
Sponsor portal redirect

Hi all,

 

When sponsors try to access the sponsor portal via FQDN they are unable to access the site. It works if they use the full URL https://helpmyguest.xxx.com:8550/sponsorportal/PortalSetup.action?portal=5b873480-ba69-11e8-ab53-1e43651b66b5

 

If I test the portal from within ISE the link fails, and I receive the certificate used on the admin page?

 

 


paul
Level 10

That is normal. If your sponsor portal certificate is not the same as the admin certificate then you are going to have issues with the sponsor portal FQDN. If the users go to http://<sponsor FQDN> it will work, but the problem is that ISE supports HSTS, and if the browser supports HSTS, even if they type in http:// it will get changed to https://. The certificate running on port 443 on the ISE node is the admin certificate. So you need to connect to the admin side to get the URL redirect to the full sponsor URL on 8550.

 

Basically, if you are trying to use the sponsor FQDN you should be using the same certificate for the admin and sponsor portal cert, then everything works fine.

Then the solution is to add the SAN of the sponsor portal to the admin certificate?

Yep, your admin cert should have all the one-off type sites you plan to use in your ISE install.  I usually do something like:

 

FQDN of all my ISE nodes

sponsor.mycompany.com

ise-bypass.mycompany.com (for the MyDevices portal I use to allow devices onto the network)

mydevices.mycompany.com (to allow for BYOD use cases)

 

Did they put that in the config guide - really doesn't ring a bell!

I'll reconfigure my certificate to include the SANs. Would it be ok to use a *, although it's not security best practise?

Wildcard is fine.  I haven't read the guides in years, but I doubt this issue is called out.  The issue you are seeing is really an unintended side effect of ISE supporting HSTS.  If ISE didn't support HSTS then you could tell your sponsor to go to http://sponsor.mycompany.com and everything would work perfectly.

Updated my certificate to include the SAN for sponsor, now it works. Again, thanks for helping Paul :)
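
Added example, not part of the original thread and not Cisco code: a check of whether a certificate's DNS SAN list covers every hostname users will type, applying the rule that a wildcard stands for a single left-most label. The hostnames in the sample lists are constructed (`ise01.lab.mycompany.com` is a hypothetical node FQDN), and `fetch_dns_sans` assumes the issuing CA is in the local trust store.

```python
import socket
import ssl


def san_covers(san: str, host: str) -> bool:
    """True if one DNS SAN entry covers host (left-most-label wildcard only)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    # A wildcard stands for exactly one label: *.example.com covers
    # a.example.com, but not example.com or a.b.example.com.
    label, _, parent = host.partition(".")
    return bool(label) and parent == san[2:]


def missing_names(sans, required):
    """Return the required hostnames that no SAN entry covers."""
    return [h for h in required if not any(san_covers(s, h) for s in sans)]


def fetch_dns_sans(host: str, port: int = 443, timeout: float = 5.0):
    """Read DNS SANs from the certificate a live listener presents.

    Assumption: the issuing CA is in the local trust store. Name checking is
    turned off so a mismatched certificate can still be read and reported.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample data, following the name list in the thread.
REQUIRED = ["sponsor.mycompany.com", "mydevices.mycompany.com",
            "ise-bypass.mycompany.com", "ise01.lab.mycompany.com"]
ADMIN_ONLY = ["ise01.lab.mycompany.com"]
ADMIN_WITH_SANS = ADMIN_ONLY + ["sponsor.mycompany.com",
                                "mydevices.mycompany.com",
                                "ise-bypass.mycompany.com"]
WILDCARD = ["*.mycompany.com"]

if __name__ == "__main__":
    for label, sans in [("admin only", ADMIN_ONLY),
                        ("admin + SANs", ADMIN_WITH_SANS),
                        ("wildcard", WILDCARD)]:
        print(f"{label:13} missing: {missing_names(sans, REQUIRED)}")
```

Running `missing_names(fetch_dns_sans(fqdn, 443), REQUIRED)` and the same against port 8550 shows which listener presents a certificate that lacks the sponsor name.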