11-23-2022 09:37 AM
Hello All,
ISE v2.7
I just uploaded a new wildcard DigiCert certificate to ISE with the Role of Guest Portal. I uploaded the new wildcard cert + the private key that my manager gave me. I checked the Allow wildcard certs checkbox and everything appeared to update just fine.
So I then took my Android cell and connected to our Guest Wi-Fi. When I got redirected to the login page, I got the message: "The network you're trying to join has security issues."
When I click View Certificate in the browser window on my cell, it shows the portal login URL, and says "This certificate isn't from a trusted authority". It shows Issued to: CN: *.mycompany.com and Issued by: DigiCert TLS RSA SHA256 2020 CA1.
Why wouldn't DigiCert be considered a Trusted Authority? I'm confused...
Thanks in Advance,
Matt
11-23-2022 09:47 AM - edited 11-23-2022 09:47 AM
What is your URL redirect FQDN? Is it, for example, guestportal.mycompany.com, or an IP?
Do you have a DNS entry for guestportal.mycompany.com?
Note: how about trying another device as part of testing?
11-23-2022 10:00 AM
Thanks for the reply.
We have it set up to use Hostname, i.e. ise-location1.mycompany.com
11-23-2022 10:55 AM
Hi Mathew,
I assume you have installed Root and Intermediate CA certificates under Trusted Certificates?
Which version exactly are you running? If it is v2.7 under patch 5, you might be hitting CSCvu84184.
Kind regards,
Milos
11-23-2022 11:02 AM
So the Cert from DigiCert came with the Wildcard cert and a Root Cert. When I looked at the Root cert it appears to be the same as the existing DigiCert Root Cert that's already uploaded to ISE...
If I try to upload the Root cert that I received with the new wildcard cert, would it give me an error/warning if that exact same cert already exists?
11-23-2022 11:16 AM
I don't think that's the issue here; if the root cert was not in the trusted cert store, it won't even let you install the wildcard cert and private key.
Review this link:
11-23-2022 11:40 AM
Ok gotcha, thanks for the reply. That part makes sense...
From the link, I know they're specifically talking about iOS and I'm trying on an Android. But, it sounds like it could be the same issue... Since I do not get the message on a Windows PC, should I assume this is just something with iOS and Android devices, and there's not really a "fix" per se?
I know it also mentioned something about the Cert having a CRL list. Not really familiar with what that is. Is there a way to check if our Cert has a Certificate Revocation List?
11-23-2022 12:16 PM - edited 11-23-2022 12:20 PM
Open the public cert, go to Details, and you would see the CRL distribution list field.
It may be the bug mentioned by @Milos_Jovanovic.
On a separate note, I would think that with either PEAP or CWA the CRL issue will apply in both cases, since the client needs to validate the ISE cert in both cases. Is that not right?
When you accept the certificate once, delete the MAC, and get redirected again, does it prompt the cert error again?
11-23-2022 12:00 PM
If you try to upload an already existing cert, yes, it would warn you that there is a cert with the same private/public key already existing.
I don't think it is the issue that @ammahend mentioned, because over there EAP is in use, while you are using CWA with the Guest portal, so different principles are in use.
What is your exact ISE version? As I mentioned, there is a known bug in which ISE is not sending the entire CA chain with the certificate for Guest portals.
Kind regards,
Milos
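Two things in this thread are worth checking from the client side before patching: whether the portal actually hands out the intermediate (the "ISE not sending the entire CA chain" symptom Milos describes) and what the leaf's CRL distribution point field contains (the field ammahend points at). The following shell functions are an added example, not from the thread or from Cisco; they assume openssl 1.1.1+ on the path and take the portal's redirect FQDN and port as arguments (8443 is only a placeholder default).

```shell
# Added example: classify an `openssl s_client -showcerts` transcript taken
# against the guest portal's redirect FQDN, to tell "server sent only the
# leaf" apart from "issuer not in the local trust store".
# Assumes openssl 1.1.1+ in PATH (for `x509 -ext`); host/port are arguments.

# Number of PEM certificates the server sent (counts BEGIN markers).
count_chain_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Numeric "Verify return code" from the transcript (empty if absent).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Map cert count + verify code to a diagnosis:
#   0  -> ok
#   21 -> a single non-self-signed cert was sent: the chain was omitted
#   20 -> the last cert's issuer is not in the local trust store
classify_transcript() {
    n=$(count_chain_certs "$1")
    code=$(verify_code "$1")
    case "$code" in
        0)  echo ok ;;
        21) if [ "$n" -le 1 ]; then echo chain-incomplete; else echo "unverified:21"; fi ;;
        20) echo issuer-not-trusted ;;
        *)  echo "unverified:${code:-none}" ;;
    esac
}

# Live check: capture the handshake, classify it, then print the leaf's
# CRL distribution points (x509 reads the first PEM block, i.e. the leaf).
check_portal() {
    host="$1"; port="${2:-8443}"
    tmp=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null >"$tmp" 2>&1
    echo "certs sent: $(count_chain_certs "$tmp")"
    echo "diagnosis: $(classify_transcript "$tmp")"
    openssl x509 -in "$tmp" -noout -ext crlDistributionPoints 2>/dev/null
    rm -f "$tmp"
}
```

Run it as `check_portal ise-location1.mycompany.com 8443`; "chain-incomplete" with one cert sent matches the missing-intermediate behaviour, while "issuer-not-trusted" with two certs sent points at the client's trust store instead.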
11-23-2022 12:02 PM
We are running:
11-23-2022 12:36 PM
In that case, most likely you are hitting CSCvu84184, which is solved in v2.7 patch 5. I would recommend applying the latest patch and then repeating the testing.
Kind regards,
Milos
11-28-2022 08:18 AM
Thanks for the reply Milos.
I'm pretty sure the answer is yes. But, when installing patches, are they cumulative, i.e. would I just need the newest patch?