Cisco Employee

ISE Guest Portal Certificate Trust in Endpoint

Hi Experts,

I am deploying a guest and BYOD solution for a customer, and the customer has given me a certificate for the portal which is signed by a sub CA.

Now the sub CA is not available in the endpoints; however, the root CA cert is available in all the endpoints.

When guest and BYOD users connect to the portal they get a certificate error because ISE sends the certificate of the portal only.

Thus, in order to get rid of the certificate error, can ISE be configured in such a way that ISE will send the portal certificate together with the root or sub CA, or the CA chain?

Regards,

Jay

12 Replies
VIP Advocate

Re: ISE Guest Portal Certificate Trust in Endpoint

Hi Jay

Have you already installed the entire CA cert chain in your ISE nodes? I thought that ISE always returns the entire CA cert chain if the client requests it. This is the part I am vague on. I think if the client doesn't have the entire chain then it's up to the client to request this from the server.

Cisco Employee

Re: ISE Guest Portal Certificate Trust in Endpoint

Yes, I did import the entire CA chain into ISE; however, when users connect to the Guest portal they get the error that the cert cannot be validated.

Beginner

Re: ISE Guest Portal Certificate Trust in Endpoint

Hi,

I have the same/similar issue with a public guest portal. Trying the workarounds described in CSCut26025 and CSCvp75207 only solved it partially for me, because Windows and Apple devices trust the cert, but Android devices do not.

Checking with openssl (i.e. .\openssl.exe s_client -showcerts -connect website.domain.name:port) shows that ISE no longer delivers the certificate chain (in my case with two different ISE installations). The chain was fully provided/sent by ISE with 2.4 Patch 6 but stopped working with Patch 8 (I needed to roll back, then everything worked as expected again), and I also tested in a lab environment with ISE 2.6 Patch 1 (same result).

Here is my discussion about that: https://community.cisco.com/t5/cisco-bug-discussions/cscut26025-doc-ise-certificate-chain-is-not-being-send-till/td-p/3879470


Regards

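The openssl s_client -showcerts check mentioned in the reply above is the right test, but its output is easy to misread: the "Certificate chain" block lists every certificate the server actually sent, and a client that only holds the root CA needs the sub CA to appear there. The script below is an added example (not from this thread and not Cisco code) that parses that block and simulates what an endpoint with only the root CA could build from it. The function names, the two sample outputs and the port 8443 in the usage comment are assumptions; the samples are constructed, not captured from a real ISE node.

```python
"""Check whether a TLS server (e.g. an ISE guest portal) sent a complete
certificate chain.  Added example, not Cisco code.  Parses the
"Certificate chain" block printed by `openssl s_client -showcerts`
(the " 0 s:" subject and "   i:" issuer lines), then walks from the leaf
upward and reports whether the path ends at a root the endpoint trusts.
Function names are hypothetical; sample outputs below are constructed."""
import re
import sys
from typing import Dict, List, NamedTuple, Optional


class ChainEntry(NamedTuple):
    depth: int
    subject: str
    issuer: str


# Subject/issuer lines in both the old (" 0 s:/CN=foo") and the newer
# (" 0 s:CN = foo") s_client formats.
_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")


def _norm(name: str) -> str:
    """Normalize a printed DN so old- and new-style output compare equal.
    Caveat: does not handle escaped commas inside attribute values."""
    name = name.strip()
    if name.startswith("/"):                       # old style: /C=US/CN=foo
        parts = [p for p in name.split("/") if p]
    else:                                          # new style: C = US, CN = foo
        parts = [p.strip() for p in name.split(",")]
    return ",".join(re.sub(r"\s*=\s*", "=", p) for p in parts)


def parse_s_client_chain(output: str) -> List[ChainEntry]:
    """(depth, subject, issuer) for every cert the server presented, leaf first."""
    lines = output.splitlines()
    entries: List[ChainEntry] = []
    for i, line in enumerate(lines[:-1]):
        m = _SUBJECT_RE.match(line)
        if not m:
            continue
        im = _ISSUER_RE.match(lines[i + 1])
        if not im:
            continue
        entries.append(ChainEntry(int(m.group(1)), _norm(m.group(2)), _norm(im.group(1))))
    return sorted(entries, key=lambda e: e.depth)


def missing_link(chain: List[ChainEntry], trusted_roots: List[str]) -> Optional[str]:
    """Simulate an endpoint whose trust store holds only `trusted_roots`.
    Returns None if it can chain the leaf to one of those roots using only
    what the server sent, otherwise the issuer name it could not find."""
    if not chain:
        return "no certificate presented"
    roots = {_norm(r) for r in trusted_roots}
    sent: Dict[str, ChainEntry] = {e.subject: e for e in chain}
    current, seen = chain[0], set()
    while current.subject not in seen:
        seen.add(current.subject)
        if current.issuer in roots:
            return None                    # path reaches a root the client already has
        nxt = sent.get(current.issuer)
        if nxt is None or nxt is current:  # issuer not sent, or self-signed but untrusted
            return current.issuer
        current = nxt
    return current.issuer                  # loop in what was sent; treat as unresolved


# Constructed samples of s_client output (PEM bodies omitted). LEAF_ONLY is the
# failure described in this thread; FULL_CHAIN uses the older DN style.
LEAF_ONLY = """\
Certificate chain
 0 s:CN = guest.example.com
   i:CN = Example Sub CA
-----BEGIN CERTIFICATE-----
(PEM body omitted in this constructed sample)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = guest.example.com
issuer=CN = Example Sub CA
"""

FULL_CHAIN = """\
Certificate chain
 0 s:/CN=guest.example.com
   i:/CN=Example Sub CA
-----BEGIN CERTIFICATE-----
(PEM body omitted in this constructed sample)
-----END CERTIFICATE-----
 1 s:/CN=Example Sub CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
(PEM body omitted in this constructed sample)
-----END CERTIFICATE-----
---
"""

ENDPOINT_ROOTS = ["CN = Example Root CA"]   # what the endpoints in the question hold


def report(output: str, trusted_roots: List[str] = ENDPOINT_ROOTS) -> str:
    chain = parse_s_client_chain(output)
    gap = missing_link(chain, trusted_roots)
    if gap is None:
        return f"OK: {len(chain)} cert(s) sent, chain reaches a trusted root"
    return f"BROKEN: {len(chain)} cert(s) sent, client cannot find issuer {gap}"


if __name__ == "__main__":
    # Real use (port is an assumption):
    #   openssl s_client -showcerts -connect portal.example.com:8443 </dev/null 2>&1 | python3 check_chain.py
    if not sys.stdin.isatty():
        print(report(sys.stdin.read()))
    else:
        print(report(LEAF_ONLY))
        print(report(FULL_CHAIN))
```

Run it on the samples and the leaf-only case reports the sub CA as the unresolvable issuer, which is exactly why a root-only endpoint shows a certificate error; the full-chain case passes. Note that the check only looks at what the server sent: browsers that fetch intermediates via AIA can mask the problem on Windows and macOS while Android still fails, which matches the behaviour reported above.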
Cisco Employee

Re: ISE Guest Portal Certificate Trust in Endpoint

This issue is because of bug CSCut26025.

Thanks for the support.


Regards,

Jay

VIP Advocate

Re: ISE Guest Portal Certificate Trust in Endpoint

Thanks for sharing this wonderful news. Is it fixed in any 2.4 patch? So if I am installing a CA chain I have to restart services on all affected nodes?

Cisco Employee

Re: ISE Guest Portal Certificate Trust in Endpoint

Nope, it doesn't work. I have opened SR#687020206.


Regards,

Jay

Beginner

Re: ISE Guest Portal Certificate Trust in Endpoint

I had this issue after upgrading from 2.4 patch 6 to patch 8. TAC was able to direct me to CSCvp75207. I added trust for certificate-based admin authentication to the root and intermediate CA that signed the guest portal cert, rebooted the server (standalone lab), and my portals started sending the full chain.

Cisco Employee

Re: ISE Guest Portal Certificate Trust in Endpoint

This particular TAC case is actually due to CSCvp75207, as the workaround has helped.

CSCut26025 is a very old doc bug. The general workaround of restarting ISE services could have helped with different underlying issues, including CSCvk65179.

Beginner

Re: ISE Guest Portal Certificate Trust in Endpoint

I had the same issue, ISE 2.4 patch 8, and it seemed to be resolved by following the workaround. The issue I'm having now is that the clients keep disconnecting, only my guest clients. I have opened TAC cases on both sides; nobody seems to know why it's happening. All they see is that the phone left the BSS, which is not true; I'm right underneath the AP.

Has anyone else seen this? I am planning to roll back to patch 6 during the weekend to see if the issue goes away.

Cisco Employee

Re: ISE Guest Portal Certificate Trust in Endpoint

That sounds like an issue totally unrelated to certificate trust. I would suggest a new thread to discuss it.

Beginner

Re: ISE Guest Portal Certificate Trust in Endpoint

Hi Arne

I've heard that this should be fixed in Patch 10, which is planned to be released around September.

Patch 9 was just released yesterday, and it does not have a fix for it.

Cisco Employee

Re: ISE Guest Portal Certificate Trust in Endpoint

CSCut26025 is a doc bug and was already resolved by updating the ISE CCO docs.

CSCvp75207 is a tech bug affecting ISE 2.4 Patch 8 and 9. For the workaround, please check the bug info page.