WEBADMIN CERTIFICATE FOR WLC SSO HIGH AVAILABILITY
This document describes how to secure SSL access to the Wireless Controller with a CA-signed certificate that authenticates the controller to the administrator.
We have two Cisco 5520 Wireless Controllers configured as an HA SSO pair. The management interface, which is used to reach the web GUI for administration, has an entry in DNS and a certificate that validates the identity of the controller you are connecting to. In addition, each redundancy-management interface can have a DNS entry of its own and be used to reach each physical appliance via SSH or from a network monitoring solution.
Pre-requisites
· Software: OpenSSL
· Enterprise CA server
· DNS entry for the WLC
STEP 1: DNS ENTRY
Create the DNS entry for the controller and plan the subject alternative names the certificate must carry:
· DNS.1 = device.abcd.local (10.176.56.32)
· DNS.2 = *.abcd.local
· IP.3 = 10.176.56.32
STEP 2: Generate a Private Key and CSR
We use openssl to create the CSR. Be prepared to answer the following prompts:
· Country Name
· State or Province Name
· Locality Name
· Organization Name
· Organizational Unit Name
· Common Name
· Email Address
STEP 3: Prepare Certificate Chain
The CSR is submitted to the CA for signing; in return you receive the signed identity certificate for your controller along with the CA's intermediate and root certificates.
The chain is delivered as a .p7b file and must be converted to .pem format.
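The key and CSR generation from Step 2 and the .p7b to .pem conversion from Step 3, as an added shell example that is not from the original post: it writes the Step 1 SAN entries into an OpenSSL request config so they are carried in the CSR instead of relying on the interactive prompts. The DN values, file names and the chain.p7b input name are assumptions; only the FQDN, wildcard and IP come from the post.

```shell
# Added example (not from the original post): generate the WLC key and CSR
# with the SAN list from Step 1, then convert the CA's .p7b chain to PEM (Step 3).
# FQDN and IP are from the post; DN values and file names are constructed.
set -eu

WLC_FQDN="device.abcd.local"
WLC_IP="10.176.56.32"

# Write an OpenSSL request config (prompt = no) carrying the Step 1 SAN entries.
write_csr_config() {
    cat > "$1" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
C = US
ST = Example State
L = Example City
O = Example Org
OU = Network Team
CN = ${WLC_FQDN}
emailAddress = netops@abcd.local

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${WLC_FQDN}
# DNS.2 wildcard is as in the post; a management cert is safer with exact names only
DNS.2 = *.abcd.local
IP.3 = ${WLC_IP}
EOF
}

# Generate a 2048-bit RSA key and a CSR inside DIR; prints the CSR path.
make_csr() {
    dir="$1"
    write_csr_config "$dir/wlc.cnf"
    openssl genrsa -out "$dir/wlc.key" 2048 2>/dev/null
    openssl req -new -key "$dir/wlc.key" -config "$dir/wlc.cnf" -out "$dir/wlc.csr" >/dev/null
    echo "$dir/wlc.csr"
}

# Convert the CA's PKCS#7 (.p7b) chain to PEM; CAs hand out DER or PEM, so try both.
p7b_to_pem() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2" 2>/dev/null \
      || openssl pkcs7 -inform PEM -in "$1" -print_certs -out "$2"
}
```

Submit wlc.csr to the enterprise CA, run p7b_to_pem on the returned .p7b, and confirm the PEM output lists the identity, intermediate and root certificates before uploading to the controller.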
STEP 4: Install Certificate Chain
1. Upload the certificate to the ACTIVE Wireless Controller first. This is the WLC that is reached by default on the management interface. The certificate is pushed to the ACTIVE WLC first, which then asks for a reboot.
2. Either:
   A. Reboot the ACTIVE CONTROLLER, or
   B. Run the command "redundancy force-switchover" so that the ACTIVE CONTROLLER reloads and hands control to the HOT STANDBY, which becomes ACTIVE.
3. When the ACTIVE Wireless Controller answers ping again, let it settle down, then verify the HA state once and check the webAuth certificate with the CLI command "show certificate webauth" on both controllers.
CURRENT WEBADMIN CERT
1. The ACTIVE controller is now the one that was HOT STANDBY, and it still has the OLD CERTIFICATE. Upload the certificate to this one and reboot it or run redundancy force-switchover.
2. After this controller comes back it becomes HOT STANDBY, exactly the role it had before starting this exercise.
3. Once again verify the certificate on both controllers using the show certificate webadmin command.