topic Re: Sponsor portal redirect in Network Access Control

Sponsor portal redirect

Michael Bartholomæussen — Thu, 04 Oct 2018 10:55:37 GMT

Hi all,

When sponsors try to access the sponsor portal via FQDN they are unable to access the site. It works if the use the full url https://helpmyguest.xxx.com:8550/sponsorportal/PortalSetup.action?portal=5b873480-ba69-11e8-ab53-1e43651b66b5

If I test the portal form within ISE the link fails, and I receive the certificate used on the admin page?

Re: Sponsor portal redirect

paul — Thu, 04 Oct 2018 11:11:59 GMT

That is normal. If your sponsor portal certificate is not the same as the admin certificate then you are going to have issues with the sponsor portal FQDN. If the users go to http://<sponsor FQDN> it will work, but problem is ISE support HSTS and if the browser support HSTS even if they type in http:// it will get changed to https://. The certificate running on port 443 on the ISE node is the admin certificate. So you need to connect to admin side to get the URL redirect to the full sponsor URL on 8550.

Basically if you are trying to use sponsor FQDN you should be using the same certificate for the admin and sponsor portal cert then everything works fine.

Re: Sponsor portal redirect

Michael Bartholomæussen — Thu, 04 Oct 2018 11:23:16 GMT

Then the solution is to add the SAN of the sponsor portal to the admin certificate?

Re: Sponsor portal redirect

paul — Thu, 04 Oct 2018 11:25:48 GMT

Yep, your admin cert should have all the one-off type sites you plan to use in your ISE install. I usually do something like:

FQDN of all my ISE nodes

sponsor.mycompany.com

ise-bypass.mycompany.com (for the MyDevices portal I use to allow devices onto the network)

mydevices.mycompany.com (to allow for BYOD use cases)

Re: Sponsor portal redirect

Michael Bartholomæussen — Thu, 04 Oct 2018 11:30:21 GMT

Did they put that in the config guide - really doesn't ring a bell!

I'll reconfigure my certificate to include the SANs. Would it be ok to use a *, although it's not security best practise?

Re: Sponsor portal redirect

paul — Thu, 04 Oct 2018 11:41:50 GMT

Wildcard is fine. I haven't read the guides in years, but I doubt this issue is called out. The issue you are seeing is really an unintended side effect of ISE supporting HSTS. If ISE didn't support HSTS then you could tell your sponsor to go to http://sponsor.mycompany.com and everything would work perfectly.

Re: Sponsor portal redirect

Michael Bartholomæussen — Fri, 05 Oct 2018 08:39:44 GMT

Updated my certificate to include the SAN for sponsor, now it works. Again, thanks for helping Paul 🙂

Re: Sponsor portal redirect

jone1513 — Fri, 24 May 2024 18:39:45 GMT

Thank you Paul! We started getting HSTS errors with the portals on a new 3.x deployment. We neglected to check ADMIN on the PSN nodes for our signed cert. Admin (where the redirect happens) and the portal therefore were not using the same certificate.
Once we checked that both were using same, our HSTS issue was resolved. Hope this detail might help others.