The Cisco Wireless Lan Controllers have an internal https server which is enabled by default for web administration & web policy.
It provides SSL encryption between wireless clients and the WLC to protect Web Authentication credentials.
The Problem:
End users receive a Security Warning then accessing the Web Policy page on WLC (trying to get guest access) A self-signed certificate is installed on the WLC by default.
You can accept the warning and carry on but this action concerns guest users.
The Solution:
You can either disable the https encryption (not a good idea) as this means any credentials used will be passed in clear text.
Or you can deploy a 3rd party certificate signed by a public certificate authority.
This Tutorial will explain how to install a 3rd party ssl certificate on a cisco wlc for guest access.
1# Generate CSR using OpenSSL
The first step in the process is to generate a Certificate Signing Request (CSR) which is what you send of to the Certificate Authority to purchase your signed certificate.
You will need to ensure your wireless lan controller is running code version 5.1.151.0 or higher
You will also need a version of OpenSSL
OpenSSL Version 0.9.8 is the recommended version; however, as of Version 7.5, support for OpenSSL Version 1.0 was also added.
(Refer to Cisco bug ID CSCti65315 – Need Support for certificates generated using OpenSSL v1.0).
For this tutorial I will be using version 0.9.8 and running it on windows 7 as it that is what I currently have installed on my laptop.
You can download Open SSL for Windows from here and for Linux from here
Once you have installed OpenSSL navigate to where you have installed it – for me I put it in C:\openssl
Change directory to /bin and then run openssl by typing openssl
Next issue the following command
req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem
At this point you might get this error
unable to load config info from /user/local/ssl/openssl.cnf
To fix this you can download a sample openssl.cnf file from here.
Save the file in C:\openssl
Then run the command to generate the CSR again but this time specifying the full path to the openssl.cnf file
req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem -config C:\openssl\openssl.cnf
You should now be looking at this screen
Now you need to enter the requested information Yours will be specific to your company.
Country Code: GB
Sate or Province Name (I skipped this one)
Locality Name: London
Organization Name: (This is the name of the Company for which you need the certificate – you can get the exact information from the DNS lookup of the domain name of external facing internet.
Orgainizational Unit Name: IT (I always put IT in here)
Common Name: This is the important one
The common name is the DNS name that you have specified on the virtual interface of the wireless controller.
e.g guest-wireless.companyname.com
Email Address: (Email of the person responsible for certificates)
You can then specify a password if you want
Just hit enter if you want to skip this step.
You should now be back to the OpenSSL> prompt and you should have 2 files in your C:\openssl\bin folder
In my case myreq.pem and mykey.pem
The myreq.pem file is the request that will be sent to the CA
The mykey.pem is the key file which will be used once the cert arrives.
Now you need to purchase your SSL Certificate. There are many suppliers out there but if you want to try this out there are many that offer a free cert for up to 90 days.
This is perfect if you want to test out the process before spending any money, if it works then you can purchase a 3 year certificate.
I have been using Comodo – https://ssl.comodo.com/free-ssl-certificate.php
You just need to open up the myreq.pem file with notepad and copy the contents of the file into the certificate request.
You need to copy all the text which will look like this.
—–BEGIN CERTIFICATE REQUEST—–
MIIDUDCCArkCAQAwdTEWMBQGA1UEAxMNdGVzdC50ZXN0LmNvbTESMBAGA1UECxMJ
TWFya2V0aW5nMREwDwYDVQQKEwhUZXN0IE9yZzESMBAGA1UEBxMJVGVzdCBDaXR5
(data removed for security)
Rq+blLr5X5iQdzyF1pLqP1Mck5Ve1eCz0R9/OekGSRno7ow4TVyxAF6J6ozDaw7e
GisfZw40VLT0/6IGvK2jX0i+t58RFQ8WYTOcTRlPnkG8B/uV
—–END CERTIFICATE REQUEST—–
Chaining your certificates
When you receive your signed certificates back from the certificate authority you have to chain them together you should receive 3 or 4 files,
- Device Certificate
- Intermediate Certificate
- Root Certificate
In the case of Comodo I received 4 files
The Device certificate was the guestwireless_rogerperkin_co_uk file
The Intermediate was both the Comodo files
The Root Certificate was the AddTrustExternalCARoot file
If you are unsure of which files are which contact the tech support of the CA and they are usually very helpful.
Create All-certs.pem file
Now you need to open each file in turn in the order of Device, Intermediate and Root and paste them into one document as below
—–BEGIN CERTIFICATE REQUEST—–
** Device Cert Info **
—–END CERTIFICATE REQUEST—–
—–BEGIN CERTIFICATE REQUEST—–
** Intermediate Cert Info**
—–END CERTIFICATE REQUEST—–
—–BEGIN CERTIFICATE REQUEST—–
** Root Cert Info **
—–END CERTIFICATE REQUEST—–
Now save this file as allcerts.pem
GoDaddy SSL Certificates
For information if you use godaddy.com you will receive back 2 files a Root Certificate and a combined certificate.
You need to copy the contents of the combined cert into notepad followed by the root and save this file as all-certs.pem
Whichever method you choose you will end up with a file called all-certs.pem
Move this file into the C:\openssl\bin folder where you should still have the mykey.pem file
Now you need to go back into OpenSSL so you are back at this screen
Now enter the following command
pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:check123 -passout pass:check123
Followed by this command
pkcs12 -in All-certs.p12 -out final.pem -passin pass:check123 -passout pass:check123
You should get a MAC verified OK message at the end
You now have your final SSL certificate called final.pem which you need to upload to the WLC
NOTE: check123 is a password and can be any value you want, it is used when uploading the certficiate to the WLC
The easiest method is to go to Security / Web Auth / Cert
Tick the box that says download SSL Certificate
Enter the IP address of your TFTP server, the path and filename and the password you created above, in this case check123
The certificate will be uploaded and you will see all the details of your certificate on the screen.
The controller will have to be rebooted for certificate to take effect.
Update DNS
One final step is to update your DNS with the entry of the information on the Virtual interface.
If your guest clients resolve their DNS externally this needs to be done on your external DNS
A simple A record defining 1.1.1.1 (or whatever IP you have on your Virtual interface) pointing to the name you configured on your virtual interface and also have in your certificate e.g guest-wireless.companyname.com
That should be it. When guest users connect to your guest network they will no longer be prompted with a certificate error.
There are two very good videos from Cisco here which describe the process
Part 1
Part 2
Roger Perkin - CCIE #50038 is a Network Automation Engineer & CCIE Consultant based in the UK, currently working for Softcat Plc as a Senior Network & Security Consultant.
Rogers' CCIE Journey | About Roger | Contact | Twitter | Linkedin
