https://community.cisco.com/t5/network-access-control/ise-2-4-guest-and-sponsor-portal-issue/m-p/4721137#M578237 But your clients won’t trust a self-signed certificate. If you are using a public certificate for admin, you should get a new certificate and add the sponsor URL as SAN entry. Same if you are using a private CA.<BR /> Mon, 14 Nov 2022 15:50:19 GMT ahollifield 2022-11-14T15:50:19Z https://community.cisco.com/t5/network-access-control/ise-2-4-guest-and-sponsor-portal-issue/m-p/4720975#M578225 <P>Hi Guys,</P> <P>I have a customer who is wanting to setup Guest and Sponsor Portals on their ISE (2.4 Patch 8).&nbsp; &nbsp;Both portals are configured to use the same Certificate Group Tag, the certificate is signed by Entrust and configured for Portal usage.&nbsp; &nbsp;</P> <P>The guest portal is configured to use port 8443 on Gig 2</P> <P>The sponsor portal is configured to use port 8443 on Gig 0 and using a FQDN (Internal DNS servers have been updated to resolve the ISE ip)</P> <P>When a wireless client accesses the guest portal, everything works fine.&nbsp; However, when a client accesses the sponsor portal from the internal network, the ISE is presenting its admin certificate rather than the Entrust one.&nbsp; As such the client receives a certificate warning&nbsp;</P> <P>Its as if the ISE is ignoring the certificate group tag that its been configured with.</P> <P>Any idea on how to resolve this issue please?</P> <P>Thanks&nbsp;</P> <P>Scott&nbsp;</P> <P>&nbsp;&nbsp;</P> Mon, 14 Nov 2022 11:49:24 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-guest-and-sponsor-portal-issue/m-p/4720975#M578225 scottbreslin 2022-11-14T11:49:24Z https://community.cisco.com/t5/network-access-control/ise-2-4-guest-and-sponsor-portal-issue/m-p/4721077#M578230 <P>Yup really common issue on ISE.&nbsp; I usually put the sponsor portal URL as a SAN name in the admin certificate since ISE does a very strange redirection to the sponsor portal.&nbsp; It connects to standard HTTPS/443 first which uses the admin certificate.</P> <P><A href="https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-743964.html" target="_blank">https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-743964.html</A></P> Mon, 14 Nov 2022 14:10:41 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-guest-and-sponsor-portal-issue/m-p/4721077#M578230 ahollifield 2022-11-14T14:10:41Z https://community.cisco.com/t5/network-access-control/ise-2-4-guest-and-sponsor-portal-issue/m-p/4721129#M578236 <P>Thanks for the reply.</P> <P>So based on what you have said, I can create a self signed certificate, add the FQDN of the sponsor portal into the SAN and tick the admin usage box.&nbsp; Do i also need to tick the portal usage box?</P> Mon, 14 Nov 2022 15:29:52 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-guest-and-sponsor-portal-issue/m-p/4721129#M578236 scottbreslin 2022-11-14T15:29:52Z https://community.cisco.com/t5/network-access-control/ise-2-4-guest-and-sponsor-portal-issue/m-p/4721137#M578237 But your clients won’t trust a self-signed certificate. If you are using a public certificate for admin, you should get a new certificate and add the sponsor URL as SAN entry. Same if you are using a private CA.<BR /> Mon, 14 Nov 2022 15:50:19 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-guest-and-sponsor-portal-issue/m-p/4721137#M578237 ahollifield 2022-11-14T15:50:19Z https://community.cisco.com/t5/network-access-control/ise-2-4-guest-and-sponsor-portal-issue/m-p/4721147#M578238 <P>Yes the admin portal is currently using a cert signed by their private CA</P> Mon, 14 Nov 2022 16:08:58 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-guest-and-sponsor-portal-issue/m-p/4721147#M578238 scottbreslin 2022-11-14T16:08:58Z