topic DigiCert with Guest Portal - Not Trusted? in Network Access Control

DigiCert with Guest Portal - Not Trusted?

Matthew Martin — Wed, 23 Nov 2022 17:37:52 GMT

Hello All,

ISE v2.7

I just uploaded a new wildcard DigiCert certificate to ISE with the Role of Guest Portal. I uploaded the new wildcard cert + the private key that my manager gave me. I checked the Allow wildcard certs checkbox and everything appeared to update just fine.

So I then took my Android cell and connected to our Guest Wi-Fi. When I got redirected to the login page, I got the message: "The network you're trying to join has security issues."

When I click View Certificate in the browser window on my cell, it shows the portal login url, and says "This certificate isn't from a trusted authority". It shows Issued to: CN: *.mycompany.com and Issued by: DigiCertTLS RSA SHA@%^ 2020 CA1.

Why wouldn't DigiCert be considered a Trusted Authority? I'm confused...

Thanks in Advance,
Matt

Re: DigiCert with Guest Portal - Not Trusted?

balaji.bandi — Wed, 23 Nov 2022 17:47:38 GMT

how is your URL redirect FQDN

is this example : guestportal.mycompany.com ? or IP ?

do you have DNS entry guestportal.mycompany.com

Note : how about try other device ..part of testing ?

Re: DigiCert with Guest Portal - Not Trusted?

Matthew Martin — Wed, 23 Nov 2022 18:00:36 GMT

Thanks for the reply.

We have it setup to use Hostname, i.e. ise-location1.mycompany.com

Re: DigiCert with Guest Portal - Not Trusted?

Milos_Jovanovic — Wed, 23 Nov 2022 18:55:40 GMT

Hi Mathew,

I assume you have installed Root and Intermediate CA certificates under Trusted Certificates?

Which version exactly are you running? If it is v2.7 under patch 5, you might be hitting CSCvu84184.

Kind regards,

Milos

Re: DigiCert with Guest Portal - Not Trusted?

Matthew Martin — Wed, 23 Nov 2022 19:02:15 GMT

So the Cert from DigiCert came with the Wildcard cert and a Root Cert. When I looked at the Root cert it appears to be the same as the existing DigiCert Root Cert that's already uploaded to ISE...

If I try to upload the Root cert that I received with the new wildcard cert, would it give me an error/warning if that exact same cert already exists?

Re: DigiCert with Guest Portal - Not Trusted?

Ambuj M — Wed, 23 Nov 2022 19:16:24 GMT

don’t think thats the issue here, if the root cert was not in trusted cert store, it wont even let to install wildcard cert and private key.

review this link :

https://community.cisco.com/t5/network-access-control/ios-wireless-users-being-prompted-to-trust-public-certificate/td-p/3820678

Re: DigiCert with Guest Portal - Not Trusted?

Matthew Martin — Wed, 23 Nov 2022 19:40:11 GMT

Ok gotcha, thanks for the reply. That part makes sense...

From the link, I know they're specifically talking about iOS and I'm trying on an Android. But, sounds like it could be the same issue... Since I do not get the message on a Windows PC, should I assume this is just something with iOS and Android devices, and there's not really a "fix" per-say?

I know it also mentioned something about the Cert having a CRL list. Not really familiar with what that is. Is there a way to check if our Cert has a Certificate Revocation List?

Re: DigiCert with Guest Portal - Not Trusted?

Milos_Jovanovic — Wed, 23 Nov 2022 20:00:02 GMT

If you try to upload already existing cert, yes, it would warn you that there is a cert with same private/public key already existing.

I don't think it is the issue that @Ambuj M mentioned, because over there, EAP is in use, while you are using CWA with Guest portal, so different principles are in use.

What is your exact ISE version? As I mentioned, there is a known bug in which ISE is not sending entire CA chain with certificate with Guest portals.

Kind regards,

Milos

Re: DigiCert with Guest Portal - Not Trusted?

Matthew Martin — Wed, 23 Nov 2022 20:02:07 GMT

We are running:

Version: 2.7.0.356

Patch Information: 3

Re: DigiCert with Guest Portal - Not Trusted?

Ambuj M — Wed, 23 Nov 2022 20:20:49 GMT

open the public cert, details, you would see crl distribution list field.

it may be the bug mentioned by @Milos_Jovanovic

on a separate note i would think either peap or cwa, the crl issue will apply in both cases since the client need to validate ise cert in both cases, is that not right ?

when you accept certificate once, and delete mac and get redirected again, does it prompt the cert error again ?

Re: DigiCert with Guest Portal - Not Trusted?

Milos_Jovanovic — Wed, 23 Nov 2022 20:36:05 GMT

In that case, most likely you are hitting CSCvu84184 which is solved in v2.7 patch 5. I would recommend to apply latest patch, and then to repeat testing.

Kind regards,

Milos

Re: DigiCert with Guest Portal - Not Trusted?

Matthew Martin — Mon, 28 Nov 2022 16:18:45 GMT

Thanks for the reply Milos.

I'm pretty sure the answer is yes. But, when installing patches, are they cumulative, i.e. would I just need the newest patch?

Re: DigiCert with Guest Portal - Not Trusted?

Milos_Jovanovic — Mon, 28 Nov 2022 19:11:17 GMT

Yes, patches are cumulative, and you only need to install latest one.

Kind regards,

Milos

Re: DigiCert with Guest Portal - Not Trusted?

Mark Elsen — Wed, 30 Nov 2022 09:22:15 GMT

- As already noted go for the latest in the 2.7 train because patches are cumulative avoid p5 because of : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa00729