Cisco guest wireless network

Recently I was asked to set up a guest wireless network so that customers could join free Wi-Fi. We use Cisco Prime Infrastructure, Cisco WLCs and Cisco access points.

This WLAN didn’t need any authentication but required a terms and conditions page, where the user either accepts or rejects the terms and is then redirected to the company webpage. The Cisco WLC has a default web pass-through page whose content you can amend; however, it is very limited, particularly in regard to the character count.

We explored the option of a customized web page: we downloaded the HTML template from the Cisco website and amended the files to cater for the company’s required terms and conditions.

The terms and conditions specified a 60-minute timeout; to enforce this, we found that under the WLAN Advanced settings we could enable and specify a client timeout.

We found that Apple devices such as the iPad and iPhone were not able to connect to the ‘Open’ guest wireless; however, devices such as laptops on Windows 7 could connect fine. We found that by disabling mDNS snooping under the Advanced tab of the WLAN, Apple devices were then able to connect with the session timeout parameter configured (some sources say to disable the client timeout for Apple devices to be able to connect).

I also found that the iPhone was unable to quickly switch between multiple WLAN networks. I had done some reading on the ‘Fast SSID’ setting under the Controller settings. By enabling Fast SSID, the iPhone was able to switch between multiple SSIDs without any issues. Prior to enabling Fast SSID, I was getting error messages about not being able to connect to the network.

In order for the web pass-through feature to work directly to an HTTPS webpage, a third-party SSL certificate must be purchased. I used the following webpage to generate the CSR:

http://www.my80211.com/cisco-wlc-cli-commands/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html

I found that when the third-party certificate was purchased, I was only sent two certificates. I must stress the importance of having all three certificates and placing them in the required order. The certificate I was missing was the root certificate, which I exported from a laptop, from the trusted certificates in the certificate store.

After following the steps in the above link, I proceeded to download the certificate to the controller. On my client I was using TFTPd32; however, I believe I came across the following Cisco bug:

https://tools.cisco.com/quickview/bug/CSCtd59186

I used another TFTP program, and while the file actually downloaded to the controller, the certificate did not install correctly.

I then came across stewart.lear’s post on the following webpage regarding the format of the certificate:

https://supportforums.cisco.com/discussion/10890871/generating-csr-wlc-5508

The post says:

“Thank you for your advice.

I have done some playing around and have found the solution to my problem, hopefully it will help the others as well.

The issue seems to be the format of the final PEM file being uploaded.

The controller seems to be expecting a file in the following format:

-----BEGIN CERTIFICATE-----
Device cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root Cert
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,
-----END RSA PRIVATE KEY-----

But the version of OpenSSL I was using ended up in this format:

Bag Attributes
-----BEGIN CERTIFICATE-----
Device Cert
-----END CERTIFICATE-----
Bag Attributes:
-----BEGIN CERTIFICATE-----
Intermediate Cert
-----END CERTIFICATE-----
Bag Attributes:
-----BEGIN CERTIFICATE-----
Root Cert
-----END CERTIFICATE-----
Bag Attributes
-----BEGIN ENCRYPTED PRIVATE KEY-----
Private key
-----END ENCRYPTED PRIVATE KEY-----

So, using the command OpenSSL> rsa -in mykey.pem -des3 -out keyout.pem, I encrypted the private key using Triple DES; it prompted for a passphrase.

I did not then run the pkcs12 commands, but combined the certs and key myself.

Creating a new file in Notepad, I pasted the X509 certs from Thawte, followed by the contents of keyout.pem, in the format:

-----BEGIN CERTIFICATE-----
Device cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root Cert
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,
-----END RSA PRIVATE KEY-----

I saved the file as final.pem

I set the certpassword parameter to the passphrase used in the DES3 encryption.

The upload then worked as expected.

I’m guessing the issue is down to a different version of OpenSSL being used.

Hopefully this will work for others as well.”

I followed the above steps on the CLI of the WLC, as I found I was getting more feedback there. I had the following debug command turned on: debug pm pki enable. My third-party certificate then installed successfully.
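Added here as an illustration (not code from the original post, from stewart.lear or from Cisco): a small Python pre-upload check that assembles final.pem in the order the quoted post describes and flags the pkcs12-style layout (Bag Attributes lines, a PKCS#8 ENCRYPTED PRIVATE KEY) that the controller rejected. The function names are my own, and the certificate bodies are constructed placeholders, not real certificates or keys.

```python
import re

# Block labels the controller accepts, in the order the post above gives:
# device cert, intermediate cert, root cert, then a DES3-encrypted RSA key.
EXPECTED_ORDER = ["CERTIFICATE", "CERTIFICATE", "CERTIFICATE", "RSA PRIVATE KEY"]
PEM_BLOCK = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----", re.DOTALL)

def pem_blocks(text):
    """Return (label, body) pairs; text outside BEGIN/END lines ('Bag Attributes') is dropped."""
    return [(m.group("label"), m.group("body")) for m in PEM_BLOCK.finditer(text)]

def lint_wlc_pem(text):
    """List what would stop the controller accepting this file; [] means it matches the post's layout."""
    problems = []
    if "Bag Attributes" in text:
        problems.append("contains 'Bag Attributes' lines from pkcs12 output; strip them")
    labels = [label for label, _ in pem_blocks(text)]
    if labels != EXPECTED_ORDER:
        problems.append(f"block order is {labels}, expected {EXPECTED_ORDER}")
    for label, body in pem_blocks(text):
        if label == "ENCRYPTED PRIVATE KEY":
            problems.append("key is PKCS#8 'ENCRYPTED PRIVATE KEY'; re-encrypt with 'openssl rsa -des3'")
        elif label == "RSA PRIVATE KEY" and "DEK-Info: DES-EDE3-CBC" not in body:
            problems.append("RSA key is not DES3-encrypted; certpassword has nothing to unlock")
    return problems

def assemble_wlc_pem(device, intermediate, root, key):
    """Rebuild final.pem from the four inputs, keeping only the PEM blocks, in the required order."""
    parts = []
    for wanted, src in (("CERTIFICATE", device), ("CERTIFICATE", intermediate),
                        ("CERTIFICATE", root), ("RSA PRIVATE KEY", key)):
        blocks = [(l, b) for l, b in pem_blocks(src) if l == wanted]
        if len(blocks) != 1:
            raise ValueError(f"expected one {wanted} block, found {len(blocks)}")
        parts.append(f"-----BEGIN {wanted}-----\n{blocks[0][1]}-----END {wanted}-----\n")
    final = "".join(parts)
    if problems := lint_wlc_pem(final):
        raise ValueError("; ".join(problems))
    return final

# Constructed sample inputs (placeholders, not real certificates or keys).
DEVICE = "-----BEGIN CERTIFICATE-----\nMIIDdevice...\n-----END CERTIFICATE-----\n"
INTER = "Bag Attributes:\n-----BEGIN CERTIFICATE-----\nMIIDinter...\n-----END CERTIFICATE-----\n"
ROOT = "-----BEGIN CERTIFICATE-----\nMIIDroot...\n-----END CERTIFICATE-----\n"
PKCS8_KEY = "Bag Attributes\n-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIE...\n-----END ENCRYPTED PRIVATE KEY-----\n"
DES3_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIE...\n-----END RSA PRIVATE KEY-----\n")
```

Running lint_wlc_pem over the pkcs12-style concatenation reports all three layout faults at once, while assemble_wlc_pem with the DES3-encrypted key produces a file the lint accepts.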

I would also like to note that you do not need to set a password when generating the CSR. Many sources said you would have to set a password when generating the CSR; I only read this after we had purchased the SSL certificate.
