Group tag doesn't work for portal FQDN

masyamad
Cisco Employee

Hi team,

I installed 2 separate certificates: 1 for portals, with the tag "portals", and another for other usages.

When I access a portal page with the original URL, like https://<ise ip or ADE-OS hostname>:8443/xxxxx...., the portal certificate is used as expected. But when I access the same portal with the configured FQDN, like https://mydevices01.cert-test.com, the admin certificate is used once at the URL access, and then the portal certificate is used after the page redirects to <ise ip>:8443. Is this the expected behavior by design?

* FQDN configuration is as follows.

[screenshot: 無題.png]

My customer would like not to show the admin cert to MyDevices portal operators or sponsors.

How can we specify the certificate used for the configured FQDN, like mydevices01.cert-test.com?


paul
Level 10

This is normal when you run different certs for admin and portal. ISE can't issue a redirect without negotiating SSL. So you are going to 443, which is the admin cert. Use HTTP instead of HTTPS in the first request and the redirections will work. Note that Chrome will automatically go to SSL even if you type in http://. Chrome supports HSTS, as does ISE.

masyamad
Cisco Employee

Thanks for the information. It seemed to work well, but I noticed it caused almost the same issue.
After the http to https redirect, the admin cert is exposed to the BYOD user.

My results are as follows.

1) Access https://mydevices01.cert-test.com:8443/xxxx/.... directly.
We can see the My Devices portal without any problems.

2) Access https://mydevices01.cert-test.com
We can see the My Devices portal after the redirection, but faced the admin certificate at the redirection.

3) Access http://mydevices01.cert-test.com.
It redirects the web browser to https://mydevices01.cert-test.com, then redirects to https://mydevices01.cert-test.com:8443/xxxxx/....
We can see the My Devices portal after the 2nd redirection, but faced the admin certificate at the 1st redirection.

When the browser accesses an alias FQDN like <https://mydevices01.cert-test.com>, the hostname "mydevices01" is not for ISE general use like "ISE01" configured on ADE-OS, but a specific name for a certain service. In the separated-certificate scenario, the admin cert doesn't have "mydevices01" in the CN/SAN field, and the portal cert actually has it. I hope there is a way to configure ISE to use the portal cert for accessing the FQDN configured in the portal page setting.

paul
Level 10
Accepted Solution

#2 will never work unless you have the admin cert and portal cert the same. Honestly, if you are planning your deployment to use FQDNs for portals, you really should have them the same, especially with ISE supporting HSTS, as I mentioned in my first response.

#3 is because you are using a browser that supports HSTS or your browser is remembering you typing in https://. Most likely you are using a browser that supports HSTS. I don't think IE supports this yet, which is why I usually test the FQDN redirect there if my admin/guest certs are different.

masyamad
Cisco Employee

Thanks Paul,

In my previous reply, I didn't fully understand HSTS, but now I think I understand. OK, I'll try IE http access on my testbed.

I tested IE11, but the browser was redirected to "https://mydevices01.cert-test.com/redir" and the admin cert is used for the https access.

paul
Level 10
Accepted Solution

Ahh, I just Googled IE HSTS and see it supports it. I will have to check why mine doesn't do it. So you have three choices:

1) Add mydevices.company.com as a SAN to the admin cert to allow for the brief FQDN redirect.

2) Combine the admin and portal cert.

3) Don't use FQDN.

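The behaviour Paul describes, modelled as an added example (not code from this thread or from Cisco ISE): a small Python script that treats the certificate as chosen by listening port (443 = admin cert, 8443 = portal cert), walks the redirect chain from scenario 3 above, and reports at which hop the browser would see a certificate that does not name the requested FQDN, with and without Paul's first option applied. The certificate names, the chain and the `mydevicesportal` path are constructed, and "only the port selects the certificate" is a simplification of ISE assumed for the model.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

@dataclass
class Cert:
    label: str                               # "admin" or "portal"
    cn: str
    sans: list = field(default_factory=list) # dNSName SAN entries

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or one wildcard as the leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[1:]                 # ".cert-test.com"
        prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return False

def cert_covers(cert: Cert, host: str) -> bool:
    names = cert.sans or [cert.cn]           # SAN wins; CN only as fallback
    return any(name_matches(n, host) for n in names)

def audit_chain(hops: list, cert_by_port: dict) -> list:
    """(url, cert label, hostname ok?) for every https hop. Assumed model:
    the certificate is picked by listening port (443 admin, 8443 portal)."""
    findings = []
    for url in hops:
        u = urlparse(url)
        if u.scheme == "https":              # an http hop shows no cert at all
            cert = cert_by_port[u.port or 443]
            findings.append((url, cert.label, cert_covers(cert, u.hostname)))
    return findings

# Constructed certificates and the redirect chain from scenario 3 in the thread.
ADMIN = Cert("admin", "ise01.cert-test.com", ["ise01.cert-test.com"])
PORTAL = Cert("portal", "mydevices01.cert-test.com", ["mydevices01.cert-test.com"])
CHAIN = ["http://mydevices01.cert-test.com",
         "https://mydevices01.cert-test.com",
         "https://mydevices01.cert-test.com:8443/mydevicesportal/"]

def mismatched_hops(admin_sans=None) -> list:
    """URLs where the browser would warn; pass an extended SAN list to try
    Paul's first option (adding the portal FQDN as a SAN on the admin cert)."""
    admin = Cert("admin", ADMIN.cn, admin_sans or ADMIN.sans)
    return [u for u, _, ok in audit_chain(CHAIN, {443: admin, 8443: PORTAL}) if not ok]
```

With the two certificates as constructed, only the 443 hop is flagged; adding mydevices01.cert-test.com to the admin cert's SAN list clears it, which is what the first of the three choices buys you.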

masyamad
Cisco Employee

I see, thanks for the clarification!