Certificate on guest anchor controller

Hi all

We have an anchor controller inside a DMZ. The default gateway for clients is the virtual interface (in this case 1.1.1.1). Because it's an https site, clients must accept the certificate manually (we all know this problem..).

I work with the internal DHCP scope and also give them Internet DNS servers.

Any idea how to get this certificate installed? I read that the virtual IP (1.1.1.1) has to have a DNS entry (in this case in the Internet DNS). That's bad enough, as we have several anchors in several countries, all working with 1.1.1.1. And also, does this virtual IP address have to be accessible from the Internet to perform a DNS lookup?

Would be great if someone has an idea or already has some experiences.

TIA

Thom

Thom,

The virtual interface needs a hostname because a certificate cannot be issued to an IP address; it is issued to a fully qualified domain name. I have an international client where I set this up and I had to get their external DNS host (since they don't have a DNS server in the DMZ) to add a host entry for each of the controllers. For example: WiSM1a.someplace.com pointed to 1.1.1.1, WiSM1b.someplace.com pointed to 1.1.1.1, etc... you get the general idea. Then you must take the device's real certificate and the intermediate CA certificate and combine them into the certificate bundle the WLC requires. This problem is much easier to solve if you have a DNS server in your DMZ that you control.

I hope this helps... Please rate useful messages.

Thank you

Kayle
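To show why the bare virtual IP always triggers the browser warning and what the DNS host entries Kayle describes change, here is an added example (not from the thread, not Cisco code) that models the guest web-auth redirect and checks it the way a browser would. The resolver table, the hostnames and the certificate names are constructed samples; the wildcard check goes beyond the per-host entries in the answer.

```python
"""Added example: model the WLC guest web-auth redirect to the virtual
interface and judge it as a guest browser would. Assumptions: the redirect
uses the virtual interface's configured hostname when there is one and the
bare IP otherwise; CA-issued certs carry DNS names, never the IP."""

import ipaddress

# Constructed: what the guests' (Internet) DNS answers. Every anchor gets
# its own host record and all of them point at the shared virtual IP.
GUEST_DNS = {
    "wism1a.someplace.com": "1.1.1.1",
    "wism1b.someplace.com": "1.1.1.1",
    "anchor-de.someplace.com": "1.1.1.1",
}


def name_matches(pattern, host):
    """RFC 6125-style match of one certificate name against a hostname.
    A leading '*' covers exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host


def redirect_url(virtual_ip, virtual_hostname):
    """Where the WLC sends a guest for web-auth (hostname if configured)."""
    return f"https://{virtual_hostname or virtual_ip}/login.html"


def check_anchor(virtual_ip, virtual_hostname, cert_names, dns):
    """Return (ok, reason) for one anchor's redirect."""
    url = redirect_url(virtual_ip, virtual_hostname)
    target = url.split("/")[2]
    try:
        ipaddress.ip_address(target)
        return False, f"{url}: certificate names {cert_names} cannot cover an IP"
    except ValueError:
        pass  # target is a hostname, continue with DNS and name checks
    resolved = dns.get(target)
    if resolved is None:
        return False, f"{target} does not resolve on the guest DNS"
    if resolved != virtual_ip:
        return False, f"{target} resolves to {resolved}, not {virtual_ip}"
    if not any(name_matches(n, target) for n in cert_names):
        return False, f"certificate names {cert_names} do not match {target}"
    return True, f"{url} is trusted"


def check_all_anchors(virtual_ip, anchors, dns):
    """anchors: {hostname: cert_names}. Several anchors in several countries
    may share one virtual IP as long as each hostname resolves to it."""
    return {host: check_anchor(virtual_ip, host, names, dns)[0]
            for host, names in anchors.items()}


if __name__ == "__main__":
    print(check_anchor("1.1.1.1", None, ["wism1a.someplace.com"], GUEST_DNS))
    print(check_all_anchors("1.1.1.1", {
        "wism1a.someplace.com": ["wism1a.someplace.com"],
        "wism1b.someplace.com": ["wism1a.someplace.com"],  # wrong cert
        "anchor-de.someplace.com": ["*.someplace.com"],
    }, GUEST_DNS))
```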

Tags: Cisco Wireless

Similar Questions

  • AP groups with guest anchor

    Hello

    I need to use AP groups for the guest SSID and this is an anchor controller scenario. Is it possible to configure a guest SSID and put this SSID in different AP groups on different VLANs on the local controller, anchored on the guest anchor controller? How can I configure this anchor? Can I put different corresponding interfaces on the anchor WLC and make several DHCP scopes for the different AP groups?

    Regards

    Joe

    Joe,

    Currently, you cannot base the anchor on the AP group.  It is based only on the SSID.

    Now, do you really need to split the guests into different subnets?  Or are you concerned about AP groups?

    If you really want to break the guests into different subnets, then you will need to create a different SSID on the inside and anchor controllers.  Anchor it, then link it to the appropriate interface.

    If you are concerned about the AP group, don't be.  Just because you use AP groups doesn't mean that all the guest SSIDs cannot bind to the same interface; they can.  You can even create a dummy interface on the internal WLC, so that if the anchor does not work, they do not get an address.

    Cheers,
    Steve

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • I get a 'Secure connection failed' error with google stating "certificate contains the same serial number".

    When I click on a link in a google search, I get the "Secure connection failed" error in Firefox. It says, "please contact the server administrator or email correspondent and give them the following information: your certificate contains the same serial number as another certificate issued by the certification authority."

    I followed the instructions here:
    https://support.Mozilla.org/en-us/KB/certificate%20contains%20The%20Same%20serial%20number%20As%20another%20certificate
    and looked at this article:
    https://support.Mozilla.org/en-us/questions/1028103?ESAB=a&As=AAQ

    I uninstalled and reinstalled Firefox, deleted the entire profiles folder and reset Firefox. I see that the older (orphaned) article points to my router. However, I have a new router and have updated its software. There is no button to add an exception (as stated in the article), so I can't just work around it. This problem does not occur with IE, so I have a hard time believing that it is my router.

    How do I solve this problem? I really want to change browser.

    Finally, I tracked down the issue. The answer was found here:
    https://support.Mozilla.org/en-us/questions/1028985

    It turns out that Avast has a web shield that does its own verification of https certificates. Of course, this feature is not quite right and loses track of the certificates. Disabling "https scanning" in the Avast settings resolved the problem.

  • Color LaserJet 4600dn DC Controller Board part number

    Dear friends,

    Can someone tell me whether DC controller board RG5-6438 is compatible with the 4600dn printer, please?

    (The existing DC controller board part number is RG5-6391)

    Cheers,

    Sylvain

    As far as I can see this part is used in the Color LaserJet 5500, which is a different printer.

  • WLC anchor controller Cisco HA

    Team - we're going for a refresh of the WLC anchor. The current one is a 4402 which is used only for guest user connections; there are no APs registered on it. We would replace it with a 5508, but this time in HA.

    Q. Do we really have to go for AIR-CT5508-HA-K9?  Can't we buy just 2 units of AIR-CT5508-12-K9?

    Please advise.

    Thank you

    It does not work with zero licenses, but it can work temporarily with the evaluation license. So if you order two 5508s you must have at least one AP license to make it work with HA-SSO in a permanent installation.

    Please rate helpful messages... :-)

  • WCS for guest lobby admin - anchor controllers only?

    Hi all

    I am implementing four guest anchor controllers for different regions and I would like to have a WCS platform to manage them all and therefore make the lobby admin a global feature, i.e. when an account is created for one region, it is also created for the other regions, so that when this person moves to another location their credentials are still valid.

    Do I just have to manage the guest anchor controllers with WCS, or will I need to add all the remote controllers as well?

    Cheers

    Rob.

    Your guest accounts live on the anchor controllers. WCS and anchors...

  • Certificates and Unified Wireless

    Hi people,

    I am currently deploying a unified wireless network and have run into a bit of a problem with certificates - unfortunately they aren't my specialist subject!

    We will deploy two wireless networks (Guest and Corp). Guest will be tunnelled to a dedicated WLC and Corp will be REAP: break-out to the local network with PEAP authentication against AD (via Cisco ACS).  We will have 7 WLCs (including the guest anchor) that will be managed by WCS.

    The problem I face with certificates is that I don't know how and where to place them - it is my understanding:

    1 x cert on the ACS for AD authentication

    1 x cert on the WCS for the web page login (to stop the cert alert)

    1 x cert on the mobility anchor (to stop the cert alert for guest access)

    I guess that since the other WLCs will not be logged on to, they do not need a cert, as everything will be done through WCS and the guest "web-auth" page is served by the central mobility anchor rather than the 6 WLCs?

    Ideally, we don't want cert warnings to appear, as that will generate a number of calls from users, only for us to tell them "just click ok and it'll be fine".

    I'm trying to find out if, since we have an internal certification authority, I can use it to get certificates for the WCS and ACS that will sort out the internal clients, then an 'external' cert for guests.

    Worst case, we would need to get 'external' certs for all three, but I'm confused as to how it works, as our internal domain is a 'private' name [example.private] rather than a public .com [example.com].

    Any guidance you can give would be great!

    Thanks in advance

    KeV

    Well, if you have an internal certification authority and it is in the trusted root store of the devices, you won't get this certificate error message.  If you go with a 3rd-party certificate, then you can go the route that you have:

    1 x cert on the ACS for AD authentication

    1 x cert on the WCS for the web page login (to stop the cert alert)

    1 x cert on the mobility anchor (to stop the cert alert for guest access)

    Or if you want fewer certificates, you can do this:

    1 x cert on the ACS for AD authentication and on the mobility anchor (to stop the cert alert for guest access)

    1 x cert on the WCS for the web page login (to stop the cert alert)

    Just use a CN which is general... like wifi.private or something like that.

    Scott

  • Guest Internet access

    Hello

    Looking for advice on the subject of the guest VLAN.

    How can I keep guest traffic off the DATA VLAN? All traffic on the guest VLAN should be routed directly to the Internet.

    We are looking for a setup similar to hotels: guests are given a username and password, with a time limit on internet access and a limit on the download speed.

    Do I have to create a different SSID on the WLC, and how will guest users acquire an IP address, WLC DHCP or Windows DHCP?

    If it's Windows DHCP, guest traffic may reach my DATA VLAN.

    Any help?

    We have a WLC 4420 - sorry - a 4402-xx

    1200 series APs (quantity 5)

    I'm new to WLC, can you help me understand:

    • How many SSIDs can we configure on the WLC, and can each SSID have different config settings?

    The AP and the code you have support only 8-16.  You do not want to configure too many (about 4) because of all the beacons that must be sent, which could cause problems with some devices.  You can configure the SSIDs the same or different, it is up to you.  Follow best practices on it.

    • Can we broadcast specific SSIDs on an access point configured with the WLC? (AP #1 can be used for the DATA SSID & SSID) (AP #2 may be for the partners SSID & guest SSID)

    You can create WLAN overrides (depending on code - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml) to specify which APs will broadcast this SSID.  This can be annoying if you have gaps for roaming, unless that's not an issue.

    • For the guest SSID, is it recommended to connect to a separate WLC port?

    You have different options:

    • You can use a guest anchor controller in your DMZ
    • You can use one port on the WLC connected to your internal network and the other port to the DMZ
    • You can trunk the VLANs and use ACLs to block all guest traffic to the inside networks.

    It all depends on your existing infrastructure and whether you are planning to buy more hardware or use the existing.

    • Instead of creating guest users on the WLC with time restrictions, is a third-party option possible with ease of management? (The Secretary of the Board could give internet access to the guests)

    You can use a NAC Guest Server... if you want to spend a lot of money.  You can configure a Lobby Admin account on the WLC so that the Secretary only has read/write to add guest accounts.  It would be the same if you have a WCS with a Lobby Admin account.

    http://www.Cisco.com/en/us/docs/wireless/WCS/4.2/configuration/guide/wcsmanag.html#wp1078208

    • How to have control over the bandwidth on the WLC, restricting users to a bandwidth limit?

    You must use a 3rd-party tool for this, such as ZoneCD; alternatively, you can use the NAC Guest Server.

    http://www.Cisco.com/en/us/solutions/collateral/ns340/ns394/ns348/ns787/data_sheet_c78-456124.html


    http://www.google.com/url?q=http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns787/DeployingGuestAccess_051308.pdf&ei=WtSTS9HpN43OM_WnkYoN&sa=X&oi=nshc&resnum=1&ct=result&cd=2&ved=0CAkQzgQoAQ&usg=AFQjCNGKgF_wWKQaI8lqHoFfwbg0iztVFg

    Any link to an example configuration with an Internet connection, DATA and guest VLANs, using ACLs to restrict traffic?

    I put a few links above... hope this helps.  Once again, it will come down to your existing environment and how much you want to spend.  You should also look at who will take over the facility, will the Secretary want to do that, etc.?  How I see guest access... well... they go out a separate internet pipe, so I don't really care about bandwidth.  They're guests, so they'd have to deal with it; nowhere to go, same as hotspots or even worse, hotels :)  Keep it simple and make it work... then you can add that later when you get more familiar with the configuration and troubleshooting.

  • Only 24 controllers in a mobility group?

    I want to create an anchor controller which has a dot1q leg in our DMZ, then make foreign controllers for the rest of my company, which would be 34 controllers in different geographic locations.  The problem I see is that I can only add 24 mobility members to the group in order to create the mobility peers, as indicated in this document.

    http://www.Cisco.com/en/us/docs/wireless/controller/4.0/Configuration/Guide/c40mobil.html

    What do people do for mobility anchors with more than 24 controllers?  I use a mixture of 6.0.182.0 and 4.2.112.0

    Tim,

    Yes, you can enter only 24 static entries, so if you have any redundant guest anchors, you will need to get two more and split the load between a pair of guest anchors.

  • Bad certificate - what do I do

    I get 'secure connection failed' for www.google.com. Your certificate contains the same serial number as another certificate issued by the certification authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial).
    I checked the certificate and it indicates that the certificate cannot be verified because the date has passed. It is dated 14/03/2014. However, all of the certificates under this "UserTrust" network have the same expiry date; for example Yahoo, and it still works.
    I removed it following an old Mozilla doc, tried it again, same message. The cert. manager showed the same cert. moved from "Servers" to "Others". Note that each of them under USERTRUST says that this cert. could not be verified because they are not trusted. After checking, all certificates under "Servers" in the certificate manager are not trusted! I ran MalwareBytes and do not believe it is malicious software, due to the fact that I can run Chrome and it works fine. Could I just delete all certificates in the UserTrust network? Or all of them? Would Firefox or Google rebuild the cert. I need properly?

    It sounds as if you are not getting the 'real' certificate of Google...

    Do you connect through a proxy server?

    Do you use ESET security software? Its SSL connection scanning function has been associated with this particular error code in the past. You could try disabling SSL scanning in ESET and see if that solves it: http://kb.eset.com/esetkb/index?page=content&id=SOLN3126 If this works, there could be a problem with duplicate ESET certificates in the Firefox certificate store. It should be fixable.

  • HP15-ac042tu: Ethernet controller and PCI Simple controller drivers required

    I installed the Ethernet controller and PCI Simple Communications Controller drivers a number of times, but the error message in Device Manager remains. Could someone please help me with the correct driver links for my laptop HP15-ac042tu.

    Hello:

    I'm glad you have the ethernet driver.

    You need the driver for the wireless card that is in your laptop.

    http://h20564.www2.HP.com/hpsc/SWD/public/detail?sp4ts.Oid=6943827&swItemId=ob_145419_1&swEnvOid=4058

    You will also need this bluetooth driver...

    http://h20564.www2.HP.com/hpsc/SWD/public/detail?swItemId=ob_149898_1

  • OfficeJet Pro 8500 A910 - security certificate problem

    When I try to access certain areas on my 8500 requiring secure access, I get the following error:

    "You have received an invalid certificate.  Please contact the server administrator or email correspondent and give them the following information:

    Your certificate contains the same serial number as another certificate issued by the certification authority.  Please get a new certificate containing a unique serial number.

    (Error code: sec_error_reused_issuer_and_serial)"

    How can I fix it?

    I called HP earlier this evening (25 Oct).  The man who answered was nice and helpful but had never seen the problem.  On his advice, I did a reset of the Internet Explorer options and I could get past it by ignoring the error/warning on this certificate and change my settings.  However, I still had the annoying certificate warning message in my face all the time.

    For Firefox, I followed the instructions on the link below and was granted access (without the annoying message, after accepting the "defective" certificate).  It's a good permanent solution.  The same must be doable for IE...

    http://support.Mozilla.com/en-us/KB/certificate%20contains%20The%20Same%20serial%20number%20As%20another%20certificate

  • SSID anchored

    Hello

    We have a couple of corporate Wireless LAN Controllers (WLC 5508). They are used for corporate purposes. Now we have added an anchor controller (WLC 2504) located in the DMZ to offer guest access. We anchored two SSIDs to it. The first is completely open with only internet access. It works very well. But we have a problem with the second SSID.

    The other requires authentication. This authentication must be done through RADIUS. We couldn't get it working and finally we understood why. The authentication process is done by the foreign controller. We have confirmed that with a capture on this network. The foreign controllers do not know how to get to the RADIUS server. And we want the anchor controller to be the one that does the authentication. Its IP address is the IP address that is accepted on the RADIUS server.

    In all the literature we read, it is said that authentication is always done via the anchor controller by default. For example:

    In an anchor - foreign WLC scenario, which WLC sends RADIUS accounting?

    In this scenario, authentication is always done by the anchor WLC. Therefore, RADIUS accounting is sent by the anchor WLC.

    -RADIUS server: in the WLAN Security > AAA Servers tab, your anchor controller can set specific RADIUS servers to use, and your foreign controller does not care. Authentication is performed on the anchor, not on the foreign, so you can call the RADIUS servers on the anchor and not on the foreign, no problem. They can also be different.

    This is not how it works in our scenario. We have:

    • Layer 2 Security 'WPA + WPA2', key management and authentication set to '802.1x'.
    • We set the RADIUS servers in the AAA Servers tab.
    • We are on software version 8.0.132.0.

    So we would like to know if any other configuration is needed to get the anchor to be the source of the authentication process.

    Thank you very much in advance!

    Josu,

    This is where your needs must be defined.  Encryption from the client to the access point is done only when you use layer 2 encryption.  So that being said, the RADIUS is also done on the foreign controller for layer 2.  Therefore, decide what is the best solution for you. When I hear about clear text when you anchor, I ask if encryption is required.  Generally, you anchor an SSID to a DMZ controller for internet-only access, so do you really care?

    -Scott

    Please rate useful messages.

  • Create safer self-signed certificates on IOS router?

    I use a 1921 router, partially as an AnyConnect (WebVPN) server for remote access to the location.  The certificate I used was a self-signed certificate & trustpoint generated on the router.  I am running the latest IOS available on the train to ensure that it has all the latest features.

    Doing a quick SSL check against it with Qualys, it seems to have a lot of weaknesses and known vulnerabilities.

    * Poodle TLS

    * TLS 1.0 only

    * SHA1

    * Diffie-Hellman 1024 bits

    * Some older encryption algorithms which seem to be available (but I've never specified them), such as TLS RC4_128_MD5

    The encryption mechanism and controls to create the cert don't give me much choice in the matter.

    Is there a new or better way to create a more secure certificate chain on an IOS router?  I couldn't find the instructions anywhere.

    Robert

    Take a look at my Suite-B virtual private network guide.  It creates more secure certificates.  Note my comment about the minimum software version to use.

    https://www.IFM.NET.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-crypto.html

  • Problem with the IOS certificate server not updating the CRL

    Hi all

    The background is that I'm putting in a DMVPN solution with IPsec tunnels between the spokes, built using certificates.

    I use a Cisco 877 as the CA server (running 12.4(6)T5) to provide certificates for the spoke routers. This part works very well - spokes can request a certificate and get one just fine.

    The problem is the CA: the CRL lifetime is set to 24 hours, but the CA is not updating the CRL, so when the spokes check the CRL (as defined in their trustpoint) they report an error that the CRL is out of date and do not connect.

    If I do a 'sh crypto pki server' it lists a 'CRL NextUpdate timer'. It has a timestamp that is 24 hours after the last certificate was revoked. The only way I can get the CRL to be rebuilt is to revoke a certificate.

    So, my question is, am I missing something here? I thought that it would automatically generate a new CRL file every 24 hours.

    Can anyone help?

    Thank you.

    Hey Marc (?)

    This seems to correspond to this bug:

    CSCsy95838    IOS CA: CRL not updated, update timer not started

    However, it does not mention if 12.4(6)T5 is affected, only that it was found in 12.4(15)T3 and resolved in 12.4(15)T10 and other more recent versions.

    I suggest trying the latest 12.4(15)Tx, 15.0(1)Mx or 15.1(4)Mx version if you can.

    I assume that you are aware of it, but just in case: as a workaround, you can disable CRL checking on all DMVPN routers; of course they will then still allow connections from routers with a revoked certificate.

    As a (temporary?) substitute for a revocation list, you can use a 'certificate ACL', with which you can create a kind of 'local manual CRL':

      crypto pki certificate map certACL 10
       serial-number ne <revoked-serial-1>
       serial-number ne <revoked-serial-2>
       (etc.)

      crypto pki trustpoint myTP
       match certificate certACL

    (note the "ne" stands for "not equal", so you are permitting any certificate whose serial number is not listed)
    Of course, you would have to configure (and maintain!) that on each participating router in the DMVPN, so it's heavy, but I guess if you revoke certs often, it might be an option.
    HTH
    Herbert

    --

    If this post answered your question, please click the "Correct Answer" button.
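To make the trade-off in Herbert's workaround concrete, here is an added example (not code from the thread or from Cisco) that evaluates a certificate map made of `serial-number ne` lines and, beside it, the spokes' CRL check against a CRL whose NextUpdate has passed. The map semantics (lines within one sequence ANDed, sequences ORed, serials compared as hex ignoring case, separators and leading zeros), the sample config and the serial numbers are assumptions constructed for the example.

```python
"""Added example: evaluate a 'crypto pki certificate map' built from
'serial-number ne <serial>' lines (Herbert's local manual CRL) and compare
it with a standard CRL check once the CRL is stale. Semantics below are
assumptions modelled on IOS, not taken from the thread."""


def norm_serial(serial):
    """'1A:2B' and '001a2b' denote the same serial number."""
    return serial.replace(":", "").lower().lstrip("0") or "0"


def parse_certificate_map(config_text):
    """Return {map_name: {seq: [(field, op, value), ...]}} from config text.
    Any other top-level command ends the current map block."""
    maps, rules = {}, None
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!"):
            continue
        if parts[:4] == ["crypto", "pki", "certificate", "map"]:
            rules = maps.setdefault(parts[4], {}).setdefault(int(parts[5]), [])
        elif rules is not None and len(parts) == 3:
            rules.append(tuple(parts))
        else:
            rules = None
    return maps


def rule_matches(rule, cert):
    field, op, value = rule
    actual = cert[field]
    if field == "serial-number":
        actual, value = norm_serial(actual), norm_serial(value)
    if op == "eq":
        return actual == value
    if op == "ne":
        return actual != value
    raise ValueError(f"unsupported operator {op!r}")


def certificate_map_accepts(maps, map_name, cert):
    """A peer certificate passes if every rule of at least one sequence holds."""
    sequences = maps[map_name]
    return any(all(rule_matches(r, cert) for r in sequences[seq])
               for seq in sorted(sequences))


def crl_accepts(crl, cert, now):
    """CRL check as a spoke performs it: a CRL past its NextUpdate is unusable,
    so every peer is rejected, which is the failure the thread describes."""
    if now > crl["next_update"]:
        return False
    revoked = {norm_serial(s) for s in crl["revoked"]}
    return norm_serial(cert["serial-number"]) not in revoked


# Constructed sample config in the shape Herbert shows (serials invented)
CERT_ACL_CONFIG = """
crypto pki certificate map certACL 10
 serial-number ne 1A2B
 serial-number ne 0003
crypto pki trustpoint myTP
 match certificate certACL
"""
CERT_MAPS = parse_certificate_map(CERT_ACL_CONFIG)

# Constructed CRL: issued at t=0 with NextUpdate 24 h later (seconds)
SAMPLE_CRL = {"next_update": 24 * 3600, "revoked": ["1A2B"]}


def compare_checks(serial, now):
    """What each mechanism decides for a peer with this serial at time `now`."""
    cert = {"serial-number": serial}
    return {"cert_map": certificate_map_accepts(CERT_MAPS, "certACL", cert),
            "crl": crl_accepts(SAMPLE_CRL, cert, now)}


if __name__ == "__main__":
    for serial, t in (("04", 3600), ("1a:2b", 3600), ("04", 30 * 3600)):
        print(serial, t, compare_checks(serial, t))
```

The last case is the thread's situation: a valid peer is refused by the stale CRL but still admitted by the certificate map, while a revoked serial is refused by both.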
