Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Cisco WLC web-auth and ClearPass Guest

  • 1.  Cisco WLC web-auth and ClearPass Guest

    Posted Apr 06, 2018 08:21 AM

    I've run into the common issue that the Cisco WLC web-auth by default uses a self signed cert for https.  While I understand that I could A) install a public CA cert, or B) change to http for web-auth I've run into the issue that both of these options require rebooting the WLC.

     

    At this point I'm going to be forced to wait several weeks for a scheduled downtime to make this change.

     

    Any chance there's some way around this that I'm missing?  Is there any configuration that would negate the need to display the https/http page from the WLC virtual interface in the users browser?



  • 2.  RE: Cisco WLC web-auth and ClearPass Guest

    Posted Apr 06, 2018 10:47 AM

    Every vendor seems to use a slightly different method for intercepting and redirecting to captive portals. Unfortunately, I've not found a way to avoid the Cisco WLC from using it's certificate as part of that redirect. Part of this is due to the authentication trigger, where the client posts back to the WLC to generate the authentication process. That will typically use/require https, again invoking the WLC's certificate to process.

     



  • 3.  RE: Cisco WLC web-auth and ClearPass Guest

    Posted Apr 06, 2018 01:19 PM
    If you use server-initiated instead of controller-initiated on CPPM, I believe you get around this as long as you have a valid cert on CPPM.



  • 4.  RE: Cisco WLC web-auth and ClearPass Guest

    Posted Apr 06, 2018 01:44 PM

    I do have a valid cert on CPPM, that part is working well.  How do I move to server-initiated instead of controller-initiated?

     

    Thanks!



  • 5.  RE: Cisco WLC web-auth and ClearPass Guest

    Posted Oct 05, 2018 03:28 PM

    I'd like to know this as well.  I have a similar problem.  We have guest registration for our guest wireless network.  Users join the guest wireless on our Cisco WLC.  They're redirected to clearpass, which has a trusted cert on the portal.  Guests register, receive temporary credentials, sign in, but are then redirected to the Cisco WLC page that says "login successful."  

     

    But it uses its on self-signed cert for this, and some browsers force users to accept it as untrusted, or lately, Chrome won't even allow it so users never get in.  So is this a cert issue on the WLC? Or would the server-initiated setting on clear pass as previously mentioned fix it?



  • 6.  RE: Cisco WLC web-auth and ClearPass Guest

    Posted Oct 08, 2018 08:24 AM

    We eventually disabled https for web-auth on the Cisco WLC.  It did require a reboot so that was thoroughly inconvenient, but the decision was made at there was no real security risk.  The credentials for the guest network are all identical since we're doing anonymous auth.  There is really minimal risk presented by someone capturing them since they could have them legitimately anyhow.  



  • 7.  RE: Cisco WLC web-auth and ClearPass Guest

    Posted Nov 15, 2019 01:16 PM

    IF you disable https, do you still have Cisco WLC intercepting https traffic? What will happen when the user opens his browser and types https link? would he be redirected by Cisco WLC although https is disbaled?