Cisco ISE 2.4 Portal certificate Error

Hi

We have deployed FQDN-based Guest and Sponsor guest portals on Cisco ISE 2.4, and when we try to access any of the portals we get a certificate error, although the portals have their own public-CA-signed certificates.

After investigation we found that whenever a user tries to connect to the guest portal for authentication, or to the sponsor portal for creating a guest ID, ISE first delivers its admin certificate, which is self-signed, and the user therefore gets a certificate error.

How do we recover from this situation?

Regards

Ashish Shah

8 Replies

kthiruve
Cisco Employee

A couple of things you can do:

1. Go to Administration > Certificates > System Certificates and use the right certificate. You can edit the certificate and select the correct certificate and tag on the PSN. By default it uses the "Default certificate portal group tag".

2. Per portal, you can change the setting from Work Center > Guest > Portals and Components > click on the portal and go to the portal settings > Certificate Group Tags.

-Krishnan

Hi

Thanks for the reply.

What I understood from the link below is that ISE secures the portal certificate with its admin certificate.

https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897

But as we have a self-signed certificate for the ISE admin service, users are facing a certificate error.

Can we replace the ISE self-signed certificate with a CA-signed certificate? If yes, do we know how to replace it in an HA environment, as the ISE self-signed cert is also used for HA trust?

Also, we are planning to integrate ISE with Intune (MDM). This requires the ISE cert to be imported into Intune as a trusted cert. Can we use the same CA-signed admin cert for the ISE and Intune integration?

Regards

Ashish Shah

Hi rashish135@yahoo.co.in

The document you refer to was illustrating an example where the Admin portal and the Guest portal were using the same cert. The author of that article was trying to show how NOT to do it, because one would/should never use anything other than a publicly signed certificate for a Guest Portal. Visitors to a Guest Portal should never be confronted with a browser cert warning.

The issue that you are seeing with your portal is not normal. The Admin cert should have nothing to do with the Guest Portal if the correct Certificate Group Tag is assigned to the portal in question. Self-signed (or internal-PKI-signed) certs for a Sponsor Portal are quite normal.

Here's my 2c advice: try this. Go to the Portal in question and expand the page where you see the Certificate Group Tag. Even if it's showing the expected value, just try this: toggle the value to another Group Tag (e.g. the default Group Tag). Click Save. Then toggle it back to the correct/expected Group Tag. Click Save. ISE might pop up a notice saying that the cert is not found on PSN x/y/z - that might be a hint too.

Also make sure that the group tag relates to the correct System Certificate. Is the certificate present on all of the PSNs on which you are running the portal? Don't assume that it is. I had a case today where the public CA cert was missing from a PSN. I had to install it (it was a VM rebuild - perhaps an odd situation - but check the basics anyway).

If all else fails - TAC case. But try the toggle maneuver.

regards

Arne

Hi

For guest users, I investigated and found a "DLG_FLAGS_INVALID_CA" error. It seems my cert chain is not working as expected, but I can see the proper cert chain in ISE.

Regards

Ashish Shah

Hi rashish135@yahoo.co.in

While you're checking the CA cert chain for the portal cert, check that the entire CA cert chain has the following settings enabled:

[attachment: ise-trust.PNG]
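What the user's browser actually receives from the portal FQDN can be checked from outside ISE with a plain TLS handshake, which separates "ISE served the wrong (self-signed admin) cert" from "the right cert was served but its chain does not build to a trusted root" (the DLG_FLAGS_INVALID_CA case). This is an added example, not code from the thread or from Cisco ISE; it assumes the portal listens on TCP 8443, and the FQDNs guest.example.com and ise01.corp.local and both certificate dicts are constructed sample data.

```python
"""Diagnose which certificate an ISE portal FQDN really presents (added example)."""
import socket
import ssl
from typing import List

def _rdn(name) -> dict:
    """Flatten the nested subject/issuer tuples from ssl getpeercert() into a dict."""
    return {k: v for rdn in name for k, v in rdn}

def _covers(pattern: str, fqdn: str) -> bool:
    """RFC 6125-style name match: exact, or one wildcard in the left-most label only."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        return fqdn.count(".") == pattern.count(".") and fqdn.endswith(pattern[1:])
    return pattern == fqdn

def leaf_problems(cert: dict, fqdn: str) -> List[str]:
    """Findings for a leaf cert in getpeercert() dict form. A self-signed leaf is the
    symptom from the thread (admin cert served instead of the portal cert); a name that
    does not cover the portal FQDN is the other usual cause of a browser warning."""
    problems = []
    subject, issuer = _rdn(cert.get("subject", ())), _rdn(cert.get("issuer", ()))
    if subject == issuer:
        problems.append("self-signed leaf: the admin cert is served, not the CA-signed portal cert")
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names and "commonName" in subject:  # CN fallback only when no SAN exists
        names = [subject["commonName"]]
    if not any(_covers(n, fqdn) for n in names):
        problems.append(f"names {names} do not cover {fqdn}")
    return problems

def check_portal(fqdn: str, port: int = 8443, timeout: float = 5.0) -> List[str]:
    """Handshake with SNI against the OS trust store, as a browser would. A chain that
    does not build to a trusted root is reported from SSLCertVerificationError; a chain
    that validates is then checked for the self-signed/name problems above."""
    ctx = ssl.create_default_context()  # check_hostname=True, verify_mode=CERT_REQUIRED
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as sock, \
                ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return leaf_problems(tls.getpeercert(), fqdn)
    except ssl.SSLCertVerificationError as err:
        return [f"chain does not validate: {err.verify_message}"]

# Constructed sample certificates in getpeercert() shape (not real ISE data).
ADMIN_CERT = {"subject": ((("commonName", "ise01.corp.local"),),),
              "issuer": ((("commonName", "ise01.corp.local"),),),
              "subjectAltName": (("DNS", "ise01.corp.local"),)}
PORTAL_CERT = {"subject": ((("commonName", "guest.example.com"),),),
               "issuer": ((("organizationName", "Example Public CA"),),),
               "subjectAltName": (("DNS", "guest.example.com"), ("DNS", "sponsor.example.com"))}
```

Run check_portal("guest.example.com") from a client that reaches the portal and is not in the ISE trust domain; an empty list means the browser should not warn, and a "chain does not validate" finding names the OpenSSL reason (for example a missing intermediate) that the Windows error code hides.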

The configuration is there, but still no luck. Same error.

Regards

Ashish Shah

Have you tried toggling the Portal cert?

I think you ought to open a TAC case.

Yes, I toggled the cert and also completely deleted the cert chain and imported it again.

OK, I will raise a TAC case.

Thanks for your help.
