DigiCert with Guest Portal - Not Trusted?

Matthew Martin
Contributor

Hello All,

ISE v2.7

I just uploaded a new wildcard DigiCert certificate to ISE with the Role of Guest Portal. I uploaded the new wildcard cert + the private key that my manager gave me. I checked the Allow wildcard certs checkbox and everything appeared to update just fine.

So I then took my Android cell and connected to our Guest Wi-Fi. When I got redirected to the login page, I got the message: "The network you're trying to join has security issues."

When I click View Certificate in the browser window on my cell, it shows the portal login URL and says "This certificate isn't from a trusted authority". It shows Issued to: CN: *.mycompany.com and Issued by: DigiCert TLS RSA SHA256 2020 CA1.

Why wouldn't DigiCert be considered a Trusted Authority? I'm confused...

Thanks in Advance,
Matt

1 Accepted Solution

Accepted Solutions

In that case, most likely you are hitting CSCvu84184, which is solved in v2.7 patch 5. I would recommend applying the latest patch and then repeating the testing.

Kind regards,

Milos


13 Replies

balaji.bandi
VIP Community Legend

How is your URL redirect FQDN set up?

Is it, for example, guestportal.mycompany.com, or an IP?

Do you have a DNS entry for guestportal.mycompany.com?


Note: how about trying another device as part of testing?

BB


Thanks for the reply.

We have it set up to use the hostname, i.e. ise-location1.mycompany.com


Milos_Jovanovic
VIP Engager

Hi Matthew,

I assume you have installed Root and Intermediate CA certificates under Trusted Certificates?

Which version exactly are you running? If it is v2.7 under patch 5, you might be hitting CSCvu84184.

Kind regards,

Milos

So the Cert from DigiCert came with the Wildcard cert and a Root Cert. When I looked at the Root cert it appears to be the same as the existing DigiCert Root Cert that's already uploaded to ISE...

If I try to upload the Root cert that I received with the new wildcard cert, would it give me an error/warning if that exact same cert already exists?

I don't think that's the issue here. If the root cert was not in the trusted cert store, it won't even let you install the wildcard cert and private key.

Review this link:

https://community.cisco.com/t5/network-access-control/ios-wireless-users-being-prompted-to-trust-public-certificate/td-p/3820678

-hope this helps-

Ok gotcha, thanks for the reply. That part makes sense...

From the link, I know they're specifically talking about iOS and I'm trying on an Android. But it sounds like it could be the same issue... Since I do not get the message on a Windows PC, should I assume this is just something with iOS and Android devices, and there's not really a "fix" per se?

I know it also mentioned something about the Cert having a CRL list. Not really familiar with what that is. Is there a way to check if our Cert has a Certificate Revocation List?

Open the public cert, go to Details, and you will see the CRL distribution list field.

It may be the bug mentioned by @Milos_Jovanovic.

On a separate note, I would think that whether it's PEAP or CWA, the CRL issue will apply in both cases, since the client needs to validate the ISE cert in both cases. Is that not right?

When you accept the certificate once, then delete the MAC and get redirected again, does it prompt the cert error again?

-hope this helps-

Milos_Jovanovic
VIP Engager

If you try to upload an already existing cert, yes, it would warn you that a cert with the same private/public key already exists.

I don't think it is the issue that @ammahend mentioned, because over there, EAP is in use, while you are using CWA with Guest portal, so different principles are in use.

What is your exact ISE version? As I mentioned, there is a known bug in which ISE is not sending the entire CA chain with the certificate for Guest portals.

Kind regards,

Milos

We are running:

Version: 2.7.0.356
Patch Information: 3

In that case, most likely you are hitting CSCvu84184, which is solved in v2.7 patch 5. I would recommend applying the latest patch and then repeating the testing.

Kind regards,

Milos

Thanks for the reply Milos.

I'm pretty sure the answer is yes. But when installing patches, are they cumulative, i.e. would I just need the newest patch?


As already noted, go for the latest in the 2.7 train because patches are cumulative; avoid p5 because of: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa00729

M.

Milos_Jovanovic
VIP Engager

Yes, patches are cumulative, and you only need to install the latest one.

Kind regards,

Milos
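The two checks discussed in this thread, an incomplete chain presented by the portal and the CRL Distribution Points field on the cert, reproduced offline as an added example (not from the thread or from Cisco): it builds a throwaway root, intermediate and wildcard leaf with openssl, then shows that a server presenting only the leaf cannot be validated against the root, while leaf plus intermediate can. All names, files and the CRL URL are constructed for the demo.

```shell
#!/bin/sh
# Added example: why a portal that omits the intermediate CA shows as
# "not from a trusted authority" even though the root is trusted.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA (the kind of cert that lives in the device trust store).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 30 \
  -subj "/CN=Demo Root CA" >/dev/null 2>&1
# Intermediate CA, signed by the root (constructed name).
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Demo TLS RSA 2020 CA1" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile int.ext >/dev/null 2>&1

# Wildcard leaf issued by the intermediate, carrying a CRL Distribution
# Points extension (placeholder URL) like the one the thread mentions.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=*.mycompany.com" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.mycompany.com\n' > leaf.ext
printf 'crlDistributionPoints=URI:http://crl.example.invalid/demo.crl\n' >> leaf.ext
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile leaf.ext >/dev/null 2>&1

# verify_chain ROOT LEAF [INTERMEDIATE...]: succeeds (exit 0) only when the
# certs a server presents can be chained up to the trusted root, which is
# what a browser or Android client does with the portal's TLS handshake.
verify_chain() {
  root=$1; leaf=$2; shift 2
  if [ $# -gt 0 ]; then
    cat "$@" > presented_ints.pem
    set -- -untrusted presented_ints.pem
  fi
  openssl verify -CAfile "$root" "$@" "$leaf" >/dev/null 2>&1
}

# crl_dp CERT: prints the URI(s) from the CRL Distribution Points extension.
crl_dp() {
  openssl x509 -in "$1" -noout -text | grep -A 3 'CRL Distribution Points' | grep -o 'URI:[^ ]*'
}

# Leaf only (the CSCvu84184 symptom) fails; leaf + intermediate succeeds.
verify_chain root.pem leaf.pem && echo "leaf only: trusted" || echo "leaf only: NOT trusted (missing intermediate)"
verify_chain root.pem leaf.pem int.pem && echo "leaf+intermediate: trusted" || echo "leaf+intermediate: NOT trusted"
crl_dp leaf.pem
```

Against a live portal, `openssl s_client -showcerts -connect <portal-fqdn>:<port> </dev/null` lists exactly which certificates ISE is presenting, so you can see whether the intermediate is missing before and after patching.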
