We have deployed FQDN-based Guest and Sponsor guest portals on Cisco ISE 2.4, and when we try to access any of the portals we get a certificate error, although the portals have their own public CA-signed certificates.
After investigation we found that whenever a user tries to connect to the guest portal for authentication or to the sponsor portal for creating a guest ID, ISE first delivers its admin certificate, which is self-signed, and because of this the user faces a certificate issue.
How to recover from this situation?
A couple of things you can do:
1. Go to Administration > Certificates > System Certificates and use the right certificate. You can edit the certificate and select the correct certificate and tag on the PSN. By default it uses the "Default certificate portal group tag".
2. Per portal, you can change the setting from Work Center > Guest > Portals and Components > click on the portal and go to the portal settings > Certificate Group Tags.
Thanks for the reply.
What I understood from the link mentioned below is that ISE secures the portal certificate with its admin certificate.
But as we have a self-signed certificate for the ISE admin service, users are facing certificate errors.
Can we replace the ISE self-signed certificate with a CA-signed certificate? If yes, do we know how to replace it in an HA environment, as the ISE self-signed cert is also used for HA trust?
Also, we are planning to integrate ISE with Intune (MDM). This requires the ISE cert to be imported into Intune as a trusted cert. Can we use the same CA-signed admin cert for the ISE and Intune integration?
The document you refer to was illustrating an example where the Admin portal and the Guest portal were using the same cert. The author of that article was trying to show how NOT to do it. Because one would/should never use anything other than a publicly signed certificate for a Guest Portal. Visitors of a Guest Portal should never be confronted with a browser cert warning.
The issue that you are seeing with your portal is not normal. The Admin cert should have nothing to do with the Guest Portal if the correct Certificate Group Tag is assigned to the portal in question. Self-signed (or internal PKI-signed) certs for a Sponsor Portal are quite normal.
Here's my 2c advice: try this. Go to the Portal in question and expand the page where you see the Certificate Group Tag. Even if it's showing the expected value, just try this: toggle the value to another Group Tag (e.g. the default Group Tag). Click Save. Then toggle it back to the correct/expected Group Tag. Click Save. ISE might pop up a notice saying that the cert is not found on PSN x/y/z - that might be a hint too.
And also make sure that the group tag relates to the correct System Certificate. Is the certificate present on all of the PSNs on which you are running the portal? Don't assume that it is. I had a case today where the public CA cert was missing from a PSN. I had to install it (it was a VM rebuild - perhaps an odd situation - but check the basics anyway).
If all else fails - TAC case. But try the toggle maneuver.
For guest users, I investigated and found a "DLG_FLAGS_INVALID_CA" error. It seems my cert chain is not working as expected, but I can see the proper cert chain in ISE.
While you're checking the CA cert chain for the portal cert, check that the entire CA cert chain has the following settings enabled
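A quick way to see what a PSN is really serving on the portal FQDN, as an added example that is not part of this thread (the FQDNs, port and the s_client excerpts below are constructed; it assumes openssl is installed). The leaf subject tells you whether the admin cert is being served instead of the portal cert, and the verify code tells you whether the chain the PSN sends is complete:

```shell
# Added example (not from this thread): capture what a PSN actually serves on
# the portal FQDN and map the result onto the symptoms discussed above.
# Assumes openssl is installed; FQDNs, port and sample excerpts are constructed.
# Live capture: raw `openssl s_client -showcerts` output for the portal FQDN.
portal_chain() {                        # portal_chain <fqdn> [port]
  local fqdn=$1 port=${2:-8443}
  openssl s_client -connect "$fqdn:$port" -servername "$fqdn" -showcerts \
    </dev/null 2>/dev/null
}
# One line per element of the served chain: "subject ~ issuer".
chain_report() {
  printf '%s\n' "$1" | awk '
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0 }
    /^ *i:/        { sub(/^ *i:/, ""); printf "%s ~ %s\n", subj, $0 }'
}

# Numeric "Verify return code" (0 means openssl could build the chain).
verify_code() {
  printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p'
}

# diagnose <s_client-output> <expected-fqdn>. Leaf CN is only a quick
# heuristic: browsers match the SAN list, so also read the SANs when in doubt.
diagnose() {
  local out=$1 fqdn=$2 leaf code
  leaf=$(printf '%s\n' "$out" | sed -n 's/^ *0 s:.*CN *= *\([^,/]*\).*/\1/p')
  code=$(verify_code "$out")
  if [ "$leaf" != "$fqdn" ]; then
    echo "WRONG_CERT leaf=$leaf (check the Certificate Group Tag on every PSN)"
  elif [ "$code" = 20 ] || [ "$code" = 21 ]; then
    echo "INCOMPLETE_CHAIN (intermediate missing: browser reports an invalid CA)"
  elif [ "$code" = 0 ]; then
    echo "OK"
  else
    echo "VERIFY_FAILED code=$code"
  fi
}

# Constructed s_client excerpts (PEM bodies omitted) for the two failure modes.
SAMPLE_ADMIN_CERT='Certificate chain
 0 s:CN = ise-psn1.corp.example
   i:CN = ise-psn1.corp.example
---
Verify return code: 18 (self-signed certificate)'
SAMPLE_NO_INTERMEDIATE='Certificate chain
 0 s:C = US, O = Example Corp, CN = guest.example.com
   i:C = US, O = Example CA, CN = Example Issuing CA 1
---
Verify return code: 21 (unable to verify the first certificate)'
```

Run `diagnose "$(portal_chain guest.example.com)" guest.example.com` against each PSN address in turn, since the thread shows the cert can be present on one node and missing on another.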
Yes, toggled the cert as well as completely deleted the cert chain and imported it again.
OK, will raise a TAC case.
Thanks for your help.