topic Cisco ISE - Guest portal Cert query in Network Access Control

Cisco ISE - Guest portal Cert query

DanWeinstock909 — Mon, 11 Mar 2019 01:43:06 GMT

I have brief question regarding the Cisco ISE appliance and guest portal cert’s.

Ideally in my customer environment we want to hide our infrastructure hence the below...

Summary

Guest Web authentication is working through the controller and then passed onto the ISE server
The business would like to remove the ‘untrusted certification error’ that users are getting when they login
On the controller I can set the ‘FQDN’ via the virtual interface and apply/obtain a public cert for that name.

Challenge

Currently the ‘hostname’ of the ISE server is ‘prod-net-ise01’ (that is the mgmt name of the device)
I can only seem to generate a cert for the ‘hostname’ of the device and that will not hide what it is..

Is it possible to apply a HTTP/HTTPS public cert on the ISE server with a FQDN that does not match the hostname?

i.e. similar to the way that the controller does it..

If not then what would the process be to change the ‘hostname’ of the ISE device, Can that only be done via the CLI?

Appreciate any help or pointing me in the right direction.

Cisco ISE - Guest portal Cert query

JASON BOYERS — Wed, 23 May 2012 13:14:45 GMT

I just tried to use a wildcard certificate, and received the error message that the "Management certificate must contain host FQDN in CN component of Subject field." This is a HUGE issue. Currently, I can use wildcard certs on the WLCs without an issue. And, I can import a separate one for web logins from the one used for management. ISE really needs to have the ability to import a separate, non-"Management" certificate just used for "Guest" logins. Not sure if that is part of the blueprint for ISE 1.2, but it needs to be.

Re: Cisco ISE - Guest portal Cert query

surzn — Sun, 03 Jun 2012 08:07:51 GMT

I am meeting a similar issue, which is for sponsor portal, not for guess portal, because we put guest portal on the WLC.

In ISE 1.1, an option for sponsor portal FQDN is found in the general options. However, it seems not working.

I've opened a TAC case, Cisco engineer said he turned to developer for further checking.

Hopefully it can be addressed in next week.

Sent from Cisco Technical Support iPhone App

Re: Cisco ISE - Guest portal Cert query

surzn — Sun, 17 Jun 2012 04:36:48 GMT

It's confirmed not supported in current version sadly.

We have to change the host name ...

Sent from Cisco Technical Support iPad App

Re: Cisco ISE - Guest portal Cert query

JASON BOYERS — Sun, 17 Jun 2012 13:14:14 GMT

This last week at CiscoLive, I heard that there may be a workaround using Subject Alternate Names in the certificate. Now, this is not something that can be done using the CSR from ISE. I'm waiting for some documentation on the process, but I aat least have a little bit of hope.

Cisco ISE - Guest portal Cert query

S M85 — Mon, 18 Jun 2012 09:50:43 GMT

Hi Jason,

If you got an update related to Subject Alternate Names could you post the information? I'm also interested in this functionality to fix the issue so that we can give the appliance multiple certificates with other domain names.

Regards,

Sander

Cisco ISE - Guest portal Cert query

aman.diwakar — Tue, 05 Mar 2013 22:25:35 GMT

This question has been answered here:

http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bd0953.shtml

Cisco ISE - Guest portal Cert query

bikespace — Wed, 06 Mar 2013 11:11:41 GMT

I don't believe there's an easy way around this currently. The URL for the PSN is created dynamically and is always the real hostname of the PSN node. If you have the luxury of multiple appliances (or VMWare partitions) available, then you can have a couple of your PSN's dedicated for guest (and maybe sponsor) access. These can then be on separate (more covert) nostnames and even on separate domain so that guest users don't see your internal domain. For split domains you will need at least 1.1.1 patch 4 (unless you can use a DNS bodge which we have tested).

Cisco ISE - Guest portal Cert query

S M85 — Thu, 07 Mar 2013 08:45:27 GMT

Hi Aman and Bikspace,

For the record: i have the documentation and the SAN field isn't resolving the issue for multple domain names. Altought you can specify other hostnames, it is still in the same domain suffix.

Like Bikespace mention: the solution for the problem can be resolved in this way.

Setup a Deployment for two ISE nodes. Take up a VM and built this for DMZ purpose. You can install a PSN with an other DNS suffix. As long as these domain names are resolvable in the DNS deployment it will work. I've build this and it works with 1.1.2 patch 2. I thought this would be a problem for the AD agent on the PSN with an other DNS suffix than the real Domain Controller in the Active Directory domain, but this isn't; it will work.

Extra tip: you can't register a 'real' certificate on a fake DNS name. So .local and .lan should be denied by your CA. So this solution above is the only solution for now. Also the problem lies in ISE. You can't install another certificate that is different than the hostname+suffix of the PSN node. I prefer that Cisco solve this issue like the behavior in Cisco ASA.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml

or on the same interface with differents ports! it shoudn't be so hard for Cisco to implement this.