In this post we will see how to install a WebAuth certificate on a 5760 controller. This prevents guest users from being prompted with an SSL error when they authenticate to the guest portal.
The first task is to obtain a CSR (Certificate Signing Request) for the 5760. Since the 5760 cannot do this by itself, you have to use software such as OpenSSL. I have used Win64 OpenSSL v0.9.8za Light since my PC is a 64-bit version (you can refer to the Configuring EAP-TLS on a WLC post for a 32-bit working OpenSSL). Here are the screenshots of the OpenSSL installation wizard.
Once the installation is complete, open a command prompt (All Programs -> Accessories -> right-click on Command Prompt -> Run as Administrator). Then generate the CSR (5760-1111req.pem) together with the private key (5760-1111key.pem) as shown below. Use the FQDN that resolves to your 5760 virtual IP address as the name in the request.
Once you do this you will see those two files in the C:\OpenSSL\bin folder. Then submit the CSR (in my case 5760-1111req.pem) to your Certificate Authority to generate a certificate. Once your request is approved, you can download the digital certificate in different formats. Here is what I got from the CA.
I downloaded the PKCS#7 Base64 encoded format of the certificate. Since the 5760 Configuration Guide documents installing certificates in PKCS12 format as shown below, I converted my certificate to that format. Here is how to convert it to PKCS12. I renamed my downloaded certificate from the CA to “webauth-guest.p7b” and used it to generate a PKCS12 file named “webauth-guest.pfx”. Here is the command syntax if you are doing this on a Linux host.
openssl pkcs7 -print_certs -in webauth-guest.p7b -out webauth-guest.cer
openssl pkcs12 -export -in webauth-guest.cer -inkey 5760-1111key.pem -out webauth-guest.pfx
Here is how I did this through the OpenSSL application. You have to use the same password that you used when generating the CSR. Once the PKCS12 format certificate is available you can install it on your 5760 using IOS commands. First copy the certificate to the 5760 flash and then import it.
5760-1#copy tftp://x.x.13.20/webauth-guest.pfx flash:
Destination filename [webauth-guest.pfx]?
Accessing tftp://x.x.13.20/webauth-guest.pfx...
Loading webauth-guest.pfx from x.x.13.20 (via Vlan1600): !
[OK - 6477 bytes]
6477 bytes copied in 0.080 secs (80963 bytes/sec)
5760-1(config)#crypto pki import ?
  WORD  Trustpoint label to associate certificate or pkcs-12 file with
5760-1(config)#crypto pki import webauth-cert pkcs12 flash:webauth-guest.pfx password Cisco123
% Importing pkcs12...
Source filename [webauth-guest.pfx]?
Reading file from flash:webauth-guest.pfx
% The CA cert is not self-signed.
% Do you also want to create trustpoints for CAs higher in
% the hierarchy? [yes/no]: yes
CRYPTO_PKI: Imported PKCS12 file successfully.
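The OpenSSL half of the procedure above (key and CSR, then PKCS#7 reply to PKCS#12) as an added shell example that is not from the original post, with a sanity check that the bundle actually contains the certificate for your key and FQDN before you copy it to flash. It assumes openssl is in PATH and reuses the post's file names; the CA reply is whatever .p7b your CA gave you.

```shell
#!/bin/sh
# Added example, not the post's own commands. File names follow the post.
set -eu

# Step 1: private key plus CSR for the guest portal FQDN (the CN must be the
# name that resolves to the 5760 virtual IP, or browsers will warn).
make_csr() {   # make_csr <fqdn> <keyfile> <csrfile>
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" \
    -subj "/C=AU/O=Example/CN=$1" 2>/dev/null
}

# Step 2: unpack the CA's PKCS#7 reply into PEM certificates and bundle them
# with the CSR key into the PKCS12 file the 5760 imports. The password given
# here is the one you type after "crypto pki import ... pkcs12".
build_pfx() {  # build_pfx <p7b> <keyfile> <password> <pfx>
  openssl pkcs7 -print_certs -in "$1" -out "${4%.pfx}.cer"
  openssl pkcs12 -export -in "${4%.pfx}.cer" -inkey "$2" \
    -passout "pass:$3" -out "$4"
}

# Step 3 (check before copying to flash): the end-entity certificate inside
# the bundle must match the private key (same RSA modulus) and carry the
# FQDN as CN. Returns 0 on success, 1 otherwise.
check_pfx() {  # check_pfx <pfx> <password> <keyfile> <fqdn>
  cert=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null)
  cert_mod=$(printf '%s\n' "$cert" | openssl x509 -noout -modulus)
  key_mod=$(openssl rsa -in "$3" -noout -modulus 2>/dev/null)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] || return 1
  printf '%s\n' "$cert" | openssl x509 -noout -subject | grep -q "CN *= *$4"
}
```

Run make_csr first, send the CSR to the CA, then build_pfx and check_pfx on the reply; a non-zero exit from check_pfx means the bundle was built from the wrong key or the wrong certificate and would be rejected or mistrusted after import.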
Now your 5760 is equipped with a WebAuth certificate 🙂 You can verify the certificate configuration on your 5760 using “show archive config diff” before doing a write mem. You can also use “show crypto ca certificate verb”.
5760-1#show archive config differences nvram:startup-config system:running-config
!Contextual Config Diffs:
+crypto pki trustpoint webauth-cert
+revocation-check crl
+rsakeypair webauth-cert
+crypto pki trustpoint webauth-cert-rrr1
+revocation-check crl
+crypto pki trustpoint webauth-cert-rrr2
+revocation-check crl
+crypto pki certificate chain webauth-cert
.
.
5760-1#show crypto ca certificate verb
Certificate
  Status: Available
  Version: 3
  .
  .
  .
  Associated Trustpoints: webauth-cert
  Key Label: webauth-cert
So your guest users won’t see something like the below when they enter their credentials in the Guest Portal.
Here are some related Cisco documents which may be useful as well.
1. Converged Access Wireless LAN Controllers Third-Party Certificate Installation (Doc 117197)
2. 5760 IOS-XE Release 3E-Configuring Guest Wireless
3. Generate CSR for 3rd Party Cert & install it on WLC (Doc 70584)
Special Thanks to my colleague Gareth for helping me to understand a little bit about these certificates.
1. Guest Anchoring in Converged Access
2. Web Auth in Converged Access
3. Configuring EAP-TLS on a WLC
Dave David said:
Do you happen to install certificates for Web-Auth on latest WLC v7.6?
It seems that uploading certificates (even the certificates that worked on previous versions, WLC v7.5 and below) will fail on WLC v7.6
TFTP Webauth cert transfer starting.
TFTP receive complete… Installing Certificate.
Error installing certificate.
I’m using the Cisco recommended openssl 0.9.8 when I create the CSR.
I haven’t done this on v7.6 as Guest Anchor WLC already had WebAuth cert installed.
I have a test 5508 & I can give it a try & see. What is the exact version of 7.6 you are referring to?
Dave David said:
This code does not have a good credibility & even Cisco encourage customers to stay away from it 🙂
Try with 220.127.116.11(MR3), should be released soon.
I’ll give it a try on that version as well.
I am struggling with 7.6.120 by reloading WLCs every AM and TAC gave me .130 beta… but decided to wait for general release.
I skipped cert install by disabling https for guest traffic.
BTW…I use passthrough so guests only need to accept the AUP so I guess disabling https is fine in my case.
Thanks for this post. I found a small correction that may be specific to our version: 03.03.03SE RELEASE SOFTWARE (fc2).
After copying the .pfx file to the wlc, you have the command:
crypto pki import webauth-cert pkcs12 flash:webauth-guest.pfx password Cisco123
I found that “password” should not be included, rather the password should simply follow the certificate path:
crypto pki import webauth-cert pkcs12 flash:webauth-guest.pfx Cisco123
I have used the 3.6E version & it looks like the syntax is a little different between these two codes.
Looks like 18.104.22.168 code has this with the web auth certificate. I was not able to install it via GUI or CLI. Downgraded to the 7.4.121 Cisco Assured version and it worked without any issues.
So according to Cisco TAC there isn’t any issue with 7.6.130. Curious why multiple people are having this issue then.
I believe 5760 (IOS-XE based architecture) is capable of generating CSR request, I was able to walkthrough the procedure mentioned in url “http://www.cisco.com/c/en/us/support/docs/interfaces-modules/catalyst-6500-series-ssl-services-module/63456-sslm-csr.html”
Step 3 of the above link talks about generating CSR.
Just want to share these comments so that we have more understanding of this product from Cisco.
Can an SSL cert installed on one WLC be installed on another?