Certificate is not trusted when attempting to connect to Guest Portal hosted on Cisco ISE

Adrian Bow
Level 1

Hi all,

I have an issue where clients use their Android device to associate to the Guest WLAN. When they open up their browser and type in a secure website (any secure website with HTTPS), they get a "site's security certificate is not trusted" error. Only when they click on proceed will they be redirected to the Guest Portal on Cisco ISE. I think this is happening because when a client attempts to connect to https://www.google.com, they are expecting a google.com certificate but instead receive a certificate from the ISE node due to the URL redirection.

There are no issues when the user types a non-secure website (HTTP) into their browser, which will redirect to the Guest Portal on Cisco ISE successfully.

The deployment uses Cisco WLC 5508s with version 8.0.100 and a SNS-3415 running ISE 4.0. The Guest Portal is hosted on ISE.

Does anyone know whether there is a resolution for HTTPS URL redirect to Guest Portals on Cisco ISE?

Regards,

Adrian  

4 Replies

jan.nielsen
Level 7

This is just how SSL works; it has nothing to do with ISE or the WLC. As the certificate presented by the ISE server does not contain the name of the site you are trying to reach, it will always give you a cert error. Solution: you shouldn't use an HTTPS URL to get redirected.

With more sites nowadays becoming secure, the first thing a guest user would naturally do when they are out onsite is type www.google.com in their browser, which is the first site that comes to mind for the majority of users, and expect to be redirected to the Guest Portal on ISE. It would be an annoyance for a support team to tell the user to get to the Guest Portal by either clicking on "proceed" or using an HTTP website.

I'm sure Cisco is aware of this, hence why in their WLC v8.0 code they've introduced the HTTPS web redirection command. I hear that version 8.0.110.0 fixes some bugs related to the HTTPS web redirection, but I haven't seen anyone yell out that it resolves this issue.

I realize it's a problem, but what I'm saying is that there is no way to fix this properly. Enabling SSL redirect in the WLC won't make this work, as it would be breaking the way SSL works, if you were able to do this. I would suggest opening access to www.google.com so they don't get redirected when they put in https://www.google.com; then when they use Google and click some HTTP link, they will be redirected without cert errors.

Thanks Jan for your input into this. I will try what you just suggested.

Cheers!
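
An added illustration of the behaviour discussed in the replies above; it is not part of the thread and is not Cisco code. The portal certificate names and the `preauth_allowed` set are constructed assumptions, and `san_matches` is a simplified form of the RFC 6125 hostname check that browsers perform.

```python
from urllib.parse import urlsplit

# Constructed sample: DNS names in the portal node's certificate (hypothetical hosts).
PORTAL_CERT_SANS = ["ise01.guest.example.net", "*.guest.example.net"]


def san_matches(hostname: str, pattern: str) -> bool:
    """Simplified RFC 6125 match: case-insensitive, wildcard only as the
    whole left-most label, and a wildcard covers exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def cert_valid_for(hostname: str, sans: list) -> bool:
    """True if any name in the certificate covers the requested hostname."""
    return any(san_matches(hostname, p) for p in sans)


def guest_browser_outcome(url: str, preauth_allowed: frozenset = frozenset()) -> str:
    """What an unauthenticated guest sees when the network answers the
    request with the portal node instead of the requested site."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in preauth_allowed:
        # Destination is permitted before login, so nothing is intercepted.
        return "real site reached"
    if parts.scheme == "http":
        # No certificate is involved: the redirect response is accepted as-is.
        return "portal reached"
    # HTTPS: the browser checks the certificate against the name it asked for
    # during the TLS handshake, before any HTTP redirect can be delivered.
    if cert_valid_for(host, PORTAL_CERT_SANS):
        return "portal reached"
    return "certificate warning"


if __name__ == "__main__":
    for u in ("http://example.org/", "https://www.google.com/",
              "https://ise01.guest.example.net/"):
        print(u, "->", guest_browser_outcome(u))
    print(guest_browser_outcome("https://www.google.com/",
                                frozenset({"www.google.com"})))
```
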