4121 Views · 15 Helpful · 14 Replies

ISE 2.1 guest portal - certificate required???

N3t W0rK3r (Level 3)

Is it absolutely necessary to redirect guests to a secure site for our wifi guest portal?  Can we just avoid any client certificate issues by using a regular http url in the redirect?  We are not authenticating guests in any way, just asking them to acknowledge an AUP.

 

Thanks.

 

John

Accepted Solution:

What CA signed your hotspot portal cert? I do not think you can do something because the hotspot portal is HTTPS mandatory, which requires a certificate group tag.

14 Replies

ajc (Level 7)

If you do NOT need guest authentication at all, USE Hotspot Portal instead of Guest Portal. Hotspot portal only presents the AUP page and assigns those MAC addresses from the guest devices into a specific Endpoint Group.

 

I am assuming that your guest subnet is totally isolated from your production environment so only accepting the AUP would be enough.

 

The certificate applies to all the Portals. This certificate can be the self-signed one from ISE or the custom one you uploaded to the box. So you cannot avoid it.

Thanks Abraham.

 

I am indeed using what's labelled as the Hotspot Guest Portal (default).

 

We currently have it set up to redirect the client to an AUP page on a secure public FQDN. This works until a client doesn't recognize the root CA of our installed certificate. To avoid these issues, which we cannot control, we thought about maybe not even using a secure site for the AUP. Is this possible?

What CA signed your hotspot portal cert? I do not think you can do something because the hotspot portal is HTTPS mandatory, which requires a certificate group tag.

The cert we are using on the portal was issued by GeoTrust RSA CA 2018.

Hi,
GeoTrust is a public CA, so it should be trusted by the majority of browsers. Is the FQDN/CN of the certificate correct? Is that the issue here?

As Abraham previously mentioned, I don't believe you can use the portal without a certificate.

OK thanks guys....

Then perhaps I did something wrong when I installed the new certificate.  The complaints from our guests seem to have started after I installed the new cert.

Is there something else I should have done besides just installing the new cert to the appropriate ISE PSNs?

Everything seemed to be working fine with the old cert that was installed.

 

Thanks.

 

John

I suspect you probably missed the Subject Alternative Name on the new certificate, so that all the FQDN names for each node in the deployment were included in that cert.

Thanks Abraham,

 

I checked the cert and the SAN has the public FQDN listed, not the FQDNs of the ISE PSNs.

Actually, looking at this more, I think the certs are installed and working correctly. I am troubleshooting with an older Google Nexus 6 phone running Android 7.1.1.

When it first detects our guest wifi, it prompts "Sign in to Wi-Fi Network". When I click that, it does a captive portal detection check and then complains that there is something wrong with our site's security. Note that this is not done within Chrome; it is some other app with browsing capabilities. The URL at the top of the window being referenced is our public FQDN, as expected. When I click to continue with the web browser, Chrome launches our AUP page correctly and recognizes the certificate without issue. From here I accept the AUP and am able to connect to the wifi.

For whatever reason, that captive portal detection app does not like our site cert, and yet Chrome does. I guess there is nothing we can do on the ISE side of things to correct this issue... would you concur?

Thanks.

John

Hi John,

 

I experienced a lot of issues when I was playing with the public signed certs for the Portals. I had problems with the Certificate Portal Tag. Not sure if that is related to your issue. In any case, I have some questions:

 

- How did you upload the new cert into EACH node of the deployment, using the Primary PAN IMPORT button?
- Is the new cert using the same CERTIFICATE PORTAL TAG or a new one?
- Are your portals pointing to the NEW CERTIFICATE PORTAL TAG if the old one was replaced?
- Are you using the same CA authority to sign the Portal Certificate, or is this a new one?
- Could you post the Trusted Certificate store showing the old certificate and the new one?

 

thanks

 

 

Hi Abraham,

 

I imported the cert from the Admin - System - Certificates - System Certificates page in the web console of ISE 2.1. I used the import button and imported the cert onto each of 3 PSNs that may host the portal (only one PSN hosts it currently). I did NOT install the cert on the PANs, however, as I didn't think it was needed, and I'm pretty sure the old cert wasn't installed there either.

 

The new cert is using the same Default Portal Certificate Group tag as the old cert did.  I have removed the old expired cert from the system by the way.  Here is what the current entry looks like on each PSN:

[Image: CertEntry.PNG]

Although I don't remember for sure, I do believe this cert is from a different CA.  I should add that I have also installed the CA's intermediate and root certificates under Trusted Certificates.  The cert being used can be viewed on our website at https://www.hsnsudbury.ca 

 

A snapshot of our Trusted cert store is provided below, with our internal CA info blacked out.

[Image: TrustedStore.PNG]

The old certificate was issued by GeoTrust DV SSL CA - G3, from GeoTrust Global CA.

I hope this info is helpful.

 

Thanks very much for taking the time to assist.

 

John

I should also add that I was just reviewing this guide at https://communities.cisco.com/docs/DOC-68169 and I see where it says to issue a CSR from ISE in order to obtain the cert and then bind the cert to the CSR. I did not do this. Could this be my problem? I didn't do this with the old cert either.

The cert that is being used on ISE is the same one used for our website referenced in my previous post.

Is this a problem do you think??

 

Thanks.

 

John

Hi John,

 

Could you please edit the certificate for the Portal and post the CN. The screenshot that you posted before is something called FRIENDLY NAME and is not necessarily the CN value. The CN of that certificate should be, for example, the Primary PAN hostname + domain, and it should also have all the CNs for each PSN node, including the sponsor portal and guest FQDN. See next.

 

[Images: portalcert.png, portalcert1.png]

For my guest portal cert only, the CN and SANs are shown below:

[Image: CN SAN.PNG]

And the cert usage for the same cert is shown below:

[Image: Cert Usage.PNG]

Everything looks fine, but please check each PSN from Primary PAN > System Certificates > PSN Node > New Certificate (Used by = Portal, Portal Group Tag = Default Portal Certificate Group).

 

When the new certificate is added to the Primary PAN for the Portal USE with the default tag, it is not replicated to the rest. You have to manually add it to each node.
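The name questions raised in this thread (does the SAN list the public redirect FQDN, the sponsor FQDN and each PSN hostname; is the CN alone enough) can be checked offline before touching the ISE nodes. The script below is an added example for this thread, not Cisco ISE code; the certificate names, portal FQDNs and redirect URLs in it are constructed placeholders. It applies the RFC 6125 matching rules that browsers and most platform verifiers use: dNSName SAN entries are authoritative, the CN is only consulted when the certificate carries no dNSName SAN at all, and a wildcard may only stand in for the single left-most label. It generalizes the thread's single-FQDN case to auditing a whole list of portal FQDNs against one certificate.

```python
"""Offline check of which portal FQDNs a certificate's names cover.

Added example for this thread (not Cisco ISE code). The certificate names,
FQDNs and redirect URLs below are constructed placeholders.
"""
import ipaddress
from urllib.parse import urlsplit


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate dNSName (or CN) `pattern` matches `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    try:  # a wildcard never covers an IP literal
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*' stands for exactly one label; '*.org'-style patterns are refused
    if len(p_labels) < 3 or len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(hostname, san_dns, cn=None):
    """Return 'san', 'cn-only' (only legal when no dNSName SAN exists) or None."""
    if san_dns:
        return "san" if any(dns_name_matches(p, hostname) for p in san_dns) else None
    if cn is not None and dns_name_matches(cn, hostname):
        return "cn-only"
    return None


def check_portal_redirect(redirect_url, san_dns, cn=None):
    """Evaluate one portal redirect target against the certificate names."""
    parts = urlsplit(redirect_url)
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append("redirect is not HTTPS; ISE hotspot/guest portals are served over HTTPS only")
    coverage = cert_covers(host, san_dns, cn)
    if coverage is None:
        findings.append(f"{host} is not covered by the certificate's dNSName SAN entries")
    elif coverage == "cn-only":
        findings.append(f"{host} matches only the CN; add it as a dNSName SAN entry")
    return {"host": host, "coverage": coverage, "findings": findings}


def uncovered_portal_names(portal_fqdns, san_dns, cn=None):
    """FQDNs from the list that would fail hostname verification."""
    return [f for f in portal_fqdns if cert_covers(f, san_dns, cn) != "san"]


# --- constructed sample data (placeholders, not taken from the thread) ---
SAN_DNS = ["guest.example.org", "*.ise.example.org"]
CN = "guest.example.org"
PORTAL_FQDNS = [
    "guest.example.org",       # public FQDN used in the hotspot redirect
    "sponsor.example.org",     # sponsor portal FQDN
    "psn1.ise.example.org",    # PSN node hostnames that may host a portal
    "psn2.ise.example.org",
]

if __name__ == "__main__":
    print("not covered:", uncovered_portal_names(PORTAL_FQDNS, SAN_DNS, CN))
    for url in ("https://guest.example.org/portal/", "http://guest.example.org/portal/"):
        print(url, check_portal_redirect(url, SAN_DNS, CN))
```

With the sample data the audit reports sponsor.example.org as uncovered, and the plain-http redirect is flagged even though its host is in the SAN. The script checks names only: a certificate that Chrome accepts but the Android captive-portal sign-in component rejects (the situation John describes) points at the served chain or the device's trust store rather than at the names, so also confirm that the ISE node sends the intermediate, for example with `openssl s_client -connect <portal-fqdn>:443 -showcerts`.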
