Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2105
Views
10
Helpful
2
Replies

ISE 2.0 Cert Chain Android

Go to solution
MattD2010
Level 1
Level 1

‎01-15-2019 05:29 PM - edited ‎03-11-2019 01:53 AM

I recently updated a couple certs on our ISE server. I applied the same cert to the default portal policy as well as EAP Authentication. We went from an OV cert to an EV cert which required an intermediate cert to be installed to the ISE server. I am not having any problems with anything except the Guest Portal on Android.

 

What is happening is the Certificate chain is not complete on the android devices. All laptops are listing it as valid cert as they are listing the root and intermediate certs. I can manually install the intermediate cert on my android devices and have it show as valid, however that should not be needed as it is installed on the ISE server.

 

On top of that problem, we are recieving the portal redirect page (connectivitycheck.gstatic.com) and no portal. The only way I have been able to get around this is by clicking "connect as is" and open chrome; I then navigate to "connectivitycheck.gstatic.com". Then I am redirected to the correct Guest Portal.

 

Any help is appreciated

Thank you

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎01-15-2019 09:06 PM

I believe your issue could possibly stem from the certificate issue you are facing. Does the redirect work after you manually install the intermediate certificate on the device? If so then I will point you to this known issue.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj04703/

Now as for the certificate issue you have. You are seeing a legitimate invalid certificate warning if the intermediate certificate is missing from Android. Having the root and intermediate installed on the ISE server only allows the ISE deployment to trust that certificate. The trust store on the device, in this case Android, has to have the complete certificate chain installed to trust the issuer, both root and any intermediates doing the signing.

View solution in original post

2 Replies 2

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎01-15-2019 09:06 PM

I believe your issue could possibly stem from the certificate issue you are facing. Does the redirect work after you manually install the intermediate certificate on the device? If so then I will point you to this known issue.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj04703/

Now as for the certificate issue you have. You are seeing a legitimate invalid certificate warning if the intermediate certificate is missing from Android. Having the root and intermediate installed on the ISE server only allows the ISE deployment to trust that certificate. The trust store on the device, in this case Android, has to have the complete certificate chain installed to trust the issuer, both root and any intermediates doing the signing.

Go to solution
Ditlev Weinreich
Level 1
Level 1

‎05-29-2019 12:17 AM

Hi Matt

 

We're experiencing the exact same problem, though not limited to Android, but all devices that uses Google Chrome. The workaround, until we have found a prober solution, is to use other browsers than Google Chrome.

 

Best regards

 

Ditlev

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents