Security

I've run into the common issue that the Cisco WLC web-auth by default uses a self signed cert for https.  While I understand that I could A) install a public CA cert, or B) change to http for web-auth I've run into the issue that both of these options require rebooting the WLC.

 

At this point I'm going to be forced to wait several weeks for a scheduled downtime to make this change.

 

Any chance there's some way around this that I'm missing?  Is there any configuration that would negate the need to display the https/http page from the WLC virtual interface in the users browser?

Every vendor seems to use a slightly different method for intercepting and redirecting to captive portals. Unfortunately, I've not found a way to avoid the Cisco WLC from using it's certificate as part of that redirect. Part of this is due to the authentication trigger, where the client posts back to the WLC to generate the authentication process. That will typically use/require https, again invoking the WLC's certificate to process.

 

If you use server-initiated instead of controller-initiated on CPPM, I believe you get around this as long as you have a valid cert on CPPM.

I do have a valid cert on CPPM, that part is working well.  How do I move to server-initiated instead of controller-initiated?

 

Thanks!

I'd like to know this as well.  I have a similar problem.  We have guest registration for our guest wireless network.  Users join the guest wireless on our Cisco WLC.  They're redirected to clearpass, which has a trusted cert on the portal.  Guests register, receive temporary credentials, sign in, but are then redirected to the Cisco WLC page that says "login successful."  

 

But it uses its on self-signed cert for this, and some browsers force users to accept it as untrusted, or lately, Chrome won't even allow it so users never get in.  So is this a cert issue on the WLC? Or would the server-initiated setting on clear pass as previously mentioned fix it?

We eventually disabled https for web-auth on the Cisco WLC.  It did require a reboot so that was thoroughly inconvenient, but the decision was made at there was no real security risk.  The credentials for the guest network are all identical since we're doing anonymous auth.  There is really minimal risk presented by someone capturing them since they could have them legitimately anyhow.  

IF you disable https, do you still have Cisco WLC intercepting https traffic? What will happen when the user opens his browser and types https link? would he be redirected by Cisco WLC although https is disbaled?