Introduction
This guide is designed to assist administrators and users in troubleshooting a common issue experienced when using a Cisco WLC for guest or corporate access on Windows and desktop devices. This issue manifests as an unexpected redirection or security warning during the initial connection process.
The Issue
Users connecting to the network (e.g., via a guest portal or web authentication) may successfully obtain an IP address but are then redirected to a URL using HTTP, such as http://192.168.0.2/login.html.
Because modern desktop browsers are increasingly strict about security, they anticipate an HTTPS connection for login portals. When they encounter the unsecured HTTP link, the user is presented with a security warning (e.g., "Your connection is not private," or a similar message) and must manually click an option like "Continue anyway" or "Send anyway" to proceed to the login page.
While the connection does work, this warning creates a poor user experience and can lead users to believe the network is insecure.
Recommended Solution
The recommended solution is to properly secure the web authentication process by implementing an authentic, publicly trusted SSL/TLS certificate on the Cisco WLC. This ensures the connection uses HTTPS from the start, satisfying browser security requirements.
Details - Cisco Catalyst 9800 Series
The following steps detail the process for installing a public certificate and configuring the secure web portal on a Cisco Catalyst 9800 Series WLC.
- Upload the PKCS12 Certificate:
  - Navigate to Configuration > Security > PKI Management.
  - Click the Add Certificate tab.
  - Expand the PKCS12 Certificate menu.
  - Enter the Certificate Password (if a password was used when the PKCS12 file was generated).
  - Select and Import your PKCS12 certificate file.
  - Verify the certificate is listed under the Key Pair Generation tab.
- Assign the Certificate to the Management Interface:
  - Go to Administration > Management > HTTP/HTTPS/Netconf.
  - In the HTTP/HTTPS configuration section, select the newly imported certificate (its Trustpoint name) from the Trust Points drop-down list.
  - Click Save.
- Configure Secure Web Authentication:
  - Navigate to Configuration > Security > Web Auth.
  - Select the global parameter map (or your custom map).
  - Select the imported Trustpoint from the Trustpoint drop-down list.
  - Crucially: Ensure that the Virtual IPv4 Hostname matches the Common Name (CN) specified in the SSL certificate.
  - Click Update & Apply to save the changes.
- Reboot the Controller:
  - For the new SSL certificate to fully take effect, you must reboot the Cisco Catalyst 9800 controller.
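A pre-upload check for the hostname requirement in the web authentication step above, as an added example that is not Cisco tooling or part of the original guide: it confirms that the leaf certificate in the PKCS12 bundle covers the Virtual IPv4 Hostname and has not expired. It assumes OpenSSL 1.1.1 or later and a bundle password supplied in a P12_PASS environment variable; the function names and the sample bundle are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Cisco tooling. Requires OpenSSL 1.1.1 or later.
# The bundle password is read from the P12_PASS environment variable so it
# does not appear in the process list.

# check_portal_cert BUNDLE.p12 HOSTNAME
# 0 = leaf certificate covers HOSTNAME and is not expired
# 1 = hostname mismatch or expired, 2 = bundle unreadable
check_portal_cert() {
    p12=$1; host=$2
    # Leaf certificate only: no private key, no CA chain.
    leaf=$(openssl pkcs12 -in "$p12" -nokeys -clcerts -passin env:P12_PASS \
               2>/dev/null | openssl x509 2>/dev/null) || leaf=""
    if [ -z "$leaf" ]; then
        echo "ERROR: cannot read $p12 (wrong password or not PKCS12)" >&2
        return 2
    fi
    # -checkhost matches SAN dNSName entries, falling back to the CN only
    # when the certificate has none.
    if ! printf '%s\n' "$leaf" | openssl x509 -noout -checkhost "$host" |
            grep -q 'does match'; then
        echo "FAIL: certificate does not cover $host" >&2
        return 1
    fi
    # -checkend 0 exits non-zero if the certificate has already expired.
    if ! printf '%s\n' "$leaf" | openssl x509 -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate is expired" >&2
        return 1
    fi
    echo "OK: $p12 covers $host"
}

# make_sample_p12 DIR HOSTNAME
# Builds a constructed, self-signed bundle in DIR/portal.p12 purely to
# exercise the check; a production bundle comes from a public CA.
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout env:P12_PASS -out "$1/portal.p12"
}
```

Run check_portal_cert against the real bundle with the hostname entered as the Virtual IPv4 Hostname; a non-zero exit means the browser warning will persist after the upload.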
Details - Cisco WLC (AireOS)
The following steps detail the process for installing a public certificate and configuring the secure web portal on a Cisco AireOS WLC.
- Establish a Virtual Hostname: Define a dedicated virtual hostname (e.g., wifi-login.yourcompany.com) on the WLC.
- Purchase and Install a Public SSL Certificate: Acquire a commercially valid SSL/TLS certificate for the chosen hostname from a trusted Certificate Authority (CA). Install this certificate on the controller.
- Enable Secure Webauth: Configure the WLC to use Secure Web Authentication (Secure Webauth).
Once these steps are complete, the authentication process will correctly use https://, eliminating the security warning and the need for users to click "Continue anyway."
Conclusion
Addressing the HTTP to HTTPS redirect issue is vital for providing a seamless and professional network access experience. By implementing a valid, publicly trusted SSL certificate and configuring Secure Webauth on your Cisco WLC, you eliminate frustrating security warnings, ensuring a smooth access journey for all.