
Tuesday, 30 October 2012

Cisco WLC keeping web auth persistent

How would you keep a client's web authentication persistent even after the client gets disconnected or deauthenticated?

Device: Cisco WLC 5508

Code: 7.0.116.0

Recently, after setting up a wireless network with the Web Authentication redirect option on a Cisco Wireless LAN Controller 5508, I had an issue where after approximately an hour mobile clients, especially mobile phones, would disconnect and have to go through the Web Authentication redirect page again and again. This was very annoying. Basically, on the Cisco WLC 5508 web-auth clients timed out and had to re-authenticate.

After doing a lot of research and trying to change the timeout settings under User Idle Timeout, ARP Timeout and Session Timeout, nothing worked. Finally, after working with Cisco TAC and running a client debug on the controller ("debug client <client-mac>"), I noticed that after an hour the WLC sends a new broadcast (group) key to the client in an EAPOL-Key message. This only happens on a WLAN that also has a Layer 2 WPA/WPA2 policy; an open WLAN with web auth alone has no EAPOL-Key exchange at all.


Updated broadcast key sent to mobile 00:23:76:D5:68:61
The Cisco WLC 5508 tries this three times; after the third failure it considers the client inactive, sends it a deauthentication frame and then removes the client entry completely. That is why, when the client comes back, it has to go through the Web Authentication redirect page again: its web-auth state was deleted together with the client entry, and the key it still holds is no longer valid.


Retransmit failure for EAPOL-Key M5 to mobile mac-id, retransmit count 3, mscb deauth count 0

Sent Deauthenticate to mobile on BSSID ap-mac-id slot 0(caller 1x_ptsm.c:534)

*apfReceiveTask: Jun 16 10:47:30.960: client-mac client-ip RUN (20) Deleted mobile LWAPP rule on AP [ap-mac]

Solution

The solution is to increase the broadcast key interval. I used the following command to do this. PS: this option was not available in the GUI with the code I am using, so the only way for me to do it was via the Cisco WLC 5508 command line interface. It applies globally to all WLANs as of this code, and its default of 3600 seconds is exactly the one-hour symptom:

config advanced eap bcast-key-interval <seconds>   (120 to 86400)

Verify the new value with "show advanced eap", which lists the EAP-Broadcast Key Interval. Bear in mind the trade-off: the interval is also how long a station that has left the WLAN can keep decrypting broadcast and multicast traffic with the old group key until the next rotation, so raise it only as far as needed rather than straight to the maximum.
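A quick way to confirm you are hitting this particular failure before touching the timer is to scan a saved "debug client" capture for the rekey failure followed by the deauth. The script below is an added example, not part of the original post or any Cisco tool. The log lines in SAMPLE_DEBUG are constructed to mimic the lines quoted above (same message text, made-up MAC addresses and times), and the script assumes the WLC's usual debug line layout with the client MAC as the fifth whitespace-separated field.

```shell
#!/bin/sh
# Added example (not from the original post or Cisco): find clients that the WLC
# deauthenticated after a failed broadcast-key (EAPOL-Key M5) rekey in a saved
# "debug client" capture. Assumes the WLC's usual debug line layout:
#   *task: Mon DD hh:mm:ss.mmm: <client-mac> <message>
# so the client MAC is the fifth whitespace-separated field.

# Constructed sample capture: one client never answers the rekey and is deauthenticated,
# a second client answers (message 6) and stays. MACs, BSSID and times are made up.
SAMPLE_DEBUG=$(cat <<'EOF'
*dot1xMsgTask: Jun 16 10:46:30.101: 00:23:76:d5:68:61 Updated broadcast key sent to mobile 00:23:76:D5:68:61
*dot1xMsgTask: Jun 16 10:46:30.102: 00:11:22:33:44:55 Updated broadcast key sent to mobile 00:11:22:33:44:55
*dot1xMsgTask: Jun 16 10:46:30.250: 00:11:22:33:44:55 Received EAPOL-key in PTKINITDONE state (message 6) from mobile 00:11:22:33:44:55
*dot1xMsgTask: Jun 16 10:46:33.104: 00:23:76:d5:68:61 Retransmit failure for EAPOL-Key M5 to mobile 00:23:76:d5:68:61, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Jun 16 10:46:33.105: 00:23:76:d5:68:61 Sent Deauthenticate to mobile on BSSID 00:1a:2b:3c:4d:50 slot 0(caller 1x_ptsm.c:534)
*apfReceiveTask: Jun 16 10:47:30.960: 00:23:76:d5:68:61 10.0.5.23 RUN (20) Deleted mobile LWAPP rule on AP [00:1a:2b:3c:4d:50]
EOF
)

# Print one line per affected client: "<mac> <time rekey was sent> <time of deauth>".
# Reads the capture on stdin. A retransmit failure alone is not reported; only the
# case the post describes, where the controller gives up and drops the client, is.
rekey_deauth_victims() {
    awk '
        function ts(t) { t = $4; sub(/:$/, "", t); return t }
        /Updated broadcast key sent to mobile/             { sent[tolower($5)] = ts() }
        /Retransmit failure for EAPOL-Key M5 to mobile/   { failed[tolower($5)] = 1 }
        /Sent Deauthenticate to mobile/ && (tolower($5) in failed) { victim[tolower($5)] = ts() }
        END { for (m in victim) print m, sent[m], victim[m] }
    ' | sort
}

# Run it over the constructed capture; with a real one use: rekey_deauth_victims < capture.txt
printf '%s\n' "$SAMPLE_DEBUG" | rekey_deauth_victims
```

If the gap between the first and second timestamp for every victim is a few seconds and the victims all fall on the hour after association, the broadcast key interval is the timer to look at; if the same clients show up again after raising it, the problem is somewhere else.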

Wednesday, 19 September 2012

Installing a Web Authentication Certificate

This post details how to request and install a Web Authentication certificate on the WLC. I am going to use Go Daddy to purchase the SSL certificate; Go Daddy signs with an intermediate CA, so the result is a chained certificate.

This guide shows how to do this with Windows 7. Most documents on the web are only for Windows XP/2000.

You need to download and install OpenSSL 0.9.8, the version this procedure was written against. Newer OpenSSL releases write the private key in final.pem as a PKCS#8 "ENCRYPTED PRIVATE KEY" block rather than the "RSA PRIVATE KEY" block that 0.9.8 produces, which this WLC code may not accept, so if you use a newer build check the key header in final.pem before uploading it. The link below is a third-party mirror, not an official OpenSSL distribution; treat it accordingly and prefer a build you can verify.

http://www.ie7pro.com/openssl/openssl-dll-0.9.8g_x64.zip


First you need to generate the certificate request.

By default openssl.exe is located in C:\OpenSSL\bin.




Issue this command: OpenSSL>req -config "C:\OpenSSL\bin\openssl.cfg" -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem

 
 
Provide all the information. The important field is the "Common Name": it must match the DNS name that resolves to the virtual IP address of the WLC, because that is the name the web-auth redirect uses. Note that -nodes leaves the private key unencrypted, and the "challenge password" the request prompts for is only an attribute of the CSR; the password the WLC will need later is the one you set in the pkcs12 step below.
 
After you provide all the required details, two files are generated:
  • a new private key that includes the name mykey.pem
  • a CSR that includes the name myreq.pem
Copy and paste the contents of the CSR into the CA's enrollment form (Go Daddy's, in this case).

After you submit the CSR to the third-party CA, the CA signs the certificate and sends back the signed certificate chain by e-mail. In the case of chained certificates you receive the entire chain from the CA. With one intermediate certificate, as in this example, you receive these three certificates:
  • Root certificate.pem
  • Intermediate certificate.pem
  • Device certificate.pem
Note: download the certificate in the Apache (PEM) format; SHA-1 is the signature hash the CA used at the time, not an encryption setting.
Once you have all three certificates, paste the contents of each .pem file into a single new file in this order (the PEM delimiters are exactly five dashes on each side):
-----BEGIN CERTIFICATE-----
*Device cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert*
-----END CERTIFICATE-----
Save the file as All-certs.pem.


Combine All-certs.pem with the private key that you generated along with the CSR (the private key of the device certificate, mykey.pem in this example) and save the result as final.pem. Issue these two commands in OpenSSL: the first wraps the chain and the key into a PKCS#12 file (All-certs.p12), the second unwraps it into final.pem with the key encrypted:

openssl>pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:check123 -passout pass:check123

openssl>pkcs12 -in All-certs.p12 -out final.pem -passin pass:check123 -passout pass:check123

Note: you must supply a password for both -passin and -passout. The -passout password of the second command is what encrypts the key inside final.pem, and it must match the certpassword you later configure on the WLC. In this example both passwords are check123.
final.pem is the file that we need to download to the Wireless LAN Controller. The next step is to transfer it to the WLC.

Download the Third-Party Certificate to the WLC using the CLI

Complete these steps in order to download the chained certificate to the WLC using the CLI:
  1. Move the final.pem file to the default directory on your TFTP server.
  2. In the CLI, issue these commands in order to change the download settings:
        >transfer download mode tftp
        >transfer download datatype webauthcert
        >transfer download serverip <TFTP server IP address>
        >transfer download path <absolute TFTP server path to the update file>
        >transfer download filename final.pem
    
  3. Enter the password for the .pem file so that the operating system can decrypt the SSL key and certificate.
    >transfer download certpassword password
    
    Note: certpassword must be the same as the -passout password used in the pkcs12 commands above (check123 in this example).
  4. Issue the transfer download start command in order to view the updated settings. Then enter y at the prompt in order to confirm the current download settings and start the certificate and key download. Here is an example:
    (Cisco Controller) >transfer download start
     
    Mode............................................. TFTP
    Data Type........................................ Site Cert
    TFTP Server IP................................... 10.77.244.196
    TFTP Packet Timeout.............................. 6
    TFTP Max Retries................................. 10
    TFTP Path........................................./
    TFTP Filename.................................... final.pem
     
    This may take some time.
    Are you sure you want to start? (y/N) y
     
    TFTP EAP Dev cert transfer starting.
     
    Certificate installed.
    Reboot the switch to use new certificate.
  5. Reboot the WLC for the change to take effect. After it comes back, "show certificate summary" should list the Web Authentication Certificate as 3rd Party, and the redirect page, reached by the DNS name in the Common Name, should present the new certificate without a browser warning.