Dec 12

How to avoid the certificate error with Cisco’s WLC internal Web Authentication

Have you ever visited a business and you were given a username and password for their guest wireless access, only to get an SSL Certificate error when it sends you to the authentication page? Is it safe or not?

On the Cisco wireless controller there is a layer 3 security feature called Web-Auth. When the authentication is set to Web-Auth the user attaches to an SSID, then when they open their web browser it forces them to a login screen. The user then has to enter a username and password. After authenticating the user is allowed to use the wireless network.

The default settings on the controller is to force the user to https://1.1.1.1 (1.1.1.1 would be the virtual address on the controller). When this happens, the controller uses a self signed certificate and there for it gives the end users a certificate error.


I recently tried to import a public certificate to my Cisco 5508 controller (Version 7.6.130.0) to avoid this error. After working with my coworker that manages the certificates, along with Cisco TAC, I found this to be a very difficult task. Every time I tried to import the certificate file it errored out. Later I found out from TAC that version 7.6 had a bug that didn’t allow a certificate to be imported. I was forced to downgrade to 7.4 to load the certificate. I did the downgrade, I didn’t lose my config as I expected. I imported the certificate on version 7.4. My APs are 3702s so they are not supported in version 7.4, I had to upgrade to 7.6 in order to test the certificate. After upgrading, I still got the error. We tried it again and it failed again. Each time we modified the certificate, downgrade, then upgrade. This process took a long time only to have it fail. I’m not sure what was wrong, but with our certificate guy and Cisco TAC, we couldn’t get it to work. The certificate error continued. We did indeed have an address on the virtual interface with a DNS Host name and the address was in DNS.

After some more research I found that I could change that authentication page from https to http. On the controller go to MANAGEMENT –> HTTP-HTTPS. The third item from the top is “WebAuth SecureWeb”, the options are enable or disable. Mine was set to enable so I changed it to disable. You then need to go to CONTROLLER –> INTERFACES –> VIRTUAL make sure the “DNS Hostname” field is empty. The IP address does not matter, 1.1.1.1 is very common. If you change the virtual address you will need to reboot the controller.

After changing the WebAuth SecureWeb to disable and rebooting the controller your guests can access and enjoy an authentication screen without the SSL certificate error.

Does it matter that it’s not secure? For a guest that is getting a random or shared username/password, I don’t think so. What do you think?

Oct 14

How to install or assemble the Cisco AIR-AP-BRACKET-3?


If you are looking for a slick solution to mount your Cisco wireless access point (AP) on your drop ceiling you should look at the AIR-AP-BRACKET-3 bracket. This bracket is easy to use and the AP looks great in the ceiling.

There are 5 steps to this installation.
1. Remove and cut the ceiling tile. Use the outside of the AP to size your hole.

Ceiling tile after the hole has been cut for the AP.

Ceiling tile after the hole has been cut for the AP.


2. Attach the ring around the AP. There is a groove in the AP for the ring to snap into place. The pictured AP is a 3702.
Cisco 3702 Top view with the ring on it.

Cisco 3702 Top view with the ring on it.

Cisco 3702 Bottom view with the ring on it.

Cisco 3702 Bottom view with the ring on it.

3. Place the AP on a flat surface face down, then place the ceiling tile (With the hole cut out) over the AP with the nice surface facing down.

Cisco 3702 in ceiling tile

Cisco 3702 in ceiling tile


4. Lay the long piece over the AP, then slide the outer bracket onto the AP. The bracket should slide into place. Then install and tighten the screw in the center of the bracket. This squeezes the AP into place on the tile. The long piece has small pieces that look like they can be pushed into the tile to prevent it from moving. I didn’t find a need for this because the one screw holding that piece into the AP held everything into place.
Cisco 3702 with AIR-AP-BRACKET-3

Cisco 3702 with AIR-AP-BRACKET-3


5. Hang up your tile and connect the AP to the network.
Cisco 3702 in a drop ceiling tile using the AIR-AP-BRACKET-3

Cisco 3702 in a drop ceiling tile using the AIR-AP-BRACKET-3

I hope this helps you keep your office area beautiful.
How has your experiences been with the AIR-AP-BRACKET-3?