
Monday, May 20, 2013

Cisco WLC Certificate signing



In the following post I will explain the steps needed to create, sign and install a certificate on a Cisco WLC controller for the web authentication portal.

In general the process goes like this:
1.       You create a CSR and send it to a 3rd party CA for signing
2.       The CA returns two certificates: device and server
3.       You use the private key along with the CA certificates to create the final certificate
4.       Install the certificate on the controller

CSR (Certificate Signing Request) - A CSR is a message that an applicant sends to a CA in order to apply for a digital identity certificate. For the most part, a third-party CA company, like Entrust or VeriSign, requires a CSR before the company can create a digital certificate.

CA (Certificate Authority) – A server/company responsible for validating requests and issuing certificates; a few of the main CAs are GoDaddy, RapidSSL, Verisign etc.

First we need to download and install the OpenSSL program, version 0.9.6a; if you are working on Microsoft Windows you will need OpenSSL for Windows, which can be downloaded from the following URL:
After downloading the file, unzip it and run the setup.exe file, follow the instructions, and after the installation process ends reboot the computer.

Now let's begin; the first step is to create a CSR:
1.       Open CMD with administrative privileges (Start->Run, type CMD and press CTRL+SHIFT+ENTER)

2.       Go to the OpenSSL working directory (C:\>cd C:\Program Files\Cendio Systems\OpenSSL)

3.       Type:
set OPENSSL_CONF=C:\Program Files\Cendio Systems\OpenSSL\openssl.cnf, and press Enter

4.       Type: openssl.exe and press Enter

5.       Type: req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem
(the option names use plain hyphens; -nodes writes the private key file unencrypted, which is why mykey.pem has to be kept in a safe place later on)

6.       A configuration form will appear and you will have to type some information; the most important field is the CN (Common Name), which must be the same as the controller host name and can be retrieved from the controller under Controller->Interfaces->DNS Host Name



Process output example:

OpenSSL> req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem
Using configuration from C:\Program Files\Cendio Systems\OpenSSL\openssl.cnf
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
...........................................+++
.............................................................+++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IL
State or Province Name (full name) [Some-State]:IL
Locality Name (eg, city) []:TLV
Organization Name (eg, company) [Internet Widgits Pty Ltd]:COMPANY.COM
Organizational Unit Name (eg, section) []:IT_WiFi
Common Name (eg, YOUR name) []:wifi.company.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
OpenSSL>

One more important thing is to remember the challenge password as we will need it later in the process.

7.       At the end of the process we will find 2 new files in the OpenSSL working directory: mykey.pem and myreq.pem. Keep the file mykey.pem in a safe place along with the challenge password, and send the file myreq.pem to the CA for signing.

8.       After the CA signs your request it will send you back two files – the root certificate and the device certificate. Now we need to join these two into one file. Open the device certificate with your favorite text editor and copy its content to a new text file, then open the root certificate and copy its content into the new file right below the device certificate content (the device certificate must come first).

Paste certificates together in order to create one all-in-one

9.       Save the new file as all_certs.pem

10.   Copy the file all_certs.pem to OpenSSL working directory

11.   Type: pkcs12 -export -in all_certs.pem -inkey mykey.pem -out all_certs.p12 -clcerts -passin pass:123456 -passout pass:123456

*the password is the one that we entered in step 6

OpenSSL> pkcs12 -export -in all_certs.pem -inkey mykey.pem -out all_certs.p12 -c
lcerts -passin pass:123456 -passout pass:123456
Loading 'screen' into random state - done

12.   Type: pkcs12 -in all_certs.p12 -out final-cert.pem -passin pass:123456 -passout pass:123456

OpenSSL> pkcs12 -in all_certs.p12 -out final-cert.pem -passin pass:123456 -passo
ut pass:123456
MAC verified OK

13.   Now we have the file final-cert.pem; this is the file that we will install on the controller. Put the file on a computer which runs a TFTP server and make sure that the controller has access to this computer (most of the problems are found at this stage, where firewalls, NAT and all kinds of IP addressing issues prevent the controller from reaching the TFTP server properly).
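The OpenSSL part of the procedure (steps 5 through 12), as an added example that is not the post's own code: the same openssl commands run non-interactively from a POSIX shell, followed by the checks worth running on final-cert.pem before it goes anywhere near the controller. The third-party CA is replaced by a throwaway local test CA (an assumption, labelled as such in the script); the hostname wifi.company.com, the working directory and the password 123456 are the post's sample values and can be overridden through the WORKDIR, CN and CHALLENGE variables.

```shell
#!/bin/sh
# Added example (not the post's own code): the CSR -> signed chain -> PKCS#12 -> PEM steps
# from the post, run non-interactively with the same openssl commands, plus the checks
# worth running on final-cert.pem before it goes to the controller. The third-party CA is
# replaced by a throwaway local test CA (an assumption); hostname, directory and password
# are assumed values taken from the post's sample output.
set -eu
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # stands in for the OpenSSL working directory
CN="${CN:-wifi.company.com}"         # must equal Controller->Interfaces->DNS Host Name
CHALLENGE="${CHALLENGE:-123456}"     # password from step 6; reused for the .p12 and final PEM

# Steps 5-6: key + CSR. -subj answers the questionnaire; -nodes leaves mykey.pem unencrypted.
make_csr() {
    cd "$WORKDIR"
    openssl req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem \
        -subj "/C=IL/ST=IL/L=TLV/O=COMPANY.COM/OU=IT_WiFi/CN=$CN" 2>/dev/null
    openssl req -in myreq.pem -noout -subject    # what the CA will see; check the CN here
}

# Stand-in for the third-party CA (assumption): a self-signed test root that signs the CSR.
# In the real flow these two files come back from the CA as the root and device certificates.
sign_with_test_ca() {
    cd "$WORKDIR"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -keyout ca-key.pem \
        -out ca-cert.pem -subj "/CN=Test Root CA (stand-in)" 2>/dev/null
    openssl x509 -req -in myreq.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
        -days 30 -out device-cert.pem 2>/dev/null
}

# Steps 8-9: one file, device certificate first, issuer(s) after it. Order matters because
# the controller presents the chain in file order. Prints the number of certificates.
build_chain() {
    cd "$WORKDIR"
    cat device-cert.pem ca-cert.pem > all_certs.pem
    grep -c 'BEGIN CERTIFICATE' all_certs.pem
}

# Steps 11-12: bundle certificates and key into PKCS#12, then back to PEM with the key
# encrypted under $CHALLENGE, which is the password the controller must later be given.
make_final_pem() {
    cd "$WORKDIR"
    openssl pkcs12 -export -in all_certs.pem -inkey mykey.pem -out all_certs.p12 \
        -clcerts -passin pass:"$CHALLENGE" -passout pass:"$CHALLENGE"
    openssl pkcs12 -in all_certs.p12 -out final-cert.pem \
        -passin pass:"$CHALLENGE" -passout pass:"$CHALLENGE"
}

# The checks the post leaves out. Certificate and key are pulled out of final-cert.pem by
# PEM header so the tools never stumble over the encrypted key block in the same file.
verify_final_cert() {
    cd "$WORKDIR"
    cert=$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' final-cert.pem)
    key=$(sed -n '/BEGIN ENCRYPTED PRIVATE KEY/,/END ENCRYPTED PRIVATE KEY/p' final-cert.pem)
    # 1. the key is present and encrypted (an unencrypted key here means step 12 went wrong)
    [ -n "$key" ] || { echo "no encrypted private key in final-cert.pem" >&2; return 1; }
    # 2. the device certificate validates against the root that ships alongside it
    printf '%s\n' "$cert" | openssl verify -CAfile ca-cert.pem >/dev/null
    # 3. the CN is the controller host name (browsers compare it with the portal URL)
    subject=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
    case "$subject" in
        *"CN = $CN"*|*"CN=$CN"*) ;;
        *) echo "CN mismatch: $subject" >&2; return 1 ;;
    esac
    # 4. the key really belongs to the certificate: same public key derived from both
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey)
    key_pub=$(printf '%s\n' "$key" | openssl pkey -passin pass:"$CHALLENGE" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    echo "final-cert.pem OK for $CN in $WORKDIR"
}

make_csr
sign_with_test_ca
build_chain >/dev/null
make_final_pem
verify_final_cert
```

Run it as `sh wlc-cert.sh` (or with `CN=<controller host name> WORKDIR=<dir>` set in the environment); with a real CA, skip sign_with_test_ca, drop the CA's two files into the working directory under the same names and run the remaining functions. The CN check is the one that matters most: a mismatch is not reported by the controller at install time but shows up as browser warnings on every client that hits the portal.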

From here there are two ways to download the certificate to the controller: web GUI or CLI. I prefer the CLI because it gives you error output in case something is wrong, but I will show both ways.
    
14.   Web GUI: enter the controller web GUI and go to Security (1) -> Web Auth (2) -> Certificate and check the Download SSL Certificate checkbox (3)


15.   Type in the required information such as the server IP, file name and password (from step 6); at the end click Apply (in the upper right corner).

     
16.   After the controller finishes downloading the certificate it will redirect you to the reboot system page to save the configuration and reload the controller for the certificate to take effect.
     
17.   CLI: log in to the controller using SSH

18.   Type the following commands with the corresponding information:

transfer download mode tftp
transfer download datatype webauthcert
transfer download serverip <TFTP_SERVER_IP_ADDRESS>
transfer download path /
transfer download filename <FILE_NAME>
transfer download certpassword <PASSWORD>

19.   Type: transfer download start to start the download and install the certificate

(Cisco Controller) >transfer download start

Mode............................................. TFTP 
Data Type........................................ Site Cert    
TFTP Server IP................................... 172.16.0.80
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ /
TFTP Filename.................................... final-cert.pem

This may take some time.
Are you sure you want to start? (y/N) y

TFTP Webauth cert transfer starting.

TFTP receive complete... Installing Certificate.

Certificate installed.
                        Reboot the switch to use new certificate.

In the end reboot the switch by issuing the command reset system.

In order to verify, go to Security->Web Auth->Certificate in the controller web GUI and check the certificate details such as the validity dates and type.



NAT redundancy between two links



Network topology:


R1 is connected to 2 links: primary and backup.
R5 resides in subnet 192.168.15.0/24. R1 NATs this subnet with the primary interface IP address (10.1.12.1); in case of fail-over it switches to the backup link and NATs the network with the backup interface IP address (10.1.13.1).

R1 relevant configuration:

interface FastEthernet0/0
 ip address 192.168.15.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 10.1.12.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet1/0
 ip address 10.1.13.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
ip route 0.0.0.0 0.0.0.0 10.1.12.2 name DEFAULT_ROUTE
ip route 0.0.0.0 0.0.0.0 10.1.13.3 250 name BACKUP_ROUTE
!
ip nat inside source route-map RM_BACKUP_NAT interface FastEthernet1/0 overload
ip nat inside source route-map RM_PRIMARY_NAT interface FastEthernet0/1 overload
!
ip access-list standard LAN
 permit 192.168.15.0 0.0.0.255
!
route-map RM_PRIMARY_NAT permit 10
 match interface FastEthernet0/1
!
route-map RM_PRIMARY_NAT deny 20
!
route-map RM_BACKUP_NAT permit 10
 match interface FastEthernet1/0
!
route-map RM_BACKUP_NAT deny 20
!

Note that the routing fail-over is done using static and floating static routes; for a more accurate and robust solution we would have to use a dynamic routing protocol or at least IP SLA tracking.
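The IP SLA variant that the note refers to, as an added example (not part of the original post): the primary default route on R1 is tied to a tracked ICMP probe toward its next hop, so it is withdrawn when the next hop stops answering even while FastEthernet0/1 itself stays up, and an EEM applet flushes the translation table on a track change so translations built on 10.1.12.1 do not linger after the switch. The addresses and interface names are taken from the configuration above; probe timers, the track delays and the applet name are assumptions.

```cisco
! Added example, not from the original post. Replaces the pair of floating static routes
! on R1 with a tracked primary route; addresses come from the configuration above,
! timers and names are assumptions.
ip sla 1
 icmp-echo 10.1.12.2 source-interface FastEthernet0/1
 frequency 5
!
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 10 up 30
!
ip route 0.0.0.0 0.0.0.0 10.1.12.2 name DEFAULT_ROUTE track 1
ip route 0.0.0.0 0.0.0.0 10.1.13.3 250 name BACKUP_ROUTE
!
! Translations created while the primary link was up still reference 10.1.12.1 after the
! route changes; clear them on every track transition so new sessions use the live interface.
! Existing sessions are cut either way, since the public address they used is gone.
event manager applet NAT_FAILOVER
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
```

With this in place `show track 1` and `show ip sla statistics 1` show whether the primary next hop is being reached, which is the first thing to check when traffic unexpectedly leaves through the backup link.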

R5 ping 192.168.41.1 when the primary link is up:



R5 ping 192.168.41.1 when the primary link is down: