9800 – Local WebAuth Certs

I had to set up a client to use Local WebAuth for their guest wireless network the other day, during a migration from AireOS to the 9800 WLC.

So this should be as easy as it is on the AireOS platform, right? Well, it turns out that the 9800 platform doesn't have complete feature parity in 16.x code: it can only deliver the dreaded captive portal over HTTPS, not HTTP. This leads to the client seeing the browser's "you are trying to access a potential security risk" page.

Now, as much as I think a captive portal is a terrible experience for the end user, having an end user hit with a message saying that it is a potential security risk is bad.

So what is the solution? Well there are a couple:

  1. Utilise Central Web Auth (CWA) instead.
  2. Deploy a public certificate to the 9800 to use for LWA.

Now, in this customer's setup, going down path 2 was a lot easier than getting everything set up for CWA. So installing a certificate should be easy, right? You just follow the Cisco documentation? Well, partially true; in fact I followed it, had a colleague follow it, and neither of us could make it work.

So I logged a TAC case to ensure I wasn't hitting a bug or misreading the documentation, and after an hour we found that this line in the doco wasn't telling the truth:

Note: In case you have several level of CAs, you must here paste the issuing CA certificate, i.e. the CA that issued your device certificate and only that one, not the chain. You will then need to create a trustpoint for each extra level of CA and repeat this step 4 only for each of those trustpoint (i.e. authenticate a CA for each level)

Turns out the CA that my security guys generated the certificate with had an intermediate CA, so going off the line above you would need multiple trustpoints. Well, that was wrong. What I had to do was chain the Root and intermediate CAs together.

So the process turned out to be this:

9800wlc(config)#crypto pki trustpoint ewlc-cert
9800wlc(ca-trustpoint)#enrollment terminal pem
9800wlc(ca-trustpoint)#revocation-check none
9800wlc(ca-trustpoint)#subject-name C=AU, ST=VIC, L=MELBOURNE, O=The WLAN, OU=IT, CN=guest-thewlan.com.au
9800wlc(ca-trustpoint)#rsakeypair ewlc-keys
9800wlc(ca-trustpoint)#exit
9800wlc(config)#crypto pki enroll ewlc-cert
% Start certificate enrollment ..

% The subject name in the certificate will include: C=AU, ST=VIC, L=MELBOURNE, O=The WLAN, OU=IT, CN=guest-thewlan.com.au
% The subject name in the certificate will include: 9800wlc.thewlan.com.au
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

-----BEGIN CERTIFICATE REQUEST-----
9800 Certificate Request
-----END CERTIFICATE REQUEST-----

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

9800wlc(config)#crypto pki authenticate ewlc-cert

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
Intermediate CA Cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA Cert
-----END CERTIFICATE-----

Trustpoint 'ewlc-cert' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
Fingerprint MD5: 19958837 67084D46 3F5FEA0F B4022B1A
Fingerprint SHA1: DACFCA0E B5DF948C 7A6F79B6 D98513F2 5A5597F4

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

9800wlc(config)#crypto pki import ewlc-cert certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
Signed Cert
-----END CERTIFICATE-----

% Router Certificate successfully imported

9800wlc(config)#parameter-map type webauth global
9800wlc(config-params-parameter-map)#trustpoint ewlc-cert
9800wlc(config-params-parameter-map)#virtual-ip ipv4 192.0.2.1 virtual-host guest-thewlan.com.au
9800wlc(config-params-parameter-map)#end

If you're looking for a good post on how to actually configure Local Web Auth on the 9800s, then my friends over at WIFI Ninjas have already done a great job of it here.

As a side note, I can't remember who in the WiFi community gave this recommendation, but if you're after a free SSL certificate to try this out in your own lab then check out https://zerossl.com/

2 thoughts on "9800 – Local WebAuth Certs"

  1. Jinesh Kaiprath

    Thanks, that helped me.

    Note: In case you have several level of CAs, you must here paste the issuing CA certificate, i.e. the CA that issued your device certificate and only that one, not the chain. You will then need to create a trustpoint for each extra level of CA and repeat this step 4 only for each of those trustpoint (i.e. authenticate a CA for each level)

    This part from Cisco is really confusing.

