Thanks for your reply.

 

But the CSCvp75207 refers to ISE System Certificate, which are also used for EAP. In my case these are public signed certificates (i.e. Comondo) used to serve the Guest Portal.

Here I have a more insecure feeling of safety to check the boxes to "Trust for authentication within ISE" and "Trust for client authentication and Syslog" (also stated in CSCut26025), because this are public CAs, not internal).

 

Regards

ISE system certificates can be used for Admin, EAP, RADIUS DTLS, pxGrid, SAML, or Portal.  Portal includes your guest portal certificate, it is a system certificate.  Even if it is publicly signed.

 

My initial discussion/post was just about the guest portal, where the chain is not provided through ISE with public signed certificate(s).

For visitors/third parties people not belonging to the company the guest portal should (is) configured with an public trusted certificate. To allow a public certificate to be allowed for client auth, syslog, and so on is not common or secure I think.

 

With internal system certificates (used for company own/internal portals) where you have the "issue", the provided solutions/workarounds would be fine, but not to use for public ones.

 

Edit: or did I misunderstood something? 

 

Regards

My issue was with my guest portal. Our guest portal certificate is signed by a public ca. The guest portal was sending it's certificate to external endpoints and not the entire cert chain (the public root and intermediate). This was causing the endpoints to not trust the https connection to our guest portal.

The portal certificate is installed under the system certificates, (Administration, system, certificates, certificate management, system certificates) and the "Use by" is set to portal the "Portal Group" tag is guest portal.

The public root and intermediate certs, that my guest portal chains to for external clients to build a trust with, are installed under trusted certificates. Then the guest portal itself (work centers, Guest access, portals, guest portal) is set to use the certificate group tag, guest portal. This builds the connection within ISE between the guest portal and the certificate I want the guest portal to present to external clients.

I agree that selecting the boxes for auth within ise, client auth and syslog, and admin based auth is not ideal and I would think not intended by Cisco. However, it just allows those root certs for those purposes it doesn't necessarily enable them. For example if you don't have cert based admin authentication enabled under admin access then ISE won't accept a cert for that purpose anyway.

EAP could be a concern, but if you have the correct client cert validations in your authc policies then a cert presented to ISE for EAP using the same root ca would be denied.

Anyway, all I'm saying is it fixed the issue for me, we could debate security implications all day.

Thank you very much for your answer. I agree with you and you describe it very well.

 

Unfortunately the given workaround did not work for me. Possibly this is also related to the issuer 🤷‍♂️(and is treated differently by ISE).

But I think the behavior should be changed or corrected by Cisco, because I find this quite confusing (and give me security concerns).

Selecting the boxes for auth within ise, client auth and syslog, and admin based auth or interception or "correcting" by the policy should not be the goal.

 

..."we could debate security implications all day"....agree totally ;-)

 

Regards

Did you also check via openssl? i.e.  .\openssl.exe s_client -showcerts -connect website.domain.name:port

 

I performed all steps after each other from the workaround stated in CSCut26025, with the same result.

 

The issue is not with Windows Clients (using either Firefox, Chrome, Edge Chromium, Chrome) or Apple iPhone for example, but with Android Devices.

Windows Devices trust the chain, even if the chain is not send properly. Android Devices gave me the same as openssl shows up:  Verify return code: 21 (unable to verify the first certificate).

I tested witch certificates signed by Comodo for one webserver and the other one was with a wildcard certificate even in Version 2.6 Patch 1. 

 

Regards

 

 

CSCvp75207 is due to another bug fix in ISE 2.4 Patch 8 but NOT resolved in ISE 2.4 Patch 9.

However, the issue documented by CSCut26025 is not related at all to CSCvp75207.

Thanks for your reply. Through the circumstances we decided to wait for 2.4 Patch 10 and also in Version 2.6 for Patch 2 before installing an other Patch than Patch 6 for ISE 2.4 or ISE 2.6 without Patch ;-)

Patch 10 is already release. Have you test it with patch 10?
I have the same issue with comodo certificates.

Hi,

 

2.4 Patch 10 has already launched. Have you test it ?

I have the same issue with comodo certificates with 2.4 patch 9.

I've not tested it yet, but CSCvp75207 is specifically called as being resolved by patch 10. So it should be fixed in 2.4 patch 10.

I have updated the environment to patch 10 and tests also with openssl (see above) were successful. Now only patch 3 of version 2.6, which is also affected, is missing ;-)

 

Regards