ISE 2.2 integration error with SMS Gateway Clickatell

MICHAEL HORNE
Level 1

Hi,

I am trying to integrate ISE 2.2 with the SMS gateway from Clickatell.  Unfortunately I have not had any success. I found some guides here on the community, but they have not helped. I want to set up a 1-way integration via HTTPS GET.

Pasting the required URL into a web browser works fine, but it is not working from the ISE. The problem does not seem to be a URL problem, but a certificate problem.

When I try and send a notification from the Sponsor portal I get an error.

sponsor.PNG

When I manually try to send a test SMS from the Guest account type page I get a more detailed error:

error.PNG

When I take a look at the traffic on the proxy I can see that the Server is sending its certificate back and I can see the serial number of the CA certificate that signed it.

ca cert.PNG

The serial number of the CA certificate that signed the server certificate matches what is in the Trusted Certificate store of the ISE.

Trusted cert.PNG

The next thing I see in my packet trace is the ISE reporting an error back to the server: "Certificate Unknown".

wireshark.PNG

If anyone has any idea what might be going wrong, it would be appreciated.
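
The "Certificate Unknown" message seen in the packet trace is a TLS alert record. As an added example (not part of the original post and not Cisco's code), this decoder reads the alert level and description from raw record bytes exported from a capture, so that `certificate_unknown` (46) can be told apart from `unknown_ca` (48); implementations differ in which of the two they send. The sample bytes are constructed.

```python
import struct

# Certificate-related alert descriptions from RFC 5246, section 7.2.
ALERT_DESCRIPTIONS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPE_ALERT = 21


def parse_tls_alerts(data: bytes):
    """Walk a byte stream of TLS records and return every plaintext alert found."""
    alerts = []
    offset = 0
    while offset + 5 <= len(data):
        content_type, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        body = data[offset + 5 : offset + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record at offset %d" % offset)
        # A plaintext alert body is exactly two bytes: level, description.
        # Alerts sent after ChangeCipherSpec are encrypted and longer; skip them.
        if content_type == CONTENT_TYPE_ALERT and length == 2:
            level, desc = body
            alerts.append({
                "version": (major, minor),
                "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
                "description": ALERT_DESCRIPTIONS.get(desc, "other(%d)" % desc),
            })
        offset += 5 + length
    return alerts


# Constructed sample: a TLS 1.2 record carrying a fatal certificate_unknown alert,
# the kind of record a client sends when it rejects the server certificate.
SAMPLE = bytes.fromhex("1503030002022e")
# Constructed sample: the same record with description 48 (unknown_ca).
SAMPLE_UNKNOWN_CA = bytes.fromhex("15030300020230")

if __name__ == "__main__":
    for record in (SAMPLE, SAMPLE_UNKNOWN_CA):
        print(parse_tls_alerts(record))
```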

Accepted Solutions

Please make sure to import the clickatell.com SSL certificate into the Trusted Certificates in ISE and trust it for

[v]

Screen Shot 2018-03-14 at 3.13.16 PM.png

That worked for me, after I changed our test Clickatell URL from HTTP to HTTPS. I downloaded the clickatell.com certificate by putting the HTTPS URL in Firefox and exporting it from the browser.

HTH

17 Replies

Arne Bier
VIP

Just a stab in the dark - if you can inspect the Clickatell server certificate and then make sure that you have ALL the CA certs in the chain (including Root CA and all possible intermediates) installed in ISE under Trusted Certs.

Hi,

I have made sure that the CA and Intermediate CA certificates are trusted certificates. I have confirmed that the serial numbers and thumbprints of the CA certificates sent by the server as part of the Certificate handshake are the same as the ones in the Trusted Certificate store.

Do you know of any way of checking any logs that might help identify more about the issue?

Many thanks,

Seems like this doc might help you out? If not, I would recommend troubleshooting with the TAC. There is specific information there about the certificate and calls.

ISE Guest SMS with Twilio and clickatell update 2017

Hi,

I have already looked at this document, but it did not help. It seems that this refers to an early API for Clickatell. The document refers to api.clickatell.com and the documentation on Clickatell refers to "Platform.clickatell.com".

I have tried to follow this as closely as possible only changing what is clearly different, but it did not help.

Do you know any debugging or logs that would be helpful for troubleshooting?

Many thanks,

Correct, we use the API method. I have ISE 2.3 working with this type of account. You might need to speak to them about getting an account using it this way.

Otherwise I would recommend speaking to them on how to work with their newer method; this might need some updated documentation and troubleshooting with a TAC case and getting Clickatell engaged.

I wrote up some stuff with my own SMS Gateway experiences.  ISE SMS Gateway - Easy Config for MessageMedia

I was trawling the guest log - maybe that will help?   I didn't enable debugs - but that file helped me a bit

Hi,

I looked at your document. Most of the steps I have already done. We have checked the proxy and from a browser and it works fine. Just from the ISE the problem exists. You did help me with log files I can check.

There is a proxy in between as well? Is it possible to remove that?

Hi,

There is a proxy, but it is not doing SSL interception. The certificates from the real server are being passed back to the Cisco ISE.

It might be CSCvd34602. If not and if no TAC case yet, please engage Cisco TAC to troubleshoot further.

Please let us know so we can add to our braintrust.

Hi,

I requested to discuss with Clickatell support, but got no response from them.

I do not have the right service contract to open up the Cisco TAC directly. I am still trying to locate someone within our organisation that can open a case for me.

Hi,

I did try putting an explicit text message to make sure the data part was not empty, but this did not help:

text.png
