Dec 12

How to avoid the certificate error with Cisco’s WLC internal Web Authentication

Have you ever visited a business, been given a username and password for their guest wireless access, and then hit an SSL certificate error when you were sent to the authentication page? Is it safe or not?

On the Cisco wireless controller there is a Layer 3 security feature called Web-Auth. When an SSID's Layer 3 security is set to Web-Auth, the user associates to the SSID, and the first time they open their web browser the controller intercepts the request and redirects them to a login page. The user then has to enter a username and password. Only after authenticating is the client allowed to use the wireless network.

The default setting on the controller is to force the user to ( would be the virtual address on the controller). That login page is served over HTTPS using the controller's self-signed certificate, which no client trusts by default, and therefore end users get a certificate error.

I recently tried to import a public certificate to my Cisco 5508 controller (Version ) to avoid this error. After working with my coworker who manages the certificates, along with Cisco TAC, I found this to be a very difficult task. Every time I tried to import the certificate file it errored out. Later I found out from TAC that version 7.6 had a bug that didn't allow a certificate to be imported. I was forced to downgrade to 7.4 to load the certificate. I did the downgrade and didn't lose my config, as I expected. I imported the certificate on version 7.4. My APs are 3702s, which are not supported in version 7.4, so I had to upgrade back to 7.6 in order to test the certificate. After upgrading, I still got the error. We tried it again and it failed again. Each time we modified the certificate, downgraded, imported, then upgraded. This process took a long time only to have it fail. I'm not sure what was wrong, but even with our certificate guy and Cisco TAC, we couldn't get it to work. The certificate error continued. We did indeed have a DNS host name configured on the virtual interface, and that name resolved to the virtual address in DNS.

After some more research I found that I could change the authentication page from HTTPS to HTTP. On the controller go to MANAGEMENT -> HTTP-HTTPS. The third item from the top is "WebAuth SecureWeb", with the options enable or disable. Mine was set to enable, so I changed it to disable. You then need to go to CONTROLLER -> INTERFACES -> VIRTUAL and make sure the "DNS Hostname" field is empty (with a host name set, the redirect points at that name instead of the address, so clients have to be able to resolve it). The IP address itself does not matter; is very common. If you change the virtual address you will need to reboot the controller.

After setting WebAuth SecureWeb to disable and rebooting the controller, your guests get the authentication page over plain HTTP, without the SSL certificate error.
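The same change done from the controller CLI, with a check before and after. This is an added example, not part of the original post; it assumes an AireOS controller with the default `(Cisco Controller) >` prompt, the virtual address already set, and the DNS host name cleared in the GUI as described above. The command output shown is abbreviated and constructed for illustration; the field label for this setting in `show network summary` is "Web Auth Secure Web".

```text
# 1. Check the current state. "Web Auth Secure Web" is what the GUI calls WebAuth SecureWeb.
(Cisco Controller) >show network summary
  ...
  Web Auth Secure Web...................... Enable
  ...

# 2. Default behaviour: the portal is served over HTTPS with the self-signed certificate
#    (this is the setting that produces the browser certificate error).
(Cisco Controller) >config network web-auth secureweb enable

# 3. The workaround from the post: serve the login page over plain HTTP instead.
#    The change only takes effect after a reboot, so save first.
(Cisco Controller) >config network web-auth secureweb disable
(Cisco Controller) >save config
(Cisco Controller) >reset system

# 4. After the controller comes back, confirm the setting and confirm the virtual
#    interface has no DNS host name (look for the host name line in this output).
(Cisco Controller) >show network summary
  ...
  Web Auth Secure Web...................... Disable
  ...
(Cisco Controller) >show interface detailed virtual
```

From a client on the guest SSID you can verify what the portal actually presents, both before and after the change: `openssl s_client -connect <virtual-address>:443 </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer` prints the certificate the controller serves on HTTPS; if subject and issuer are identical it is still the self-signed one, which is exactly the case the browser warns about. With SecureWeb disabled the redirect goes to port 80 and there is no certificate to inspect, and the login form is submitted in clear text.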

Does it matter that it's not secure? Keep in mind what "not secure" means here: with SecureWeb disabled, the username and password are submitted over plain HTTP, and on an open guest SSID anyone within radio range who captures the traffic can read them. For a guest who is getting a random or shared username/password, I don't think it matters. What do you think?

Mar 18

What you really need to take advantage of Cisco’s CleanAir technology

For the past few years Cisco has been talking about their CleanAir technology. If you are not familiar with CleanAir, it is the technology in Cisco access points that detects and classifies wireless interference, and some access points (APs) will change channels to get away from the interference.

I feel like the ability to view interferers is highly valuable, especially when the site you are supporting is somewhere else. I have sites that are many hours away, and with the non-CleanAir APs I simply guess at interference problems. At these sites I randomly change the channels when I feel like the problem may be interference. For me, it was very exciting to receive some CleanAir APs and put them into my network.

After digging into the output I can get, I wasn't very impressed, but I didn't know what to expect either. On the controller, you find the AP you want, then look at its CleanAir information. It does give you a list of interferers in real time. It gives you a classification of what each device is and a few graphs. The graphs show Air Quality, Channel Utilization and Interference Power. All of this is very good information. As you can see in the image below, it also gives you some details on the interferers.

Cisco WLC 5508 CleanAir

The controller gives you real-time information, but what about historical information? Prime Infrastructure should solve that problem. Prime Infrastructure (PI), formerly WCS, is the management system that manages the wireless controllers and access points. You can manage many controllers and access points from PI, and PI is Cisco's preferred way of managing your wireless infrastructure. PI has a section of canned reports ready to be run for CleanAir information. When I ran these reports, I never got any information; nothing was ever found. I figured this was due to a bug in PI, but never had the urgency to open a case on it.

The lack of CleanAir information in PI has nothing to do with a bug in the software. PI is not the location where the historical CleanAir information is stored, which explains why PI never had anything in the CleanAir reports. All of the historical information is stored in the Mobility Services Engine (MSE). Only after I purchased an MSE and connected it to PI did the reports I had tried to run in the past return any data.

If you want your network to automatically change channels to avoid wireless interference, you need an AP that fully supports CleanAir. Some APs, like the 1600 series, only report the CleanAir information; they don't take any action. The 3600 series APs are supposed to automatically change channels to move away from the interference. You need to identify your needs and your budget to figure out what you should get.

If you want historical information, you need to purchase both PI and the MSE. It was very disappointing for me to find out that PI is THE MANAGEMENT SYSTEM, but it doesn't store historical CleanAir information. It runs on a server, can have plenty of disk space, and is advertised as the way you should manage your wireless system, yet by itself it doesn't display any useful CleanAir history.

I do have to say that with the MSE connected to PI, there is some really good CleanAir information that can be gathered through PI. In this regard, Cisco did a good job.

Has anybody else run into this same disappointment as I have?
Any thoughts?