
SSL Certificate Issue on WLC4136


HermeszData
09-07-2011, 09:33 PM
Circumstances:

Low budget Hospitality facility providing Free Wi-Fi to guests with the requirement that guests agree to terms and conditions before granting access to internet usage.

Problem:

I need to get rid of the annoying Invalid Security Certificate Warning users receive when they connect to the logon page with the WLC configured for Web Authentication. Unfortunately, the WLC4136 (with the latest software release) DOES NOT support chained certificates and no one offers un-chained certificates as of May (or so I understand). I had purchased what was advertised as an Un-Chained SSL certificate – Thawte SSL 123 – but it came in as a Chained SSL Certificate and users receive the invalid warning because “the Root Authority could not be verified.” If I install the Intermediate Certificate on a computer that wishes to connect, I no longer get the warning when the browser initially opens (auto redirect to the login page, i.e., wifi.somedomain.com – a DNS entry for the sub-domain exists within the domain’s structure) and everything works as it should.

If I disable https, the users receive the redirect, without the certificate warning, to the external URL for login but the authentication passes the login parameters back to the controller at the https URL.

Solutions ??? :

1. Upgrade hardware to that which supports Chained certificates – NOT AN OPTION due to budget constraints!
2. Make the Intermediate Certificate available on a thumb drive, obtainable from the front desk with installation instructions, so the guest may install it on their laptop. This, however, presents problems that make this solution less than optimal:
a. Although cheap, I suspect the annual cost to thumb drives could be quite high due to the non-return of the original loaned device.
b. Most Front Desk personnel are not particularly tech savvy, nor do they have time to work with guests to resolve guest connectivity issues.
c. Increased Help Desk Load drives up support costs.
d. Many guests are using Corporate laptops and do not have the necessary ADMIN privileges to accomplish this.
e. Most computer users are as lost as a blind man in a snow storm when it comes to this type of issue (or any computer related issue for that matter).
f. Have users upgrade to the latest version of their favorite browser (I know FireFox, as an example has this particular Intermediate Certificate in the Certificate Store) but this cannot be done without internet access at the minimum.
g. Guests simply want to get on the internet and take care of what they need to do and not be bothered with the behind the scenes crap we deal with to make their stay satisfying.
3. Provide another method for guests to accept the Terms and Conditions:
a. Router based AAA/RADIUS authentication using the existing (albeit modified) login page, either hosted on the router or remotely.
b. OR ?????????????

Obviously, Options 1 and 2 are NOT viable options. I coded the current logon page using a Cisco provided template that works perfectly, with the exception of the Security Warning they receive when they initially open their web browser.
With all said above, how do I overcome the above issues? (I should note that the site does not have a Domain Controller or any server for that matter and neither does corporate. Therefore, any authentication MUST be handled by the existing LOCAL hardware: router, switches, or WLC.)

Existing hardware:
· Cisco 2621 Max D/F and Latest available IOS
· Cisco 3524-PWR – Latest IOS – working as Distribution Switch in MDF
· Cisco 3650-24-POE – Access Point Switch in IDF with GB link to MDF Switch.
· 12 Cisco 1100 Series APs, all Wired POE connections between APs and 3560 Switch


Any suggestions? I need to resolve this quickly and my research has turned up nothing.
I know there are more than one way to skin a cat (not that I am trying to skin a cat … who but a sadist would want to?) so I am sure there is a workable solution for this complication.

Big Evil
09-08-2011, 03:38 AM
I have been down this path with the same issue - the only way was to buy a SSL cert.

Sorry not good news - that is the only way i know.

HermeszData
09-08-2011, 09:04 AM
I have been down this path with the same issue - the only way was to buy a SSL cert.

Sorry not good news - that is the only way i know.

Big E, I purchased and installed the Thawte SSL 123 Certificate which at the time of purchase was supposedly an un-chained, Root Signed, SSL Certificate. When it arrived, the certificate was a chained certificate with both primary and secondary intermediate certificates.

The problem stems from the fact that the WLC 4136 DOES NOT support Chained SSL Certificates. http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

The linked document states:

WLC software versions earlier than 5.1.151.0 do not support chained certificates. Use one of these options in order to workaround this issue:

1. Acquire an unchained certificate from the CA, which means that the signing root is trusted.
2. Have all valid intermediate CA root certificates, trusted or untrusted, installed on the client.

The software versions available for the WLC 4136 are 3.2.171.6 and 3.2.210.0. Neither support chained certificates.

So, is there a method I might use, disabling Web Authentication on the WLC, to have the router trap the initial access to the internet when a user first opens their browser and have the router handle the access control/web authentication/Terms and conditions?

The router is:
2621XM - 256D/48F, IOS = c2600-adventerprisek9-mz.124-25b.bin.
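The mechanism behind the warning described in the two posts above (the controller hands the browser only its own certificate, the browser trusts only the Thawte root, and nothing bridges the two until the intermediate is installed on the client) can be reproduced locally. The script below is an added example written for this thread, not anything from the original posts or from Cisco; it builds a constructed three-tier chain with openssl (root "Demo Root CA", intermediate "Demo Intermediate CA", leaf "wifi.example.test", all placeholder names) and then verifies the leaf the two ways a client can see it: with only the root in the trust store, as happens when the WLC serves the bare leaf, and with the intermediate supplied as well.

```shell
#!/bin/sh
# Constructed demonstration: root -> intermediate -> leaf chain, then two
# verification attempts that mirror the WLC 4136 situation.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Self-signed root CA (stands in for the trusted root in the browser store).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Demo Root CA" -keyout root.key -out root.pem 2>/dev/null

# 2. Intermediate CA, signed by the root with CA:TRUE so it may issue leaves.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile int.ext -out int.pem 2>/dev/null

# 3. Leaf certificate for the web-auth hostname (placeholder name), signed by
#    the intermediate, which is exactly what a chained commercial cert looks like.
openssl req -newkey rsa:2048 -nodes -subj "/CN=wifi.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:wifi.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null

# What a browser does when the controller sends only leaf.pem and the client
# trusts only the root: no path to a trusted anchor, so verification fails.
# Returns 0 on success, non-zero on failure (openssl verify's exit status).
verify_leaf_only() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Same root trust, but the intermediate is available (installed on the client,
# as the poster did by hand, or sent by a server that supports chains).
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
}

# Stand-alone run: show both outcomes, including openssl's own error text.
echo "--- leaf only, root trusted ---"
openssl verify -CAfile root.pem leaf.pem || true
echo "--- leaf + intermediate, root trusted ---"
openssl verify -CAfile root.pem -untrusted int.pem leaf.pem || true
```

The first verify prints "unable to get local issuer certificate", which is the same condition the browser reports as an unverifiable root authority; the second succeeds. To see what a real controller actually sends, `openssl s_client -connect wifi.somedomain.com:443 -showcerts` lists every certificate in the handshake: a single certificate followed by that same error is the incomplete-chain symptom, and a server that does support chains shows the intermediate immediately after the leaf.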

Big Evil
09-08-2011, 09:15 AM
If there is a way of having the router do it, I have never seen/heard of that way.