topic Re: ISE Certificate Installation in Network Access Control

ISE Certificate Installation

rajithahettiarachchi — Thu, 16 May 2019 18:21:03 GMT

Hi,

I have installed ISE 2.4, and configured for Wireless Guest Access (Self Registration Portal). So, but when the users are trying to browse internet they are getting https error message, because they need to install firewall's certificate to their devices and I have to manually install firewall certificate to their devices. How can I automatically install my firewall certificate to the Guest Devices when they are connecting to the network?

Thanks,

Rajitha

Re: ISE Certificate Installation

Jason Kunst — Thu, 16 May 2019 19:04:44 GMT

ISE doesn’t have the ability to install certificates for resources in your network for such purpose. I am not sure what you mean by a firewall? Do you have a proxy inline? This will need to have a valid certificate for guests

Please check http://cs.co/ise-guest prescriptive guest guide that talks about https redirects (not recommended) and also well known certificates.

Re: ISE Certificate Installation

Arne Bier — Fri, 17 May 2019 11:00:02 GMT

If any device throws up a certificate warning it means that it cannot verify the certificate. What kind of certificate is this and who signed it? If it was not signed by a public CA then I would argue that is a mis-configuration on that TLS interception device. It needs to present a public CA cert. If that device is trying to intercept all traffic (which is becoming more common place now because companies want to see what's inside these TLS flows). In a company owned/managed device the IT guys can push this to the end device any no one is any the wiser. But in a guest portal situation where you have un-managed devices, this is impossible to achieve with a PKI cert.

Re: ISE Certificate Installation

rajithahettiarachchi — Sun, 19 May 2019 13:37:00 GMT

Dear @Jason Kunst ,

Thanks for the reply, actually when the internet links are connected to the firewall, in the firewall HTTPS packet inspection is enabled. So, when the guests are allowed to connect internet, they are going to internet via firewall, and without firewall certificate, guests are getting an error.

Thanks,

Rajitha

Re: ISE Certificate Installation

rajithahettiarachchi — Sun, 19 May 2019 13:30:28 GMT

Dear @Jason Kunst ,

Thanks for the reply, actually when the internet links are connected to the firewall, in the firewall HTTS packet inspection is enabled. So, when the guests are allowed to connect internet, they are going to internet via firewall, and without firewall certificate, guests are getting an error.

Thanks,

Rajitha

Re: ISE Certificate Installation

rajithahettiarachchi — Sun, 19 May 2019 13:36:13 GMT

Dear @Arne Bier ,

Thanks for the reply and Our firewall certificate is signed by public CA and it's a valid one. As you mentioned, we are using HTTPS inspection. So, when the guest users are connected to the network, we need to install firewall certificate to user's device automatically. So, I can upload my firewall certificate to ISE and can i push uploaded to a guest device?

-- Rajitha

Re: ISE Certificate Installation

Arne Bier — Sun, 19 May 2019 21:33:47 GMT

If I were a guest on your network, I would run a mile if you're asking me to install something, just so that it can work. No Guest service should ask or expect anyone to install a certificate into your end device's Trust Store. The Trust Store should be guarded and left alone to the OS manufacturer or to MDM/BYOD onboarding use cases.

So there are two things here. Client to ISE Portal will build a TLS connection and the cert that is used here should be a publicly signed cert that lives on the ISE PSN. You end devices should have no issues with that. If that causes a cert warning on the end device because the end device doesn't trust the ISE cert, then there is a problem with the CA (weird/unknown/untrusted CA that signed the ISE cert) or the end device doesn't have the Root CA cert for that CA.

Once user has successfully authenticated on the portal and sends first TLS packet to the firewall, then the firewall should intercept that and masquerade as the end destination - but again, this should be transparent to the user. A firewall cannot have a single cert that handles every possibly domain, therefore YOU (end device) have to install its cert, so that you don't freak out when you speak to the man in the middle. Excuse my cynicism, but that sounds like asking for trouble.

Maybe I am wrong. I don't have any experience with TLS interception - I just try to understand the fundamentals. And in TLS 1.3 I believe things will get even trickier.

Re: ISE Certificate Installation

Jason Kunst — Sun, 19 May 2019 21:50:29 GMT

If you have a certificate warming just going to internet then likely has nothing to do with ISE. ISE certificate is only presented in redirect state . If still needing assistance please work with with TAC

Re: ISE Certificate Installation

rajithahettiarachchi — Mon, 20 May 2019 14:50:12 GMT

@Jason Kunst thanks for the reply..! I will check with cisco.

Re: ISE Certificate Installation

rajithahettiarachchi — Mon, 20 May 2019 14:54:02 GMT

@Arne Bier , thanks for the advice and the reply.

-- Rajitha