topic Re: ISE Wildcard Cert issue in Network Access Control

ISE Wildcard Cert issue

N3om — Fri, 17 May 2024 12:27:21 GMT

I have just re-added a wildcard cert to ISE as it was about to expire, when I now try connecting to guest wireless network I don tget to the portal page and i get a warning saying this web page at https://guest.boarders.co.uk :8443 could not be loaded due to net:: err_ssl_version_or_cipher_mistmatch

aNy ideas what I might have missed please.??

Thanks

Re: ISE Wildcard Cert issue

balaji.bandi — Sun, 19 May 2024 09:24:33 GMT

what certificate was there before Wild card ? or SAN ?

Look at the guide lines :

https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897

what ISE version ? if the cert is good and try remove old cert and reload ISE and test it.

check below :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc64480

Re: ISE Wildcard Cert issue

Arne Bier — Sun, 19 May 2024 21:09:59 GMT

@N3om is this the error message you are seeing when you are redirected to the ISE Portal page on a guest device? Doesn't sound like a certificate issue, since the certificate does not dictate what version of TLS is used.

Examine the new certificate anyway - does the browser manage to load it and can you verify that the new certificate is being presented to the browser?

Run a tcpdump on the ISE node to see what is going wrong with the TLS exchange.

Have you tried restarting the PSN node (app stop ise, reload)?

Re: ISE Wildcard Cert issue

N3om — Tue, 21 May 2024 20:57:13 GMT

@Arne Bier I think we had hit a bug which Cisco published a while back as I went through the steps Cisco suggested and it seems to have worked.

1. create a self signed Cert for Guest portal

2. delete new wildcard cert and old if still there

3. reload PSN and PAN nodes.

Hers another question if I may, when i watch tutorials online for adding wildcard cert via CSR, in the first DNS field is e.g

ise.local.co.uk, then the second dns fielsd is *.local.co.uk, I havent done it like this as the last cert didnt have it I have got

*.boarders.co.uk

boaders.co.uk

our guest portal is actually guest.boaders.co.uk

any idea which is the correct way please.?? and why.?????

Thanks

Re: ISE Wildcard Cert issue

Arne Bier — Tue, 21 May 2024 22:36:49 GMT

Glad you found a resolution for the cert issue via the TAC. I will keep that one in mind.

As for the question of SAN fields, this is up to

1) How the CA populated them (usually CA's will ensure that the Subject CN is always present somewhere in the SAN - e.g. if you submit a CSR with a Subject CN = www.zebra.com and forget to include www.zebra.com in the SAN, then any good CA will add it into the SAN)

2) How the browser chooses to select amongst multiple SAN entries. Perhaps there is an RFC out there that recommends/suggests the ordering, but I would think that the ordering of the SAN entries is arbitrary - as long as ONE of those entries satisfies the matching requirements - that's all that's required.

Re: ISE Wildcard Cert issue

N3om — Wed, 22 May 2024 19:17:43 GMT

@Arne Bier

FYI
CSCwc64480

Re: ISE Wildcard Cert issue

MHM Cisco World — Wed, 22 May 2024 19:24:56 GMT