
Configuring a Cisco Wireless Controller to redirect to a URL instead of 1.1.1.1 for web page authentication


I don’t usually deal with Cisco wireless controllers aside from setting AAA / RADIUS authentication, but I was recently asked to complete the process of requesting a certificate from a public Certificate Authority to secure the web sign-in page presented by a Cisco WLC 5508 wireless controller. For more information about generating a CSR and completing the certificate process, see my previous post:

Generating SSL certificate with OpenSSL for Cisco Wireless Controller
http://terenceluk.blogspot.com/2015/03/generating-ssl-certificate-with-openssl.html

After completing the certificate process, I noticed that a certificate warning would still be presented when the user is redirected to the web logon page. That’s because the WLC redirects the user to the URL https://1.1.1.1, and we all know that we cannot issue a certificate with the name 1.1.1.1. The Cisco documentation found here: http://www.cisco.com/c/en/us/td/docs/wireless/controller/5-1/configuration/guide/ccg51/c51users.html also does not provide a clear way of handling this issue. With a bit of digging around in the WLC administration page, I was able to locate where to set the URL that will be used for redirecting traffic, and the configuration is located here:

Click on the Controller tab:


Click on Interfaces then on the virtual Interface Name:


The DNS Host Name field is where you would enter the URL used for redirecting traffic:


You can use a URL such as wlc.domain.com for the redirection:


With the URL out of the way, the last problem is how we can handle resolving the URL to the IP address 1.1.1.1, which presents the login page. A bit of searching on Google brought me to the following post:

WebAuth: WLC Certificate 1.1.1.1 without DNS entry for virtual interface
https://supportforums.cisco.com/discussion/11145901/webauth-wlc-certificate-1111-without-dns-entry-virtual-interface

Basically, what’s suggested is to create a public DNS A record that maps wlc.domain.com to the IP address 1.1.1.1. From here, I went ahead and created the A record and was immediately able to get the URL to match the certificate as well as get properly redirected to the 1.1.1.1 IP address presenting the web page.
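To confirm both halves of this setup (the A record and the certificate name), here is a small check written as an added example; it is not part of the original post or of any Cisco tooling. The function names (`name_matches`, `audit`, `resolve_a`) are hypothetical, the sample values are constructed, and the certificate's DNS names are assumed to be supplied by the caller.

```python
import socket

def name_matches(pattern, hostname):
    """Compare one certificate DNS name with the redirect hostname.
    A '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit(hostname, virtual_ip, resolved, cert_names):
    """Return the problems that would still cause a warning or a failed redirect."""
    problems = []
    if not resolved:
        problems.append(f"{hostname} has no A record")
    elif set(resolved) != {virtual_ip}:
        problems.append(f"{hostname} resolves to {sorted(resolved)}, expected {virtual_ip}")
    if not any(name_matches(n, hostname) for n in cert_names):
        problems.append(f"certificate names {list(cert_names)} do not cover {hostname}")
    return problems

def resolve_a(hostname):
    """Look up the A records as a client would (needs network access)."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real controller.
    host, vip = "wlc.domain.com", "1.1.1.1"
    samples = {
        "A record and certificate agree": (["1.1.1.1"], ["wlc.domain.com"]),
        "certificate issued for another name": (["1.1.1.1"], ["www.domain.com"]),
        "A record missing": ([], ["*.domain.com"]),
    }
    for label, (addrs, names) in samples.items():
        print(label, "->", audit(host, vip, addrs, names) or "OK")
```

For a live check from a client on the guest network, pass `resolve_a("wlc.domain.com")` as the `resolved` argument together with the DNS names listed in the installed certificate.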

