Cisco ISE 2.2 guest certificate untrusted

BrianPersaud
Spotlight

Hi, I am running ISE 2.2. We have a single ISE node set up with an FQDN ending with .local instead of .com.

 

The problem is that when users try to access the guest portal, it prompts them and states that the certificate is untrusted since it is a .local domain.

 

We do have a wildcard public cert.  Is there any workaround to use the public cert instead that will not break the current ISE deployment?  

 

Thanks

 

Brian

7 Replies 7

Jason Kunst
Cisco Employee
You need a well-known public certificate like one from SSL, GoDaddy, VeriSign etc. Otherwise the user device/browser won’t trust it.

Here is more information
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0110.html#concept_8ECCCAF1252E40DDB9A786C0AC7BC3B2

Thanks, good article. I do have the public GoDaddy wildcard cert and a DNS entry pointing to the .com. However, the users get redirected to the .local DNS and are getting prompted to trust the cert.

Like this article, you’ll need to make sure that DNS is resolving to the correct name of the cert:
https://community.cisco.com/t5/identity-services-engine-ise/guest-portal-certificate-conundrum/m-p/3872650#M27660

You’ll need to reconfigure DNS appropriately

It's working now.  I had to update the profile setting to use the wildcard cert instead of the default profile cert.

For the device? That’s manual effort. That doesn’t make sense. Are all your guests going to do that?

When I uploaded the new wildcard cert under certificate management, I created a new usage item for the portal just for this cert.  

I had to  guest portal to use the new cert under certificate group tag

OK, thanks, I was confused by what profile meant! Thought it was something to do with the endpoints.

You’re talking about the portal tag
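
The name-matching rule behind the fix in this thread, as an added example that is not part of the original posts: a browser accepts the portal certificate only if the FQDN it was redirected to matches a name in that certificate, and a wildcard entry covers exactly one label. All hostnames and SAN entries below are constructed placeholders.

```python
# Added example: hostnames and SAN entries are constructed placeholders,
# not values from the thread or from any ISE deployment.

def san_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the whole leftmost
    label and stands for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat) or "" in host:
        return False
    if pat[0] == "*":
        # Require at least two fixed labels after the wildcard (no '*.com').
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def portal_name_check(redirect_fqdn, san_list):
    """Return (name_ok, matching_entry) for the FQDN a guest is redirected to."""
    for entry in san_list:
        if san_matches(redirect_fqdn, entry):
            return True, entry
    return False, None


# Constructed sample: SAN list of a public wildcard certificate, and
# candidate FQDNs the guest redirect could point at.
WILDCARD_SANS = ["*.example.com", "example.com"]
CANDIDATES = [
    "ise01.corp.local",        # internal node name: outside the wildcard's domain
    "guest.example.com",       # one label under the wildcard: matches
    "guest.wifi.example.com",  # two labels deep: the wildcard does not reach it
    "example.com",             # bare domain: matches only via the explicit SAN
]


def report():
    """Map each candidate FQDN to its (name_ok, matching_entry) result."""
    return {name: portal_name_check(name, WILDCARD_SANS) for name in CANDIDATES}


if __name__ == "__main__":
    for name, (ok, entry) in report().items():
        print(f"{name:26} {'OK via ' + entry if ok else 'MISMATCH'}")
```

A MISMATCH row corresponds to the browser warning described in the first post: the redirect name and the certificate names disagree, regardless of which CA signed the certificate.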