topic Hi Tony. I'm not 100% sure, in Network Access Control

ISE 1.4 Guest Certificate

Mokhalil82 — Mon, 11 Mar 2019 05:50:32 GMT

I have configured ISE 1.4 for the first time and I am having trouble with certificates. I have a CA signed system certificate stored in system certificates and I can log onto ISE without certificate messages.

How do I go about guest and sponsor users in regards to certificates. Do I need a separate certificate or will the CA signed cert I have generated work.

Thanks

You can use the same

nspasov — Tue, 23 Jun 2015 21:31:22 GMT

You can use the same certificate for multiple functions in ISE. To use the same certificate for the guest portal edit the certificate and enable the "Portal" check box. Then you can tie the certificate to a Certificate Portal Group Tag. That certificate group tag can be attached to the Guest Portal that you create.

I hope this helps!

Thank you for rating helpful posts!

Hi Guys, I hope you don't

tonyp8581 — Sat, 25 Jul 2015 12:38:53 GMT

Hi Guys, I hope you don't mind me joining this discussion. I have a somewhat similar issue.

I'm running v1.3 and hostname is ise.domain.com and according to documentation, I configured my Sponsor portal as sponsor.domain.com.

This is my issue: When guest users access the Guest portal, they get redirected to ise.domain.com.

That scenario works fine.

However, when I access the Sponsor portal using sponsor.domain.com, I get the certificate warnig error. Obviously, the error is normal due to the fact I don’t have a certificate in ISE with that URL.

To get rid of the error, do I need a second certificate signed with sponsor.domain.com ?

Neno, If I understand your previous post, I should be able to use 1 certificate for both URLS's. Also, are Guest portal and Sponsor portal controlled by the same Certificate portal Group ?

Thanks !

Tony,You have three options -

Marvin Rhoads — Sat, 25 Jul 2015 17:59:40 GMT

Tony,

You have three options - a second certificate, a single wildcard certificate or a single certificate with SANs (Subject Alternative Names).

The recommended option is to use SANs. I think Cisco could improve the documentation in telling your which ones you might need ahead of time. As one sets up an ISE deployment, it's not always obvious that the use cases will indicate that in the future you might need to use one or another SAN.

Hi Marvin, I prefer the third

tonyp8581 — Sun, 26 Jul 2015 12:51:28 GMT

Hi Marvin, I prefer the third option,

I was reading up on Certificate usage and using the SAN sounds like the viable option.

I agree, Cisco should improve the documentation on the subject.

One more question, Shortly, I will add a second node. Can I enter the second Hostname into the SAN and then import that same certificate into second node ?

Thanks for your help !

Tony

Tony,Yes re your "one more

Marvin Rhoads — Sun, 26 Jul 2015 14:47:49 GMT

Tony,

Yes re your "one more question".

Any SANs must be included at the time of certification creation (for self-signed) or Certificate Signing Request (CSR) creation (for external CA-signed).

Once you have the certificate with SANs issued and installed on your Primary Admin Node, you can export it (including the server's private key) for use on other nodes in your deployment.

It's mostly the PSNs where your portals will be hosted for which this is most important. Depending on your deployment scale these may be the same as your Primary and Secondary PAN and MnT nodes.

Hi Marvin,Sorry for the delay

tonyp8581 — Tue, 11 Aug 2015 20:34:35 GMT

Hi Marvin,

Sorry for the delay. Lately, I have been very busy. My colleagues are on vacation. I'm still struggling with my Sponsor portal. I have created a new Certificate with all the DNS names in it. But the browser is not trusting my certificate. I stumbled upon the bug CSCut12983. Even though I imported a new certificate, ISE is still presenting the old certificate to the browser. Hence, the error. This morning, I opened a TAC case. They still haven't call. I'll let you know how it goes.

Tony

Is the old certificate still

Andre Neethling — Wed, 12 Aug 2015 05:31:47 GMT

Is the old certificate still in the Certificate store of all the ISE servers? If so, did you deselect the portal check box for the certificates no longer in use?

Hi Andre, Thanks for your

tonyp8581 — Wed, 12 Aug 2015 12:51:51 GMT

Hi Andre, Thanks for your response !

Presently, I have only one ISE server. About the Portal check box. The option is greyed out, I can't deselect. Also, the certificate I'm trying to delete is¸pointing to the Default portal Certificate group which I'm not using anymore. I created a new one when I imported the new certificate.

Always on that subject, is there a way to use the same Portal Certificate group when importing a new certificate ?

Tony

Did you change the portal

Andre Neethling — Thu, 13 Aug 2015 04:23:33 GMT

Did you change the portal certificate group assignment in all your portals you have configured? I think you need to change it from default, to your new certificate group tag. If it is assigned anywhere to a portal, I think it will be greyed out.

Hi Andre, you're right. the

tonyp8581 — Thu, 13 Aug 2015 12:34:54 GMT

Hi Andre, you're right.

the Blacklist Portal was still assigned to the default group tag. Out of all the portal, it is the only one using port 8444. This is why it didn't change when I introduced the new Certificate. Thanks for the heads up !

Would you know how to assign the current Certificate group tag when you're importing a new certificate ?

Thanks !

Tony

Hi Tony. I'm not 100% sure,

Andre Neethling — Thu, 13 Aug 2015 12:42:35 GMT

Hi Tony. I'm not 100% sure, but you can add a certificate group tag when you edit the certificate. Or you could add the group tag during the certificate import wizard. I never did that before though. I'll have to test it first 🙂

Good luck.

Hi Andre, sounds good.Thanks

tonyp8581 — Thu, 13 Aug 2015 12:51:40 GMT

Hi Andre, sounds good.

Thanks for your help !

Tony