ISE guest portal cert

Qingguo Zhang
Cisco Employee

Hi experts

My customer has purchased an ISE certificate (wildcard) from a well-known public CA. The cert is not signed by the root CA but by an intermediate CA.

After installing the cert (both the ISE cert and the intermediate cert) on ISE, some clients/browsers still get a warning (cert not trusted; I confirmed the new cert has been installed), while some clients/browsers do not.

My question is: does ISE carry the intermediate certificate for client validation?

Does the browser validate the full cert chain for ISE?

It could be recovered by installing the intermediate cert on the guest client, but that may not be an ideal solution for the customer.

thanks

Qingguo


6 Replies

Arne Bier
VIP

Hi @Qingguo Zhang

Was this experienced on the Firefox browser? If so then there might be a reason: Firefox has its own cert store and does not use the trust store of your operating system. All other browsers use the cert store of the OS (IE, Edge, Chrome, Safari etc.).

It is also my understanding that the client can request the entire CA cert chain from the web server during TLS establishment, which is why it's important to install the entire cert chain in ISE's Trusted Certificates. If clients don't make this request then there is very little else you can do, other than to install the missing certs in the clients. But that is not pretty. Have a look at whether that "well-known CA" has had some of its certs removed from popular browsers or operating systems; that happens from time to time when the reputation of a CA becomes questionable.
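The reply above turns on what a browser actually does with a certificate issued by an intermediate CA. In TLS the server presents its chain (leaf first, then the intermediates); the client does not ask for it. The browser then has to build a path from that leaf to a root already in its trust store, and if the intermediate is neither sent by the server nor cached on the client, validation fails with exactly the "not trusted" warning described in the question. The script below is an added example written for this page, not code from the thread or from Cisco. It builds a throwaway root -> intermediate -> wildcard leaf chain with openssl and then verifies the leaf the way a browser would, once with the intermediate missing and once with it supplied. All names (Example Root CA, *.guest.example.com, the port in the commented live check) are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a throwaway
# root -> intermediate -> wildcard leaf chain with openssl and then verifies
# the leaf the way a browser does. All names (Example Root CA,
# *.guest.example.com) are made up for the demo.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Extension profiles for the CA certs and for the server (leaf) cert.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.guest.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# 1. Root CA (self-signed). This is the only cert the client trust store holds.
openssl ecparam -name prime256v1 -genkey -noout -out root.key
openssl req -x509 -new -key root.key -days 3650 -subj "/CN=Example Root CA" \
  -config ext.cnf -extensions v3_ca -out root.pem

# 2. Intermediate CA, signed by the root.
openssl ecparam -name prime256v1 -genkey -noout -out intermediate.key
openssl req -new -key intermediate.key -subj "/CN=Example Intermediate CA" \
  -config ext.cnf -out intermediate.csr
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ext.cnf -extensions v3_ca -out intermediate.pem

# 3. Wildcard server cert, signed by the intermediate (what the customer bought).
openssl ecparam -name prime256v1 -genkey -noout -out leaf.key
openssl req -new -key leaf.key -subj "/CN=*.guest.example.com" \
  -config ext.cnf -out leaf.csr
openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key \
  -CAcreateserial -days 365 -extfile ext.cnf -extensions v3_leaf -out leaf.pem

# What the server should send on the wire: leaf first, then the intermediate.
cat leaf.pem intermediate.pem > chain.pem

# Client with only the root trusted, server sent only the leaf: fails with
# "unable to get local issuer certificate" (the browser's "not trusted").
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same client, but the server also sent the intermediate. It is untrusted
# input that merely has to chain to the trusted root, so verification succeeds.
verify_with_sent_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same as above plus the hostname check a browser performs against the SAN.
verify_hostname() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" \
    -verify_hostname "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Number of certificates in the bundle the server presents (expect 2).
count_chain_certs() {
  grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem"
}

if verify_leaf_only; then echo "leaf alone: OK"; else echo "leaf alone: FAIL (intermediate missing)"; fi
if verify_with_sent_chain; then echo "leaf + intermediate: OK"; fi
if verify_hostname portal.guest.example.com; then echo "wildcard matches portal.guest.example.com"; fi
if verify_hostname deep.portal.guest.example.com; then :; else echo "wildcard does not match a second label"; fi

# Live check against a real portal (not run here; host and port are examples):
#   openssl s_client -connect portal.guest.example.com:8443 \
#       -servername portal.guest.example.com -showcerts </dev/null
# The "Certificate chain" section must list depth 1 (the intermediate). If only
# depth 0 appears, whatever terminates TLS for that address is sending the leaf
# alone; run the same command against the PSN's own address to compare.
```

The two verify functions are the whole story: the same leaf and the same trust store, and the only difference is whether the intermediate reached the client. Clients that already have that intermediate cached (Windows fetches it via AIA, or it was seen on an earlier site) will not warn, which is why only some of the customer's clients complained. The `s_client` command at the end is the practical check: if depth 1 is missing from what the portal presents, the intermediate has not been imported into ISE's Trusted Certificates (or the device terminating TLS in front of the PSN has a different chain).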

Jason Kunst
Cisco Employee

Please also work through the TAC on this. You didn't mention the cert. We have a cert from SSL.com in our demos and labs and there are problems with cross-signing. We had to get a different package from the vendor for it to work correctly on all clients.

Does anyone know a solution to this problem? I have this problem too. I changed the expired cert and fully removed the old cert from ISE.

But all clients still see the old cert, and some of them are not able to log in at all due to the expired cert. I do not know where the old cert can be stored.

If I check "Portal test URL" under the Guest Portal menu, I see the new cert. My ISE version is 2.0.1.130.

Unfortunately, I do not currently have a service contract to open a TAC case.

If there is a load balancer in between the client and the PSN, then it could be that the load balancer is performing SSL bridging (F5 terminology), which means that the same cert lives on the load balancer. Check that out; I have seen this happen once before and it can be quite frustrating. If SSL bridging is used then of course the solution is to update the certs in the load balancer(s) in the path.

You're also running an old version of ISE; perhaps there was a bug where it wasn't removed. You should be on at least 2.2 with the latest patch and thinking about moving to 2.4 for the long term, or even 2.6.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-740738.html

Thanks, I also think so. We do not have any load balancer in front of ISE, so it is a bug.

I will try to buy a service contract and upgrade to the latest version as soon as possible. I will inform you if the problem is solved.
