Cisco Wireless :: Putting A Certificate On 5508 WLC For Webauth?
Feb 12, 2013
I am using webauth and need to install an SSL cert to prevent the "There is a problem with this website's security certificate" message. I have a Wildcard cert that was issued by Network Solutions that I use on a couple web servers I run, and want to know if I can use that for the WLC? It's a pks cert and I think the WLC needs to use a pem cert, so I converted the wildcard to pem. Or do I need to purchase a cert that is not a wildcard and is in pem format?
I'm trying to install a webauth certificate -- it works fine when unchained, however once I add the additional information the installation fails. I am using the same root and intermediate certificate information as last year, and it worked fine then. I can recreate last year's pem file with the chained information and it installs fine, so it's only when I include the new device certificate information that it fails. The certificate installs fine when it's not chained, I'm not receiving any openssl errors, and I'm not using openssl 1.0.
We have disabled the WebAuth SecureWeb on our 5508 WLCs so Guest users can access the guest splash page without the certificate error. The controllers are currently running 7.3.112.0. Everything works fine with the WebAuth SecureWeb enabled, but once we disable it, the guest users are not redirecting to the splash page anymore. I remember having to reload the controller in the past to disable HTTPS completely, but is this still the case? I don't see any documentation supporting the need to reload.
We are trying to get the waep template (default no changes) from the Cisco WebAuth bundle to work on a 5508 controller.
We've set up the controller to use the custom login.tar that comes with the waep template folder in the bundle. We set up the WLAN to work off the global template and we used the config network web-auth secureweb disable command to allow only http rather than https (which is supposed to work in 7.2 code).
When we test with the custom bundle, we get no answer from the controller, just a url of [URL]
If we turn custom off, and use internal everything works...
Just to be clear.. we aren't looking for authentication (user and pass) we are trying to do the enter your email and click accept to the aup method.
I have a new fresh 5508, release 7.0.98.0. When I try to download (I mean upload to the controller) a customized Webauth bundle in .tar format, I have the following error message in the syslog:
*TransferTask: Oct 29 12:56:08.894: %UPDATE-3-UNTAR_CMD_FAIL: updcode.c:2832 Error during untar of webauth bundle. Tar returned 256.
I have in the past downloaded the webauth bundle to a wlc 5508 running 7.0.98 successfully. I am trying to upload a new bundle after modifying the AUP but I get an error after the download to the wlc.
The error with FTP or TFTP is % Error: Webauth Bundle file transfer failed - Unknown error - refer to log
I've tried to copy the unmodified bundle from the zip and get the same error so I don't think it's the login.tar file.
I am getting an error during the upload of a customized login page for WLC 5508. After the upload is completed I received the error "Error extracting webauth files." I tried to create the *.tar file with different programs (winrar, 7zip, gnu tar, etc.)
Have WLC 5508 running 7.4 code; have wlan setup to allow access to internal network. Users on iPads should be able to connect to this wlan and be authenticated via certificate instead of PSK. We have set up laptops that are part of domain to use internal CA for authentication to WLAN. iPads are not part of domain so we are not able to use the same model, or can we use the same model for authentication? How to set up WLC to authenticate iPad users via certificate instead of PSK while connecting to the WLAN?
get an installed certificate to work on a 5508 WLC Controller without rebooting. Is there a way? Is it possible to just reload a process to get the certificate to work?
I have just set up a vWLC for lab purposes and it's up and running. I have a few used 1131 LAPs that try to join the AP but I just get DTLS certificate errors like these:
*Sep 14 13:25:27.229: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Sep 14 13:25:27.258: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Sep 14 13:25:36.198: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Sep 14 13:26:41.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.105 (code)
These APs (I have tried 2 so far) have earlier been in use connected to a cluster of 5508s.
I am planning to migrate from an old 4400 to a new 5508. I am happy with migrating the access points but I need to know if I can migrate the web authentication certificate used for guests. The new WLC will have the same virtual interface and DNS name to match the CN on the current certificate. Will this work or will I need a new certificate?
I have 3 WLC 5508 and a NAC guest server. We want to download a wildcard certificate. After a few seconds of the download of this certificate I got the failure message "download failed".
Does the WLC accept wildcard certificates, or must I generate a SAN (Subject Alternative Name) certificate?
When a guest user first tries to access the "guest" WLAN, they are presented with a "certificate page" before the web authentication page / login is presented. The WLC forces an internal redirect to https://1.1.1.1 causing the certificate page to appear. Can this be bypassed? I am running 5508 with 7.0.220.0.
We are moving forward with a mobility project which requires our network to authenticate/authorize based on certificates.
WLAN_1 has 802.1x enabled passing the cert through to the MS CA which authorizes the cred, which in turn passes the AD creds of the user to the MS RADIUS server for authenticate/authorization.
Hardware: WLC 5508 running 7.2.110.0; 3600 APs; ACS 5.2 not used for AAA
1. As we turn up additional SSIDs, we need Mobile SSID to accept ONLY the Mobile Cert, our Internet SSID to only accept the Internal Cert and our GUEST SSID to deny ANY Cert issued by our CA. I know ISE makes this much easier, but I don't have it and need this to work as best we can until next fiscal cycle.
- 5508/1142
- heterogeneous Client with WZC, XP, SP3, SSO
- ACS 5.2, MS AD
Target is Single Sign On with Machine Certificates against AD. For testing purposes we tested with EAP-PEAP/MS Chapv2 and Machine Auth, works fine. Now we installed a Machine cert in the Machine cert Store (no User Cert) and reconfigured the WZC for using certs and Machine Auth. What we see is an Error Message in the System Tray that there is no certificate available. We checked it again, the MMC shows us a Machine cert in the Store.
I have two Cisco WLC 5508 controllers that I'm trying to set up for our new corporate WLAN. I've gone through most of the configuration fine but have run into an issue uploading a signed certificate to one of my controllers. I should point out that I have managed to upload the certificate successfully to one of the controllers, I just can't seem to upload it to the second. The issue is as follows:
- I've logged into the controller, gone to Security -> Web Auth -> Certificate -> Download Certificate
- I've specified my tftp server details and selected apply
- the process begins and I can see through my tftp client that the controller is attempting to copy and install the certificate
- The controller tries to install the certificate but fails, reporting the same
We are deploying BYOD with Cisco ISE 1.1.2 and WLC (5508) using 802.1x authentication. Windows clients cannot connect to 802.1x SSID with the following error on ISE: Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
The client doesn't have a preconfigured wifi profile or root certificate installed. The concept of BYOD supposes that you can connect your device without any installed certificates and preconfigured wifi profiles.
The problem is that the Windows 7 supplicant does not send the TLS alert in a pop-up window when connecting to 802.1x SSID. If this alert is seen, then you can accept it and proceed with the connection. After that you will be asked to install the ROOT cert, get your own cert, etc. So, the question is: how to make the Windows supplicant show the pop-up window with the TLS alert?
p.s. the attached file shows the example of pop up TLS-alert window
I would like to get a webauth bundle sample to create a custom page for our AP controllers but I'm unable to find the sample .tar within the WCS itself. Some other WCS manuals have references in them that say there should be a link to download the sample from WCS but clearly 2106 hasn't got one. There's one in the download section, "webauth bundle 1.0.2.zip", but this is for registered partners and customers; we are not registered as partners and cannot download the sample ourselves.
I have a Dell Wireless Router, yes I know terrible lmao but was free a laptop I bought my sister. Anyways, it does not seem to be putting out a wireless signal. However if I hook an ethernet cord from the modem to my parents' PC, eliminating the router completely, the internet works; this is how the setup usually is. I have my PC upstairs with a wireless card and have never had problems until now. When I hook up the wireless router, the internet light lights up etc. But the main computer that is hardwired loses internet. It just has "Limited Connectivity". I tried resetting, powering off, restarting. I tried to set up a new wireless network and the computer cannot find any wireless devices. My computer upstairs cannot find a wireless network either. We also have a wireless "Roku" box which is Netflix; this works off Wi-Fi, but this also cannot get a wireless connection.
I've tried typing in the router's IP, just guessing that it is 192.168.1.1. I have tried a bunch of others but cannot get into my router's settings. I am trying to get into those router settings through my browser; I'm trying to figure out the IP. However if I hook my router up I lose internet so I am unable to do that. I build PCs and service them, but networking is where my expertise ends.
I've upgraded our WLC 5508 from 7.0.220 to 7.2.115.1. For our guest WLAN we use web authentication with a customized start page, no login error page and no logout page. The customized login page is displayed correctly. After successful authentication the browser is forwarded to the default Cisco login page "login.html". No further authentication is possible, also no internet access. Reloading the customized webauth bundle to the controller didn't change anything. Is there a change in the HTML/Java code of this controller version? I didn't find any hint in the release notes. Or do I need the newer web authentication bundle with version 1.0.2?
I have a problem putting a Cisco 1141 AP in repeater mode with an HP Procurve AP. The root AP is the Procurve, but when I try to set up the Cisco AP with the same SSID, authentication, etc., I receive this error:
%DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: NO Aironet Extension IE
I tried disabling the Aironet Extensions and always get the same error all the time. Is it possible to connect both APs?
I would like to know if it is feasible to put those Aironet APs with internet antenna like AP1142 / AP1042 in an enclosure box (like an IP66 grade box). Will the enclosure box absorb the radio signal from the AP? Or can the radio signal still survive after passing the box, with only the signal strength degraded?
I've installed a Cisco Wireless LAN Controller (4402) with six access points (AIR-LAP1131AG-E-K9) and created two WPA2 protected WLAN SSIDs (e.g. internal and guest) and everything works fine.
The WLAN SSID named Guest should be used for external people. This SSID additionally uses WebAuth. This also works fine, the guests receive a WPA2 key and username/password for WebAuthentication. But this works at this point only when they use wireless LAN.
Now my Question: Is it possible to provide the setup also to the wired network using the WLC?
There is an ASA with remote access VPN and users are authenticated using third party signed certificates (CA is not local in ASA). When a user certificate expires I can see it in syslog messages. For example:
%ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
I would like to know if there is an opportunity to view user's certificate expiry date beforehand, say, 3 days before?
I have 2 5508s (foreign and anchor both running 7.2.110.0) with an open WLAN configured via mobility anchors. This configuration works and has no problems. My next task is to incorporate a webauth page (accept/reject) to present the clients with AUP information, etc. On the foreign controller I created a test WLAN (open) and setup webauth Passthrough using the Cisco webauthbundle (wap.html), this works as intended, no issues. However I am at a loss as to how to incorporate the webauth Passthrough functionality on the WLAN that is configured for the mobility anchor.
Recently we replaced a Cisco 2100 Series LAN controller with a Cisco 5508 Wireless LAN controller. I downloaded the WebAuth Bundle from my old LAN controller; when I am trying to upload it to my new Wireless LAN controller, it's not uploading and it also gave me an uploading failure error message.
I am in the process of adding a lot of servers to sit behind our new ASA 5505 (8.4) firewall. At the moment I have added 2 servers and they are both NAT'ed to 2 different public IPs.
Server 1 192.168.10.1 -> 80.*.*.1
Server 2 192.168.10.111 -> 80.*.*.6
The first server can only be RDP'ed in to using its public IP which is what I want it to do. The second one has most of the service ports open like 443, 80, 110, 25, etc. However when I try and browse externally to [URL], I get an "Error 107(net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error." in Google Chrome or any other browser, and the ASA reports:
11:27:30 192.168.10.111 2626 80.*.*.6 443 Inbound TCP connection denied from 192.168.10.111/2626 to 80.*.*.6/443 flags SYN on interface inside
and I also get a Land to Land attack detected from 80.*.*.6 to 80.*.*.6
Is it worth setting up a DMZ or can I get away with the setup I have?
rvl200 is not working with any new OS/Java. Cisco is not fixing it and is telling us to move on. Picked up a VPN server and placed it on the DMZ for rvl200 (on 192.168.1.105). For the life of me, I cannot get traffic from the outside to go to this server. Tried port forwarding on rvl200 (for 443) which is what the VPN server recommends. rvl200 is not allowing this. Cannot go through the SSL VPN on rvl200 since it does not work. Looked at rv042 topics and they show similar problems.
How to restrict my router by putting in a password so my neighbours could be stopped from using my high-speed internet and thus making it weaker for my household.
I am an administrator and my co-worker keeps on going on YouTube during work. Is there any way to make his computer only use up 20KB per second instead of 150 KB per second?
I understand that Cisco have at long last provided a facility to separate HTTP web authentication from HTTPS WLC management on WLC code 7.2.x for the new 5500 series WLCs.
My question is does Cisco intend to provide the same much needed functionality on the 4400 series WLCs that are running 7.0.x code? I was looking through the release notes for v7.0.235.3 code and that did not seem to mention this functionality. I know we can get around the problem by purchasing an SSL certificate so that guest users with web authentication do not have to see the same security warning each time they log in but the idea to separate the HTTP web authentication from HTTPS WLC management seems so much simpler.