topic ISE Guest Portal Certificate Trust in Endpoint in Network Access Control

ISE Guest Portal Certificate Trust in Endpoint

Jay Tiwari — Fri, 28 Jun 2019 06:17:35 GMT

Hi Experts,

I are deploying guest and BYOD solution for customer and customer has given me certificate for portal which is signed by sub CA.

Now sub CA is not available in endpoints, however, root CA cert is available in all the endpoints.

when guest and BYOD user connects to portal they get certificate error because ISE sends certificate of portal only.

Thus in order to rid off certificate error, can ISE be configured in such a way that ISE will send portal certificate with root or sub CA or CA chain?

Regards,

Jay

Re: ISE Guest Portal Certificate Trust in Endpoint

Arne Bier — Fri, 28 Jun 2019 06:51:12 GMT

Hi Jay

have you already installed the entire CA cert chain in your ISE nodes? I thought that ISE always returns the entire CA cert chain if the client requests it. This is the part I am vague on. I think if the client doesn’t have the entire chain then it’s up to the client to request this from the server.

Re: ISE Guest Portal Certificate Trust in Endpoint

Jay Tiwari — Fri, 28 Jun 2019 07:16:10 GMT

Yes, i did import entire CA chain in ISE hwoever when user connects in Guest portal they get error cert can not be validated

Re: ISE Guest Portal Certificate Trust in Endpoint

Jay Tiwari — Fri, 28 Jun 2019 07:34:50 GMT

this issue is because of bug CSCut26025.

Thanks for support.

Regards,

Jay

Re: ISE Guest Portal Certificate Trust in Endpoint

Arne Bier — Fri, 28 Jun 2019 10:35:50 GMT

Thanks for sharing this wonderful news. Is it fixed in any 2.4 patch? So if I am installing a CA chain I have to restart services on all affected nodes?

Re: ISE Guest Portal Certificate Trust in Endpoint

Jay Tiwari — Fri, 28 Jun 2019 10:39:57 GMT

Nope, It doesn't work. I have opened SR#687020206.

Regards,

Jay

Re: ISE Guest Portal Certificate Trust in Endpoint

CarlCarlson1234 — Fri, 28 Jun 2019 14:37:12 GMT

I had this issue after upgrading from 2.4 patch 6 to patch 8. Tac was able to direct me to CSCvp75207. I added trust for certificate based admin authentication to the root and intermediate ca that signed the guest portal cert, rebooted the server (standalone lab) and my portals started sending the full chain.

Re: ISE Guest Portal Certificate Trust in Endpoint

stormfidus — Wed, 03 Jul 2019 11:15:07 GMT

Hi Arne

I've heard that this should be fixed in Patch 10 which is planned to be released around September.

Patch 9 was just released yesterday, and it does not have a fix for it.

Re: ISE Guest Portal Certificate Trust in Endpoint

hslai — Wed, 03 Jul 2019 18:31:42 GMT

CSCut26025 is a doc bug and resolved already by updating ISE CCO docs.

CSCvp75207 is a tech bug and affecting ISE 2.4 Patch 8 and 9. For workaround, please check the bug info page.

Re: ISE Guest Portal Certificate Trust in Endpoint

randomuser — Thu, 04 Jul 2019 06:52:42 GMT

Hi,

I have the same/similar issue with a public guest portal. Trying the workarounds described in CSCut26025 and CSCvp75207 did only solve partial for me. Because Windows and Apple Devices trust the cert , but not Android Devices. Check with openssl (i.e. .\openssl.exe s_client -showcerts -connect website.domain.name:port) shows that ISE not delivers the certificate chain anymore (in my case with two different ISE installations). The chain was fully provided/send by ISE with 2.4 Patch 6 but stopped working with Patch 8 (need to rollback, then everything worked as expected again) and also testes in Lab environment with ISE 2.6 Patch 1 (same result). Here is my discussion about that: https://community.cisco.com/t5/cisco-bug-discussions/cscut26025-doc-ise-certificate-chain-is-not-being-send-till/td-p/3879470

Regards

Re: ISE Guest Portal Certificate Trust in Endpoint

hslai — Thu, 04 Jul 2019 17:54:54 GMT

This particular TAC case is actually due to CSCvp75207, as the workaround has helped.

CSCut26025 is a very old doc bug. The general workaround in restarting ISE services could have helped different underlying issues, including CSCvk65179.

Re: ISE Guest Portal Certificate Trust in Endpoint

erga — Thu, 08 Aug 2019 14:29:00 GMT

I had the same issue, ise 2.4 patch 8, and it seemed to be resolved by following the workaround. The issue I'm having now is that the clients keep disconnecting, only my guest client. I have opened tac cases on both sides, nobody seems to know why its happening, all they see is that the phone left the bss which is not true, I'm right underneath the AP.

Has anyone else seen this, I am planning to roll back to patch 6 during the weekend to see if the issue goes away.

Re: ISE Guest Portal Certificate Trust in Endpoint

Jason Kunst — Thu, 08 Aug 2019 14:34:59 GMT

Sounds like a totally unrelated issue to deal with certificate trust. I would suggest a new thread to discuss