today I installed Patch 8 on ISE 2.4 over Patch 6. After updating to Patch 8 the Certificate (chain) configured for guest portal with Comodo RSA Domain Validation Secure Server CA certificate was not shown anymore to the client (affected Clients are different Android Devices, Windows 10 Workstations with Chrome or Opera Browser). Even testing via openssl to verify the certificate chain results in failure in the chain (openssl result: "unable to get local issuer certificate").
We did a lot of testing with different certificates (root and/or intermediate) and certificate chains (also referred to: https://community.cisco.com/t5/policy-and-access/guest-portal-url-certificate-issue-ise-2-3/td-p/3403241) and tried the workaround from CSCut26025, but this did not resolve the issue.
Then we decided to rollback to Patch 6 and everything works again as expected. The certificate chain was provided/shown through the ISE again.
Did not test with Patch 7 because we directly updated from Patch 6 to 8.
Any ideas or information when Patch 9 will be available and if this is fixed again?
Thanks in advance.
Need to update my post.
Unfortunately, we had to do a rollback to Patch 6 (which was the last one installed before Patch 10). Patch 10 had fixed the bug until we applied the second ISE's own certificate for the guest portal.
After that the certificate chain for both ISE guest portals was broken (e.g. portal1.my.domain and portal2.my.domain). After the rollback to Patch 6 everything was working again, i.e. the certificate chains were also delivered correctly.
Unfortunately I think we will stay with Patch 6 for a long time, because for now we did enough rollbacks (rolling back Patches 8, 9 and 10 should be enough).
We still face the issue on our version 2.4 patch 10 deployment with public wildcard certificate.
Although 18.104.22.1687-Patch10 is listed as known fixed at CSCvp75207 it doesn't work without "Trust for certificate based admin authentication" and node reload for us. The certificate was provided by Thawte CA (Root CA is Digicert) btw.
Hope it will be fixed soon.
I have a window tonight to install patch 10.
They have only 1 PSN redirecting the guest portal and I am not sure if they bought a wildcard certificate. How can I validate that?
Do you recommend stopping the window?
Check at Administration > System > Certificates which certificate is assigned to the portal group tag used by guest portal.
There are several ways to verify, like selecting the above mentioned certificate and clicking on View on top of the table. Look at the Common Name (CN) to see if it lists *.domain.com or domain.com. If the second variant is set I would expect that at least one Subject Alternative Name below is set, which could be DNS:*.domain.com.
You could also simply open the guest portal with your browser and check the same if accessible from the network you access.
Otherwise go to Work Centers > Guest Access > Portal & Components > select the appropriate portal and open the Portal test URL and verify with your browser again.
I would say you can update if you can "live" with the workaround that you might have to apply if the full chain is not provided by ISE, as is the case on our deployment. To verify if the full chain is provided, use the openssl command mentioned earlier in this thread.
Hope this helps :)
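The openssl check referred to in this thread, written out as an added example (not from any poster or from Cisco): it parses `openssl s_client -showcerts` output to count how many certificates the portal actually delivered and to extract the verify return code. The host names, the constructed sample output and port 8443 (the ISE default portal port) are assumptions.

```shell
#!/bin/sh
# Added example: check whether an ISE guest portal sends its intermediate certificate.
# Host names and port are assumptions; the sample s_client output below is constructed.

# Fetch the TLS handshake output from a live portal (default port 8443).
fetch_portal() {
  openssl s_client -connect "$1:${2:-8443}" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Count entries in the "Certificate chain" section (" 0 s:", " 1 s:", ...).
# A depth of 1 means the portal sent only its own certificate, i.e. no intermediate.
chain_depth() {
  awk '$0 == "Certificate chain" {inchain = 1; next}
       $0 == "---" && inchain {inchain = 0}
       inchain && /^ *[0-9]+ s:/ {n++}
       END {print n + 0}'
}

# Extract the numeric "Verify return code" (0 = ok; 20 = unable to get local issuer).
verify_code() {
  awk '/^ *Verify return code:/ {sub(/^ *Verify return code: */, ""); sub(/ .*/, ""); print; exit}'
}

# Constructed sample: what a portal with a missing intermediate looks like to openssl.
BROKEN_SAMPLE='CONNECTED(00000003)
depth=0 CN = portal1.my.domain
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = portal1.my.domain
   i:CN = COMODO RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
---
Server certificate
Verify return code: 20 (unable to get local issuer certificate)'

# Print "label depth=N verify=CODE"; exit status 0 only if the chain is complete and verified.
report() {  # $1 = label, stdin = s_client output
  out=$(cat)
  d=$(printf '%s\n' "$out" | chain_depth)
  v=$(printf '%s\n' "$out" | verify_code)
  printf '%s depth=%s verify=%s\n' "$1" "$d" "$v"
  [ "$d" -gt 1 ] && [ "$v" = 0 ]
}

# Offline demo on the constructed sample (prints "sample depth=1 verify=20").
printf '%s\n' "$BROKEN_SAMPLE" | report sample || echo "chain incomplete: workaround needed"
# Live use: fetch_portal portal1.my.domain 8443 | report portal1.my.domain
```

Run it against each portal FQDN after patching; a depth of 1 with verify code 20 is exactly the broken state described in the thread, and the same check afterwards confirms whether the workaround restored the chain.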