350-401 · Question #1068
Refer to the exhibit. An engineer is configuring WebAuth on a Cisco Catalyst 9800 Series WLC. The engineer has purchased a third-party certificate using the FQDN of the WLC as the CN and intends to us
The correct answer is A. Virtual IPv4 Hostname must match the CN of the certificate. For clients to avoid certificate errors on a Cisco Catalyst 9800 Series WLC WebAuth splash page, the Virtual IPv4 Hostname must be configured to precisely match the Common Name (CN) of the third-party certificate.
Question
Refer to the exhibit. An engineer is configuring WebAuth on a Cisco Catalyst 9800 Series WLC. The engineer has purchased a third-party certificate using the FQDN of the WLC as the CN and intends to use it on the WebAuth splash page. What must be configured so that the clients do not receive a certificate error?
Exhibits
Options
- AVirtual IPv4 Hostname must match the CN of the certificate
- BVirtual IPv4 Address must be set to a routable address
- CWeb Auth Intercept HTTPs must be enabled
- DTrustpoint must be set to the management certificate of the WLC
How the community answered
(32 responses)- A72% (23)
- B16% (5)
- C9% (3)
- D3% (1)
Why each option
For clients to avoid certificate errors on a Cisco Catalyst 9800 Series WLC WebAuth splash page, the Virtual IPv4 Hostname must be configured to precisely match the Common Name (CN) of the third-party certificate.
When a client is redirected to the WebAuth splash page, their browser attempts to establish an HTTPS connection to the WLC's virtual IP address. For the certificate to be trusted and avoid security warnings, the hostname presented by the WLC (its Virtual IPv4 Hostname) must exactly match the FQDN specified in the Common Name (CN) field of the installed third-party certificate.
While the Virtual IPv4 Address must be routable for clients to reach the WLC, configuring it as such does not resolve certificate name mismatch errors.
Web Auth Intercept HTTPS forces HTTP traffic to be redirected over HTTPS, but it does not address the issue of a certificate hostname mismatch once the HTTPS connection is initiated.
The trustpoint is where the certificate itself is managed and stored on the WLC, but simply setting it to a management certificate does not configure the virtual hostname to match the purchased certificate's CN.
Concept tested: Cisco WLC WebAuth certificate configuration
Source: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_secure_web_authentication_wireless_17_3.html
Topics
Community Discussion
No community discussion yet for this question.

