Solved: Re: CPP and Admin certificate different but on same interface

gvanbon · ‎10-20-2017

Hi,

Configured the following on ISE 2.3:

1 ISE interface for CPP and Admin

CCP portal runs on TCP port 8443 with its own certificate signed by CA1

Admin portal runs on port 443 with its own certificate signed by CA2

When a CCP redirection occurs, the client first get redirected on port 443 (with the wrong certificate) and to port 8443 with the right certificate.

I would have expected that the client would directly go to the 8443 port.

Anybody seen this ?

Thanks

hslai · ‎10-20-2017

Yes, I've been seeing it during beta. This appears related to CSCve85686.

View solution in original post

hslai · ‎10-20-2017

Yes, I've been seeing it during beta. This appears related to CSCve85686.

Arne Bier · ‎10-22-2017

I have the same in ISE 2.2 - I raised a TAC case for it. They told me it was due to CSCut16630 (ancient bug).

Luckily I have an F5 load balancer that is masking this issue.

hslai · ‎10-22-2017

We have an enhancement bug -- CSCva84197, but we have not scheduled to address it yet.

gvanbon · ‎10-22-2017

Thanks all !

grabonlee · ‎10-24-2017

The ISE installation guide 2.3 states that ISE presents Admin cert for Posture and CPP, then Portal cert for 8443. So I doubt if it’s really a bug. All the installation guides from 1.2 to 2.3 state this.