ISE Guest Portal Certificate Trust in Endpoint

jatiwari
Cisco Employee

Hi Experts,

I am deploying a guest and BYOD solution for a customer, and the customer has given me a certificate for the portal which is signed by a sub CA.

Now the sub CA is not available on the endpoints; however, the root CA cert is available on all the endpoints.

When guest and BYOD users connect to the portal they get a certificate error because ISE sends the certificate of the portal only.

 

Thus, in order to get rid of the certificate error, can ISE be configured in such a way that it will send the portal certificate together with the root or sub CA, or the whole CA chain?

 

Regards,

Jay


12 Replies

Arne Bier
VIP

Hi Jay

 

Have you already installed the entire CA cert chain on your ISE nodes? I thought that ISE always returns the entire CA cert chain if the client requests it. This is the part I am vague on. I think if the client doesn't have the entire chain then it's up to the client to request this from the server.

 

Yes, I did import the entire CA chain into ISE; however, when users connect to the Guest portal they get an error that the cert cannot be validated.

Hi,

 

I have the same/similar issue with a public guest portal. Trying the workarounds described in CSCut26025 and CSCvp75207 only partially solved it for me, because Windows and Apple devices trust the cert, but Android devices do not. Checking with openssl (i.e. .\openssl.exe s_client -showcerts -connect website.domain.name:port) shows that ISE no longer delivers the certificate chain (in my case with two different ISE installations). The chain was fully provided/sent by ISE with 2.4 Patch 6 but stopped working with Patch 8 (needed to roll back, then everything worked as expected again), and I also tested in a lab environment with ISE 2.6 Patch 1 (same result). Here is my discussion about that: https://community.cisco.com/t5/cisco-bug-discussions/cscut26025-doc-ise-certificate-chain-is-not-being-send-till/td-p/3879470

 

Regards
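The openssl check in the post above tells you whether the server is sending the intermediate, but reading `-showcerts` output by eye across several ISE nodes gets tedious. The script below is an added example, not code from this thread or from Cisco: it parses the per-certificate subject/issuer header lines that `openssl s_client -showcerts` prints, verifies that each certificate is issued by the next one in the list, and flags a chain that stops short of a root the endpoint already trusts, which is the symptom described above (root in the endpoint store, sub CA absent, portal cert only sent). The host name, CA names and captured output are constructed for illustration.

```python
"""Check whether a TLS server sent a chain that an endpoint holding only the
root CA can validate, from `openssl s_client -showcerts` output.

Added example for this thread; names and captures below are constructed.
Usage: pipe the real output in, e.g.
    openssl s_client -showcerts -connect portal.example.com:8443 </dev/null \
        | python3 check_chain.py
"""
import re
import sys
from dataclasses import dataclass
from typing import Optional

# openssl prints one header pair per certificate in the "Certificate chain"
# section, e.g.
#  0 s:CN = guest.ise.example.com
#    i:CN = Example Sub CA
# Older builds use "s:/CN=..." instead; both forms are captured as raw text.
_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.+)$")
_ISSUER_RE = re.compile(r"^\s+i:(.+)$")


@dataclass(frozen=True)
class ChainCert:
    depth: int
    subject: str
    issuer: str


def parse_showcerts(output: str) -> list[ChainCert]:
    """Extract (depth, subject, issuer) for each certificate the server presented."""
    certs: list[ChainCert] = []
    pending: Optional[tuple[int, str]] = None
    for line in output.splitlines():
        m = _SUBJECT_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = _ISSUER_RE.match(line)
        if m and pending is not None:
            certs.append(ChainCert(pending[0], pending[1], m.group(1).strip()))
            pending = None
    return certs


def check_chain(certs: list[ChainCert], trusted_roots: set[str]) -> tuple[bool, list[str]]:
    """Return (complete, findings).

    complete is True when every certificate is issued by the next one and the
    top certificate either is a trusted root or was issued by one. A client
    that holds only the root can then build the path without fetching
    anything; we deliberately do not assume it will chase AIA URLs.
    """
    findings: list[str] = []
    if not certs:
        return False, ["server presented no certificates"]
    for lower, upper in zip(certs, certs[1:]):
        if lower.issuer != upper.subject:
            findings.append(
                f"depth {lower.depth} ('{lower.subject}') is issued by '{lower.issuer}', "
                f"but depth {upper.depth} is '{upper.subject}'"
            )
    top = certs[-1]
    if top.subject not in trusted_roots and top.issuer not in trusted_roots:
        findings.append(
            f"chain stops at '{top.subject}' issued by '{top.issuer}', which is not a "
            f"trusted root: the intermediate is missing from the server's response"
        )
    return not findings, findings


# Constructed root store: what the endpoints in the thread are assumed to hold.
TRUSTED_ROOTS = {"CN = Example Root CA"}

# Constructed capture of the healthy case: leaf plus intermediate.
SAMPLE_FULL_CHAIN = """\
CONNECTED(00000003)
Certificate chain
 0 s:CN = guest.ise.example.com
   i:CN = Example Sub CA
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
 1 s:CN = Example Sub CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = guest.ise.example.com
issuer=CN = Example Sub CA
"""

# Constructed capture of the thread's symptom: only the portal certificate.
SAMPLE_LEAF_ONLY = """\
CONNECTED(00000003)
Certificate chain
 0 s:CN = guest.ise.example.com
   i:CN = Example Sub CA
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
---
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LEAF_ONLY
    ok, notes = check_chain(parse_showcerts(text), TRUSTED_ROOTS)
    print("chain complete" if ok else "chain INCOMPLETE")
    for note in notes:
        print(" -", note)
```

Run against each node before and after applying a patch or workaround and keep the output; a change from two presented certificates to one is exactly the regression the posts in this thread describe, and it is easier to show TAC than a screenshot of a browser warning.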

jatiwari
Cisco Employee

This issue is because of bug CSCut26025.

 

Thanks for support.

 

Regards,

Jay

Thanks for sharing this wonderful news. Is it fixed in any 2.4 patch? So if I am installing a CA chain I have to restart services on all affected nodes?

Nope, it doesn't work. I have opened SR#687020206.

 

Regards,

Jay

I had this issue after upgrading from 2.4 patch 6 to patch 8. TAC was able to direct me to CSCvp75207. I added trust for certificate-based admin authentication to the root and intermediate CA that signed the guest portal cert, rebooted the server (standalone lab), and my portals started sending the full chain.

This particular TAC case is actually due to CSCvp75207, as the workaround has helped.

CSCut26025 is a very old doc bug. The general workaround in restarting ISE services could have helped different underlying issues, including CSCvk65179.

I had the same issue, ISE 2.4 patch 8, and it seemed to be resolved by following the workaround. The issue I'm having now is that the clients keep disconnecting, only my guest clients. I have opened TAC cases on both sides; nobody seems to know why it's happening. All they see is that the phone left the BSS, which is not true, I'm right underneath the AP.

 

Has anyone else seen this? I am planning to roll back to patch 6 during the weekend to see if the issue goes away.

Sounds like a totally unrelated issue to certificate trust. I would suggest a new thread to discuss it.

Hi Arne

I've heard that this should be fixed in Patch 10 which is planned to be released around September.

Patch 9 was just released yesterday, and it does not have a fix for it.

CSCut26025 is a doc bug and resolved already by updating ISE CCO docs.

CSCvp75207 is a tech bug and affecting ISE 2.4 Patch 8 and 9. For workaround, please check the bug info page.
