I had to set up a client to use local Webauth for their guest wireless network the other day during a migration from AIROS to the 9800 WLC.
So this should be as easy as how it's done on the AirOS platform, right? Well, it turns out that the 9800 platform doesn't have complete feature parity in 16.x code. The 9800 platform can only deliver the dreaded captive portal over HTTPS and not HTTP. This leads to the client seeing the "you are trying to access a potential security risk" page.

Now, as much as I think a captive portal is a terrible experience for the end user, having an end user hit with a message saying that it's a potential security risk is bad.
So what is the solution? Well there are a couple:
- Utilise Central Web Auth Instead
- Deploy a public certificate to the 9800 to use for LWA.
Now, in this customer's setup, going down path 2 was a lot easier than getting everything set up for CWA. So installing a certificate should be easy, right? You just follow the Cisco documentation? Well, partially true: in fact I followed it, had a colleague follow it, and neither of us could make it work.
So I logged a TAC case to ensure I wasn't hitting a bug or misreading the documentation, and after an hour we found that this line in the doco wasn't telling the truth:
Note: In case you have several levels of CAs, you must paste here the issuing CA certificate, i.e. the CA that issued your device certificate and only that one, not the chain. You will then need to create a trustpoint for each extra level of CA and repeat this step 4 only for each of those trustpoints (i.e. authenticate a CA for each level).
It turns out the CA that my security guys generated the certificate with had an intermediate CA, so going off the line above you would need multiple trustpoints. Well, that was wrong. What I had to do was chain the Root and intermediate CAs together.
So the process turned out to be this:
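As an added example (not the post's own configuration walkthrough and not Cisco's documentation), the following shell script reproduces the CA layout described above with a throwaway lab PKI: a root CA, an issuing (intermediate) CA, and a device certificate for the WLC signed by the intermediate. It then verifies the device certificate against three bundles, the root alone, the issuing CA alone, and both chained together, to show why pasting "only that one" CA level cannot validate a certificate issued by an intermediate. The CA names, the hostname guest.example.com and the file names are all made up for the example; the only requirement is the openssl command-line tool.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: builds a throwaway two-level lab PKI
# (root CA -> issuing CA -> WLC web-auth certificate) and shows that the device
# certificate verifies only when the issuing CA and the root CA are presented
# together as one chain file. All names (Lab Root CA, Lab Issuing CA,
# guest.example.com) are invented for the example.
set -eu

PKI_DIR=""

# Create the lab PKI in a fresh temporary directory and record its path in PKI_DIR.
build_lab_pki() {
  PKI_DIR="$(mktemp -d)"
  trap 'rm -rf "$PKI_DIR"' EXIT
  cd "$PKI_DIR"

  # Minimal req config so the example does not depend on the system openssl.cnf;
  # the subject is always overridden with -subj below.
  cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
  # Extensions for the two CA certificates and for the WLC leaf certificate.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:guest.example.com\n' > leaf.ext

  # Root CA: self-signed.
  openssl genrsa -out root.key 2048 2>/dev/null
  openssl req -new -config req.cnf -key root.key -subj "/CN=Lab Root CA" -out root.csr
  openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 365 \
    -extfile ca.ext -out root.pem 2>/dev/null

  # Issuing (intermediate) CA: signed by the root.
  openssl genrsa -out issuing.key 2048 2>/dev/null
  openssl req -new -config req.cnf -key issuing.key -subj "/CN=Lab Issuing CA" -out issuing.csr
  openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -set_serial 2 -days 365 \
    -extfile ca.ext -out issuing.pem 2>/dev/null

  # WLC web-auth certificate: signed by the issuing CA, never by the root directly.
  openssl genrsa -out wlc.key 2048 2>/dev/null
  openssl req -new -config req.cnf -key wlc.key -subj "/CN=guest.example.com" -out wlc.csr
  openssl x509 -req -in wlc.csr -CA issuing.pem -CAkey issuing.key -set_serial 3 -days 365 \
    -extfile leaf.ext -out wlc.pem 2>/dev/null

  # The bundle the post ends up using: both CA levels chained in one file,
  # issuing CA first, root last.
  cat issuing.pem root.pem > chain.pem
}

# Return 0 if the device certificate ($2) chains to a self-signed root using only
# the CA bundle in $1, non-zero otherwise (the same check a browser performs
# when it lands on the portal).
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print subject/issuer for each level so the bundle can be eyeballed before use.
show_chain_order() {
  for cert in "$PKI_DIR/wlc.pem" "$PKI_DIR/issuing.pem" "$PKI_DIR/root.pem"; do
    openssl x509 -in "$cert" -noout -subject -issuer
  done
}

build_lab_pki
show_chain_order
for bundle in root.pem issuing.pem chain.pem; do
  if verify_against "$PKI_DIR/$bundle" "$PKI_DIR/wlc.pem"; then
    echo "$bundle: device certificate verifies"
  else
    echo "$bundle: verification FAILS (issuer not reachable from this bundle alone)"
  fi
done
```

Only chain.pem verifies. With root.pem alone the verifier cannot find the leaf's issuer; with issuing.pem alone it finds the issuer but cannot reach a self-signed root, which is the situation the post describes when a single CA level is loaded. Running the same three checks against a real certificate before touching the WLC tells you up front whether the bundle you are about to paste is complete and in the right order.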
If you're looking for a good post on how to actually configure Local Web Auth with the 9800s, then my friends over at WiFi Ninjas have already done a great job of it here.
As a side note, I can't remember who in the WiFi community gave this recommendation, but if you're after a free SSL certificate to try this out in your own lab then check out https://zerossl.com/
Thanks, that helped me.
Note: In case you have several levels of CAs, you must paste here the issuing CA certificate, i.e. the CA that issued your device certificate and only that one, not the chain. You will then need to create a trustpoint for each extra level of CA and repeat this step 4 only for each of those trustpoints (i.e. authenticate a CA for each level).
This part from Cisco is really confusing.
Yes, it was really confusing. I spent an hour with TAC, and even they were confused about how to do this.