I have an ISE 2.4 Patch 8 setup where I'm running 3 different captive portals which all use the same certificate. I have installed the root CA, as well as both intermediates in the chain from AddTrust, in my trusted store. My SSL cert that is assigned to my CWA has 5 SAN fields, which cover both ISE nodes' DNS names as well as the DNS names of my web portals.
Now I've been having an issue, specifically with Android clients in my environment, correctly joining either of my two guest portals: they are bombarded with an SSL error that the cert is not valid. What I do is open the connection in a browser, and I can see the DNS name at the top of the page; I validate the cert and it's referencing the ISE box itself, as if it's attempting to go against the cert I have assigned to the admin login rather than the portal login. For example, my portal is specified as guest.domain.com:8540/[portal url]; however, when I view it in the browser I see the same URL but an invalid cert. If I choose to ignore the error and continue anyway, proceed to log in and connect to the network, then check the Wi-Fi connection settings for the SSID I'm attached to and click on the "manage router" field, which redirects me to the FQDN of my portal, I see that the certificate is valid and there is no issue.
So my question is this, in case anyone has figured out the solution, because I haven't found much help online thus far: why does Android not see the certificate when it first attempts to reach the portal, but it does see the cert after it's already authenticated and has internet? When I'm using my iPhone to test against the portals I have no issue: no cert error, and no mandatory trust that must be granted to reach the captive portal. Is there something I'm missing between Android not working and the iPhone working? This also works with a Windows 10 machine, as I tested it in Internet Explorer as well to make sure I wasn't going crazy.
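The post hinges on which certificate a given ISE listener actually presents and whether the name the device used is in that certificate's SAN list. The following Go program is an added example, not code from the original post or from Cisco ISE: `FetchPresentedChain` dials a host:port with a chosen SNI and returns the chain the server sends (verification is deliberately skipped because the goal is to inspect, not to trust), and `CoversName` applies the same SAN matching a client performs (the CN is ignored once SANs are present). The hostnames `ise1.domain.com`, `guest.domain.com` and so on, and the five-entry SAN list, are constructed placeholders modelled on the post, built into a self-signed test certificate so the checks run offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// FetchPresentedChain connects to addr (host:port) using sni as the TLS
// ServerName and returns the chain the server presented. Verification is
// skipped on purpose: this is an inspection tool, not a trust decision.
func FetchPresentedChain(addr, sni string) ([]*x509.Certificate, error) {
	d := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{
		ServerName:         sni,
		InsecureSkipVerify: true, // inspection only; never do this in a client
	})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// CoversName reports whether the leaf certificate is valid for host under
// normal client rules: SAN dNSName entries are consulted, the CN is not.
func CoversName(leaf *x509.Certificate, host string) bool {
	return leaf.VerifyHostname(host) == nil
}

// Report evaluates every name a device might use to reach the portal.
func Report(leaf *x509.Certificate, expected []string) map[string]bool {
	out := make(map[string]bool, len(expected))
	for _, h := range expected {
		out[h] = CoversName(leaf, h)
	}
	return out
}

// NewTestCert builds a self-signed certificate carrying the given SAN DNS
// names. It exists only so the checks above can be exercised offline; it is
// a constructed stand-in, not the ISE certificate from the post.
func NewTestCert(sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sans[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     sans,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample SAN list (hypothetical names, five entries as in the post).
	sans := []string{
		"ise1.domain.com", "ise2.domain.com",
		"guest.domain.com", "sponsor.domain.com", "byod.domain.com",
	}
	leaf, err := NewTestCert(sans)
	if err != nil {
		panic(err)
	}
	fmt.Println("SANs:", leaf.DNSNames)
	for h, ok := range Report(leaf, []string{"guest.domain.com", "ise1.domain.com", "portal.domain.com"}) {
		fmt.Printf("%-20s covered=%v\n", h, ok)
	}
	// Against a live node, e.g. the portal and the admin listener separately:
	//   chain, err := FetchPresentedChain("guest.domain.com:8540", "guest.domain.com")
	//   chain, err := FetchPresentedChain("guest.domain.com:443", "guest.domain.com")
	// and then Report(chain[0], ...) tells you which names that listener's cert covers.
}
```

Run it once per listener (portal port and admin port) and once per name a client might use, including the bare ISE node FQDN; if the chain returned for the portal port differs from the one you expected, or the portal name is missing from its SANs, that is the mismatch a strict client would reject.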