02-19-2017 11:48 PM
Hi there
I have a two-node ISE cluster running ISE 2.2 (newly installed). I have got two issues I am trying to address.
First one relates to the redirect URL.
According to the ISE documentation, in guest cases, including CWA, there is an automatic redirection that is occurring to the FQDN of the ISE PSN itself; however, this is not occurring in my deployment.
The redirect URL for CWA is always sent using the IP address of the ISE node instead of the FQDN.
The second issue I am trying to understand is that even if the URL did contain the FQDN instead of the IP address, then how do I make sure that the guest users are not getting a certificate error from the redirect page?
In a non-ISE scenario, where the portal is in the WLC (local webauth), a DNS name is set up in the WLC's virtual interface (1.1.1.1). This DNS name is resolvable and a publicly signed cert is used, making sure that the guest users do not get an error when connecting.
However, now that the ISE node's FQDN is what the client browser gets, how do we ensure that this FQDN does not throw a certificate error?
Thanks in advance
Accepted Solutions
02-20-2017 08:39 AM
The default behavior is the IP is sent.
There is an option to tell ISE to use a FQDN if you would like.
To ensure your users don't get a certificate warning, please use a certificate signed by a public authority.
Regards,
-Tim
02-20-2017 01:29 PM
Thanks for your reply Tim,
If I statically define node1's FQDN in the field, what will happen when node1 is down? Is there a way to configure this so that in node1's absence node2 will automatically respond?
02-20-2017 01:41 PM
Yes, set up an authz rule to match the correct PSN and return the correct authz profile redirect.
See this:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117620-configure-ISE-00.html
02-20-2017 05:15 PM
Thanks Jason & Alzhou.
I have read the link you provided and I can now see how a second authz rule addresses the PSN failover scenario.
Regarding the public certificate:
Our internal name space is “organization.net.nz”
Our external name space is “organization.co.nz”
FQDN for node1 = ISE01.organization.net.nz (172.19.189.9)
FQDN for node2 = ISE02.organization.net.nz (172.19.252.9)
Portal URL will be: guest.organization.co.nz
So are you saying that my CSR for the portal should contain:
Certificate usage – Portal
SAN should contain:
- DNS Name – guest.organization.co.nz
- IP – 172.19.189.9
- IP – 172.19.252.9
Regards
Aneesh Ram
02-20-2017 06:12 PM
To my understanding, yes. Please find Cisco Live session BRKSEC-3697 (2016, Las Vegas) and see page 41 for your reference.
02-20-2017 04:06 PM
You can try the guest portal certificate with the PSN's FQDN and the interface IP address both in the SAN field, to avoid that warning.
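An added check, written for this thread and not taken from any of the replies or from Cisco, that shows what the SAN discussion above comes down to: it takes a SAN list modelled on the CSR proposed above (guest FQDN plus the two node IPs) and reports, for each form the CWA redirect URL can take (node IP, guest FQDN, or the PSN's own FQDN), whether a browser would find the host covered by the certificate. The SAN entries, redirect URLs and session ID are constructed sample values; the match rules follow what browsers do, not any ISE API.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed SAN list modelled on the CSR proposed in the thread (sample data).
PORTAL_SANS = [
    ("DNS", "guest.organization.co.nz"),
    ("IP", "172.19.189.9"),
    ("IP", "172.19.252.9"),
]

def dns_match(pattern, host):
    """Name match as browsers do it: exact, or one leftmost wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False

def redirect_host(url):
    """Host part of a redirect URL (port and path dropped, lower-cased)."""
    return urlparse(url).hostname

def san_covers(sans, host):
    """True if the SAN list covers the host the browser will validate.
    An IP literal only matches an IP SAN; a name only matches a DNS SAN."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and dns_match(value, host):
            return True
    return False

def check_redirects(sans, urls):
    """Map each redirect URL to True (no warning) or False (cert warning)."""
    return {u: san_covers(sans, redirect_host(u)) for u in urls}

if __name__ == "__main__":
    # Constructed redirect URLs: IP-based default, guest FQDN, and PSN FQDN.
    urls = [
        "https://172.19.189.9:8443/portal/gateway?sessionId=0A1B2C",
        "https://guest.organization.co.nz:8443/portal/gateway?sessionId=0A1B2C",
        "https://ise01.organization.net.nz:8443/portal/gateway?sessionId=0A1B2C",
    ]
    for url, ok in check_redirects(PORTAL_SANS, urls).items():
        print("no warning" if ok else "CERT WARNING", url)
```

The third URL shows why the last reply suggests adding the PSN FQDN as well: if ISE is switched to sending its own FQDN, a certificate that lists only the guest name and IPs still produces a warning.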
