In this post we will see how to install a WebAuth certificate on a 5760 controller. This prevents guest users from being prompted with an SSL error when they try to authenticate to the guest portal.
The first task is to obtain a CSR (Certificate Signing Request) for the 5760. Since the 5760 cannot do this by itself, you have to use software like OpenSSL. I used Win64 OpenSSL v0.9.8za Light since my PC runs a 64-bit version of Windows. (You can refer to the Configuring EAP-TLS on a WLC post for a 32-bit build of OpenSSL that works.) Here are the screenshots of the OpenSSL installation wizard.
Once the installation is complete, open a command prompt (All Programs -> Accessories -> right-click Command Prompt -> Run as Administrator). Then generate the CSR (5760-1111req.pem) together with its private key (5760-1111key.pem) as shown below. Use as the Common Name the FQDN that corresponds to your 5760 virtual IP address.
Once you do this you will see those two files in the C: -> OpenSSL -> bin folder. Then submit the CSR (in my case 5760-1111req.pem) to your Certificate Authority to generate a certificate. Once your request is approved, you can download the certificate in different formats. Here is what I got from the CA.
Then I downloaded the PKCS#7 Base64-encoded format of the certificate. Since the 5760 configuration guide documents installing certs in PKCS12 format, as shown below, I converted my cert into that format. Here is how you can convert it to PKCS12 format. I renamed the cert downloaded from the CA to “webauth-guest.p7b” and used it to generate a PKCS12 file named “webauth-guest.pfx”. Here is the command syntax if you are doing this on a Linux host.
openssl pkcs7 -print_certs -in webauth-guest.p7b -out webauth-guest.cer
openssl pkcs12 -export -in webauth-guest.cer -inkey 5760-1111key.pem -out webauth-guest.pfx
Here is how I did this through the OpenSSL application. You have to use the same password that you used when generating the CSR. Once the PKCS12 format certificate is available you can install it on your 5760 using IOS commands. First copy the cert to your 5760 flash and then import it.
5760-1#copy tftp://x.x.13.20/webauth-guest.pfx flash:
Destination filename [webauth-guest.pfx]?
Accessing tftp://x.x.13.20/webauth-guest.pfx...
Loading webauth-guest.pfx from x.x.13.20 (via Vlan1600): !
[OK - 6477 bytes]
6477 bytes copied in 0.080 secs (80963 bytes/sec)

5760-1(config)#crypto pki import ?
WORD Trustpoint label to associate certificate or pkcs-12 file with
5760-1(config)#crypto pki import webauth-cert pkcs12 flash:webauth-guest.pfx password Cisco123
% Importing pkcs12...
Source filename [webauth-guest.pfx]?
Reading file from flash:webauth-guest.pfx
% The CA cert is not self-signed.
% Do you also want to create trustpoints for CAs higher in
% the hierarchy? [yes/no]: yes
CRYPTO_PKI: Imported PKCS12 file successfully.
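As an added example (not from the original post), here are the two OpenSSL conversion commands from above wrapped in a small POSIX shell script, together with the checks worth running on the host before the copy and import shown above: that the private key really belongs to the certificate, that the certificate names the guest-portal FQDN, and how many certificates (leaf plus CA chain) ended up in the bundle. It assumes openssl is on PATH; the file names follow the post's naming and the passphrase is the one the CSR's private key was generated with.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the PKCS#12 bundle
# the way the post does and sanity-checks it before it is copied to the 5760.
# Assumes: openssl on PATH; placeholder file names matching the post.

# Steps from the post: unpack the CA's PKCS#7 reply into PEM certificates,
# then bundle the certificate chain with the private key into a .pfx file.
build_pfx() {
  p7b=$1; key=$2; pfx=$3; pass=$4
  cer=${p7b%.p7b}.cer
  openssl pkcs7 -print_certs -in "$p7b" -out "$cer" || return 1
  openssl pkcs12 -export -in "$cer" -inkey "$key" -out "$pfx" \
    -passin "pass:$pass" -passout "pass:$pass"
}

# Check 1: the private key must belong to the leaf certificate (the first
# certificate in the file); otherwise the import succeeds but the portal
# cannot complete a TLS handshake. Compares the RSA modulus of both.
key_matches_cert() {
  key=$1; cer=$2; pass=$3
  k=$(openssl rsa -noout -modulus -in "$key" -passin "pass:$pass" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$cer" 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the certificate must name the FQDN that resolves to the 5760
# virtual IP (Subject CN or a DNS SAN), or browsers still show a warning.
cert_names_fqdn() {
  fqdn=$1; cer=$2
  openssl x509 -noout -text -in "$cer" | grep -E 'Subject:|DNS:' | grep -qF "$fqdn"
}

# Check 3: number of certificates in the bundle. More than one means the CA
# chain is included, which is why the 5760 asks whether to create trustpoints
# for CAs higher in the hierarchy during the import.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}
```

Run the checks against webauth-guest.cer and 5760-1111key.pem before the copy to flash; a failing check 1 or 2 means the .pfx will import but the guest portal will still throw the SSL error the post is trying to avoid.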
Now your 5760 is equipped with a WebAuth cert 🙂 You can verify the certificate configuration on your 5760 using “show archive config diff” before doing a write mem. You can also use “show crypto ca certificate verb”.
5760-1#show archive config differences nvram:startup-config system:running-config
!Contextual Config Diffs:
+crypto pki trustpoint webauth-cert
+revocation-check crl
+rsakeypair webauth-cert
+crypto pki trustpoint webauth-cert-rrr1
+revocation-check crl
+crypto pki trustpoint webauth-cert-rrr2
+revocation-check crl
+crypto pki certificate chain webauth-cert
.
.

5760-1#show crypto ca certificate verb
Certificate
Status: Available
Version: 3
.
.
.
Associated Trustpoints: webauth-cert
Key Label: webauth-cert
So your guest users won’t see something like the below when they enter their credentials in the Guest Portal.
Here are some related Cisco documents which may be useful as well:
1. Converged Access Wireless LAN Controllers Third-Party Certificate Installation (Doc 117197)
2. 5760 IOS-XE Release 3E-Configuring Guest Wireless
3. Generate CSR for 3rd Party Cert & install it on WLC (Doc 70584)
Special Thanks to my colleague Gareth for helping me to understand a little bit about these certificates.
1. Guest Anchoring in Converged Access
2. Web Auth in Converged Access
3. Configuring EAP-TLS on a WLC