind of PSK on it, so only a few privileged devices can associate.... you could even throw in mac-filtering if you really wanted to complicate it....
    Now, I understand that switches may have such a feature called mac-bypass, but it isn't on the WLC.

  • Port 80 for Web authentication?

    Hi,
    Is it possible to use port 80 for web authentication instead of port 443?

    Sure... on the later code versions you can set the WebAuth to use either http or https by disabling WebAuth SecureWeb (http) or enabling it for https.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Possible to use http for web authentication?

    Hi All,
    We are using WLC 2500 and AP 1041 with web authentication. Because we do not have the trusted/public certificate, we want to get rid of the certificate warning during the user login. I would like to ask if it is possible to change the web authentication method from HTTPS to HTTP. Thanks.
    Rgds,
    Jacky

    Hi Jacky,
    Yes you can... But there is a catch..
    1) If you're running WLC code below 7.2.X then the only option is to disable HTTPS globally (Meaning HTTPS management access disabled only HTTP).
    2) If you are running 7.2.X and above, then you can use HTTP for client webauth and then HTTPS for Management access.
    The command for disabling https for web authentication would be:-
    config network web-auth secureweb disable
    Hope that helps
    Regards
    Najaf
    Please rate when applicable or helpful !!!

  • Customized web page for web authentication.

    Hi,
    Can anyone share a working "customized webpage for web authentication"? Virtual IP address of the WLC is 5.5.5.5.
    Thanks.

    Hi Nagesh,
    Here's a great download which contains sample templates of each possible type of Web Policy on the WLC:
    http://www.cisco.com/cisco/software/cart.html?imageGuId=7A2F6E79BAE4EFF389E1FA95D96936027AD30AE8
    Best,
    Drew

  • WLC Virtual interface listening on ports 25 and 110

    I'm securing my guest WLAN and have WLC ACL's in place and the network is segmented from everything else but I decided to run a port scan against the virtual WLC interface (1.1.1.1 for me) and ports 25 and 110 are listening. I connected to 25 and it connects but you can't do any SMTP commands.
    Anyone know why these would be open and any concern?

    It is always recommended to have the ACLs configured on the wired side of the network rather than the wireless side of the network. Can you provide the ACL configuration so that we can understand the configuration and find the modification to be done in the same to rectify the issue?

  • Is there a way to store credentials for Web authentication?

    I use an IPAD in my corporate network and have this nagging problem of "dropped wifi" after some idle minutes. True, this forced drop out could be due to my corporate router security settings (although they swear it is not there) but here is what frustrates me:
    1. That a Samsung tab works on the same floor in the office (on same wifi network) without dropping frequently.
    2. That if the Samsung tab's connection does drop once in a while, it can reconnect quickly. This is because it stores the web site id, user id and password.
    My question is why can't an IPAD store the router website url and user id and password that is needed to re login?
    If anybody else encounters this issue on an airport or a hotel room, please let us work for the solution together.
    Regards
    Sanjay

    I would check the web skype historic somewhere in the c: the machine eg in the folder " % temp % " for the company to use the skype app just that some older machines are complaining of memory because it is very heavy for them ... one of the fulga options that I found was the web skype but the only problem I found was that there's no way we monitor the message traffic as we made already ...

  • DNS host name under virtual interface??

    Hi,
    Can anyone tell me what is the purpose of DNS hostname under the virtual interface? Is it a required parameter for web-authentication / how does it affect the web authentication?
    Thanks in advance
    Jino

    The host name under the virtual interface is for if/when you put a third party certificate in the WLC. When you register for the cert, the name you put under the virtual interface is what you use for the cert.
    Steve
    Sent from Cisco Technical Support iPhone App

  • CSS- traffic orignating from real server + Virtual interface

    Hi all,
    I am designing a solution at the moment, in which I shall have 2 servers behind a pair of CSS & their default gateway will be the Virtual Interface ip address of CSS.
    Is there any problem foreseen in traffic getting initiated from the server to any other subnet in the network and the return traffic to the server?
    Servers shall connect to a pair of 3750 being used as L2 in stack .
    The Stacked 3750's shall be placed below the CSS pair & the CSS pair shall further connects to a single 6509 upstream....
    Each 3750-L2 connects single port to each CSS
    (3750-L2-1 to CSS1 &
    3750-L2-2 to CSS 2)
    Both CSS connect to the SINGLE 6509 on diff blades for better redundancy.
    The CSS shall not be connected to each other directly.
    Both 3750-L2 connect to each other as well
    IIS-1---L2_Sw1---CSS1---6509---Othr_Subent
    IIS-1---L2_Sw2---CSS2---6509---Othr_Subent
    Note: I shall have VIP/Virtual Interface config on my CSS's.
    Appreciate validation and recommendations on this design.
    Many Thanks,
    gagan

    Hi Gilles,
    Many thanks for the confirmation.
    Request verification on the below as well~
    1. With the above scenario; I do not require any group (NAT) configuration, either for my servers initiating traffic for going out or for clients hitting the VIP to reach servers. The client & server shall be in diff VLANs of course.
    2. With VIP & Virtual Interface configuration & couple of server VLAN's below on server side, I should be able to use both the gigabit interfaces on the 11503 to connect up and down stream as TRUNK. I mean to ask Virtual intf. & VIP has no problems working on the same TRUNK interface?
    3. I understand that Fate sharing and critical service helps full failover (client & server side).
    As an upstream router or L3 switch fails or the upstream connecting gigabit interface on CSS fails, the failover happens.
    Will the same be applicable to downstream L2 switch & CSS interface failure? If any of these on the downstream fails will the CSS failover to the standby unit.
    I think this above should work, just need confirmation coz I have not done this before.
    Thanks a lot again,
    Gagan

  • Transaction code to create virtual interface.

    I want to create a web service from a RFC. For that first, virtual interface needs to be created which will be linked to the RFC. Can you please tell me what is the transaction code to create a virtual interface?

    Thanks for your reply.
    Now I have created the Web service. To do this I have done the following:
    1. Created one RFC enabled Function Module.
    2. Created one virtual interface
    3. Created Web service definition.
    4. Released Web service from the wsconfig transaction.
    Then from The transaction wsadmin I have opened the browser by clicking Web Service > Web Service Homepage (from menu)
    After logging in it , shows the web service and RFC with in it. Now after clicking the Test link from the browser it asks for the parameter of the RFC. But After populating the parameters and clicking send button. it gives NullpointerException.
    exact err message  is --
    An error has occurred. Maybe the request is not accepted by the server:
    java.lang.NullPointerException

  • WLC: which software-version support SHA2 certificates for Web Authentication and Web Management ?

    Hello,
    I tried to install new SHA2 third-party certificates on our WLCs. There are old WiSM1-Boards and 2504 to support our old 1230 Access Points, running 7.0.251.2, which didn't install it, although the config manual for 7.6 and 8.0 say that SHA2 certificates are supported since 7.0.250.0. When I tried to install the SHA2-certificates I get the message "File transfer failed" and the log says:
    *TransferTask: Dec 12 13:22:14.394: #UPDATE-3-CERT_INST_FAIL: updcode.c:1869 Failed to install Webauth certificate. rc = 1
    *TransferTask: Dec 12 13:22:14.394: #SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4085 Cannot PEM decode private key
    I tried to install the same certificates on our WiSM2-Boards, running 7.4.121.0 and I failed too. The same certificates could be installed on a 2504 running 8.0.100 without any problems.
    In all 3 cases I tried to install unchained certificates for web management and Level 3 chained certificates  for web authentication. I used the following guides to get the certificates (e.g. taken from the config manual 8.0.100):
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.pdf
    Which software versions support SHA2 certificates and which didn't ? Is there a list for it ?
    Regards

    Hello,
    I solved the problem. First I used a Debian Linux system with Openssl 1.0.1. After I searched the internet using one of the log messages above I found sites which mentioned to use Openssl 0.9.x. So I tried a productive and security fixes Debian Linux System running Openssl 0.9.8 and I succeeded. The wlcs accepted the certificate files and used it after a reboot. The Web GUI still shows a SHA1 Fingerprint, but the certificate signature Algorithm is SHA2:
    Signature Algorithm: sha256WithRSAEncryption
    When you check the openssl.org homepage Openssl 0.9.8 is still one of the actual version of openssl and is still available and fixed. But the Openssl Roadmap says:
    "We don't want to have to maintain too many branches. This is likely to include a timescale for the EOL of version 0.9.8"
    I don't know the differences between certificates made with openssl 0.9.8 and 1.0.1. Is there anybody who can explain it to me ?
    Regards

  • Errors in Virtual interface after editing application service

    Hi all,
    I have an external service in CAF which connects to the backend to an RFC.
    This external service is being used by an application service.
    I recently added an extra import parameter to the RFC in the backend. So in CAF I deleted my old external service and imported the
    RFC again with the correct import parameters.
    In the Application Service I added an extra import parameter to the input node of the corresponding operations in which the external service is being used. And I inserted a line of code to fill in the correct value in the import parameter.
    After doing this and saving the CAF project a lot of errors are being generated in the ejbmodule of the caf project. (in the Virtual Interface files <servicename>.videf)
    Errors like:
    Type com.spe.portal.foa_serv.appsrv.datatypes.AddressDS of field addressDS0 in type com.spe.portal.foa_serv.appsrv.datatypes.BPartnerLightDS_R has been exchanged by type com.spe.portal.foa_serv.appsrv.datatypes.AddressDS_R
    These errors even occur in the VIs of the services that I didn't change.
    Can somebody tell me what the Virtual interface is for and why they are throwing these errors,
    Thanks
    Kr
    Wouter

    Hi Wouter,
    A virtual interface is actually an XML file with a description of all the operations and fields of the web service.
    To solve your problems: go to the navigator view, select the <CAFname>EJB project, navigate to the <servicename> folder under the ejbModule folder.
    Open the wsdef file with the WSD editor and push the button Edit VI....
    Remove the operations under <servicename>Bean and add them again using the buttons below the pane.
    Save and rebuild your work and everything should be ok.
    Hope this helps.
    Regards,
    Alain

  • Client Excluded ReasonCode on WLC for Web Auth

    Hi.
    I wonder if you can point me at a table that defines the Reason Code(s) for Client Exclusion Failure? See the example event log entry below from a Guest Controller for Web Authentication failure (that was resolved - Internet router down) but I was wondering if the Reason Codes would be useful in troubleshooting. Many thanks in advance.
    Tue Aug 28 10:45:31 2007 Client Excluded: MACAddress:00:16:6f:b3:20:0a Base Radio MAC :00:00:00:00:00:00 Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4

    I haven't tried it recently. But I'm afraid of this one :
    CSCsy88149 Chained certificate can not have Wildcard * character in hostname
    Even if bought at verisign or any root CA, your cert has a good chance of being chained since they very often use an intermediate CA. I know wildcard certs are supported but this bug seems to say that it doesn't work for chained.
    Again, I didn't verify it myself.
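
Added example, not part of the original thread or of Cisco's documentation: a parser for the "Client Excluded" event-log line quoted in the question above, with a triage step that separates one client failing repeatedly from many clients failing together (as in the poster's upstream outage). The 10-minute window and three-client threshold are assumptions, every sample line except the first is constructed, and no meaning is assigned to ReasonCode values beyond the reason text in the line itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
# Pattern follows the single event-log line quoted in the post above.
EXCLUDED = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"Client Excluded: MACAddress:(?P<mac>" + MAC + r") "
    r"Base Radio MAC ?:(?P<radio>" + MAC + r") "
    r"Slot: (?P<slot>\d+) "
    r"Reason:(?P<reason>.*?)\s+ReasonCode: (?P<code>\d+)\s*$"
)

def parse_exclusion(line):
    """Return the fields of one 'Client Excluded' entry, or None if it is another entry."""
    m = EXCLUDED.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["mac"] = rec["mac"].lower()
    rec["slot"] = int(rec["slot"])
    rec["code"] = int(rec["code"])
    return rec

def triage(lines, window=timedelta(minutes=10), many_clients=3):
    """Summarise exclusions per ReasonCode; flag bursts that hit many distinct clients."""
    by_code = defaultdict(list)
    for line in lines:
        rec = parse_exclusion(line)
        if rec:
            by_code[rec["code"]].append(rec)
    report = {}
    for code, recs in by_code.items():
        recs.sort(key=lambda r: r["ts"])
        widest = 0
        for i, first in enumerate(recs):
            macs = {r["mac"] for r in recs[i:] if r["ts"] - first["ts"] <= window}
            widest = max(widest, len(macs))
        report[code] = {
            "reason": recs[0]["reason"],
            "events": len(recs),
            "clients": len({r["mac"] for r in recs}),
            "max_clients_in_window": widest,
            # Heuristic (assumption): many clients at once points away from a single bad client.
            "likely_shared_cause": widest >= many_clients,
        }
    return report

SAMPLE = [
    # First line is the one quoted in the post; the rest are constructed.
    "Tue Aug 28 10:45:31 2007 Client Excluded: MACAddress:00:16:6f:b3:20:0a Base Radio MAC :00:00:00:00:00:00 Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4",
    "Tue Aug 28 10:46:02 2007 Client Excluded: MACAddress:02:00:00:00:00:01 Base Radio MAC :00:00:00:00:00:00 Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4",
    "Tue Aug 28 10:47:15 2007 Client Excluded: MACAddress:02:00:00:00:00:02 Base Radio MAC :00:00:00:00:00:00 Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4",
    "Tue Aug 28 10:50:00 2007 (constructed unrelated entry)",
    "Tue Aug 28 11:30:00 2007 Client Excluded: MACAddress:00:16:6F:B3:20:0A Base Radio MAC :00:00:00:00:00:00 Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4",
]

if __name__ == "__main__":
    for code, summary in triage(SAMPLE).items():
        print(code, summary)
```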
