Contributor I

Cisco WLC web-auth and ClearPass Guest

I've run into the common issue that the Cisco WLC web-auth by default uses a self-signed cert for https. While I understand that I could A) install a public CA cert, or B) change to http for web-auth, I've run into the issue that both of these options require rebooting the WLC.

 

At this point I'm going to be forced to wait several weeks for a scheduled downtime to make this change.

 

Any chance there's some way around this that I'm missing?  Is there any configuration that would negate the need to display the https/http page from the WLC virtual interface in the users browser?

Aruba Employee

Re: Cisco WLC web-auth and ClearPass Guest

Every vendor seems to use a slightly different method for intercepting and redirecting to captive portals. Unfortunately, I've not found a way to avoid the Cisco WLC from using its certificate as part of that redirect. Part of this is due to the authentication trigger, where the client posts back to the WLC to generate the authentication process. That will typically use/require https, again invoking the WLC's certificate to process.

 


Charlie Clemmer
Aruba Customer Engineering

Re: Cisco WLC web-auth and ClearPass Guest

If you use server-initiated instead of controller-initiated on CPPM, I believe you get around this as long as you have a valid cert on CPPM.

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACCA
[If you found my post helpful, please give kudos!]
Contributor I

Re: Cisco WLC web-auth and ClearPass Guest

I do have a valid cert on CPPM, that part is working well.  How do I move to server-initiated instead of controller-initiated?

 

Thanks!

New Contributor

Re: Cisco WLC web-auth and ClearPass Guest

I'd like to know this as well. I have a similar problem. We have guest registration for our guest wireless network. Users join the guest wireless on our Cisco WLC. They're redirected to ClearPass, which has a trusted cert on the portal. Guests register, receive temporary credentials, sign in, but are then redirected to the Cisco WLC page that says "login successful."

 

But it uses its own self-signed cert for this, and some browsers force users to accept it as untrusted, or lately, Chrome won't even allow it so users never get in. So is this a cert issue on the WLC? Or would the server-initiated setting on ClearPass as previously mentioned fix it?

Contributor I

Re: Cisco WLC web-auth and ClearPass Guest

We eventually disabled https for web-auth on the Cisco WLC. It did require a reboot so that was thoroughly inconvenient, but the decision was made that there was no real security risk. The credentials for the guest network are all identical since we're doing anonymous auth. There is really minimal risk presented by someone capturing them since they could have them legitimately anyhow.
