Friday, June 5, 2015

Configuring a Cisco Wireless Controller to redirect to a URL instead of 1.1.1.1 for web page authentication

I don’t usually deal with Cisco wireless controllers aside from setting AAA / RADIUS authentication, but I was recently asked to complete the process of requesting a certificate from a public Certificate Authority to secure the web sign-in page presented by a Cisco WLC 5508 wireless controller. For more information about generating a CSR and completing the certificate process, see my previous post:

Generating SSL certificate with OpenSSL for Cisco Wireless Controller
http://terenceluk.blogspot.com/2015/03/generating-ssl-certificate-with-openssl.html

After completing the certificate process, I noticed that a certificate warning would still be presented when the user is redirected to the web logon page. That’s because the WLC redirects the user to the URL https://1.1.1.1 and we all know that we cannot issue a certificate with the name 1.1.1.1. The Cisco documentation found here: http://www.cisco.com/c/en/us/td/docs/wireless/controller/5-1/configuration/guide/ccg51/c51users.html also does not provide a clear way of handling this issue. With a bit of digging around in the WLC administration page, I was able to locate where to set the URL that will be used for redirecting traffic. The configuration is located here:

Click on the Controller tab:


Click on Interfaces then on the virtual Interface Name:


The DNS Host Name field is where you would enter the URL used for redirecting traffic:


You can use a URL such as wlc.domain.com for the redirection:


With the URL out of the way, the last problem is how to resolve the URL to the IP address 1.1.1.1, which presents the login page. A bit of searching on Google brought me to the following post:

WebAuth: WLC Certificate 1.1.1.1 without DNS entry for virtual interface
https://supportforums.cisco.com/discussion/11145901/webauth-wlc-certificate-1111-without-dns-entry-virtual-interface

Basically, what’s suggested is to create a public DNS A record that maps wlc.domain.com to the IP address 1.1.1.1. From here, I went ahead and created the A record and was immediately able to get the URL to match the certificate as well as get properly redirected to the 1.1.1.1 IP address presenting the web page.
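The two conditions above (the DNS Host Name resolves only to the virtual interface address, and the installed certificate covers that name) can be checked from a client with the sketch below, which is an added example and not part of the original post or any Cisco tooling. The function names and the sample certificate are hypothetical; `wlc.domain.com` and `1.1.1.1` are the values used on this page.

```python
import socket
import ssl

VIRTUAL_IP = "1.1.1.1"            # virtual interface address from the post
DNS_HOST_NAME = "wlc.domain.com"  # value entered in the DNS Host Name field

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "wlc.domain.com"),),),
    "subjectAltName": (("DNS", "wlc.domain.com"),),
}

def name_matches(pattern, host):
    """Compare a certificate DNS name with host; '*' may only be the whole first label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_dns_names(cert):
    """SAN DNS entries; the CN is a fallback only when no SAN DNS entry exists (RFC 6125)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def check_redirect(host, addresses, cert, virtual_ip=VIRTUAL_IP):
    """Return the problems that would cause a warning or a redirect that misses the WLC."""
    problems = []
    if set(addresses) != {virtual_ip}:
        problems.append(f"{host} resolves to {sorted(addresses)}, expected only {virtual_ip}")
    names = cert_dns_names(cert)
    if not any(name_matches(n, host) for n in names):
        problems.append(f"certificate names {names} do not cover {host}")
    return problems

def live_inputs(host, port=443):
    """Gather real inputs from a client on the guest WLAN (needs network access)."""
    addresses = {ai[4][0] for ai in socket.getaddrinfo(host, port, socket.AF_INET)}
    ctx = ssl.create_default_context()  # chain must validate or this raises
    ctx.check_hostname = False          # names are compared by check_redirect
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return addresses, tls.getpeercert()

if __name__ == "__main__":
    print(check_redirect(DNS_HOST_NAME, {VIRTUAL_IP}, SAMPLE_CERT) or "OK")
```

On a real client, `check_redirect(DNS_HOST_NAME, *live_inputs(DNS_HOST_NAME))` runs the same checks against the live A record and the certificate the controller actually serves.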
