03-01-2018 10:25 AM
Hi,
I am trying to integrate ISE 2.2 with the SMS gateway from Clickatell. Unfortunately I have not had any success. I found some guides here on the community, but they have not helped. I want to set up a 1-way integration via HTTPS GET.
Pasting the required URL into a web browser works fine, but it is not working from the ISE. The problem does not seem to be a URL problem, but a certificate problem.
When I try to send a notification from the Sponsor portal I get an error.
When I manually try to send a test SMS from the Guest account type page I get a more detailed error:
When I take a look at the traffic on the proxy I can see that the Server is sending its certificate back and I can see the serial number of the CA certificate that signed it.
The serial number of the CA certificate that signed the server certificate matches what is in the Trusted Certificate store of the ISE.
The next thing I see in my packet trace is the ISE reporting an error back to the server: "Certificate Unknown".
If anyone has any idea what might be going wrong, it would be appreciated.
03-14-2018 03:15 PM
Please make sure to import the clickatell.com SSL certificate into the Trusted Certificates in ISE and trust it for
[v]
That worked for me, after I changed our test Clickatell URL from HTTP to HTTPS. I downloaded the clickatell.com certificate by putting the HTTPS URL in Firefox and exporting it from the browser.
HTH
03-01-2018 02:31 PM
Just a stab in the dark - if you can, inspect the Clickatell server certificate and then make sure that you have ALL the CA certs in the chain (including Root CA and all possible intermediates) installed in ISE under Trusted Certs.
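Added example, not part of any reply in this thread: a local OpenSSL model of the chain check suggested above. It builds a constructed root, intermediate and leaf (all names and file names are made up) and reports when `openssl verify` accepts the leaf; it shows OpenSSL's chain building, not ISE's own validation code.

```sh
#!/bin/sh
# Constructed lab PKI (all names are made up): root CA -> intermediate CA -> server leaf.
set -eu

build_chain() {  # build_chain <dir>: writes root.pem, int.pem and leaf.pem into <dir>
  d=$1
  # Self-signed root (CA:TRUE comes from OpenSSL's default req configuration).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root and explicitly marked as a CA.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Lab Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  # Server certificate, signed by the intermediate.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sms.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  # Trust bundle holding both CA certificates.
  cat "$d/root.pem" "$d/int.pem" > "$d/root+int.pem"
}

# check_trust <trusted.pem> <leaf.pem> [intermediates-sent-by-server.pem]
# Prints "trusted" if a chain from the leaf to a trusted self-signed root can be built.
check_trust() {
  if openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

lab=$(mktemp -d)
build_chain "$lab"
echo "root trusted, server sends leaf only : $(check_trust "$lab/root.pem" "$lab/leaf.pem")"
echo "root trusted, server sends leaf+int  : $(check_trust "$lab/root.pem" "$lab/leaf.pem" "$lab/int.pem")"
echo "root+int trusted, leaf only          : $(check_trust "$lab/root+int.pem" "$lab/leaf.pem")"
echo "int trusted but root missing         : $(check_trust "$lab/int.pem" "$lab/leaf.pem")"
```

To run the same check against a real gateway, save the certificates exported from the trust store and the chain the server presents as PEM files and pass them to `check_trust` in place of the lab files.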
03-02-2018 12:34 AM
Hi,
I have made sure that the CA and Intermediate CA certificates are trusted certificates. I have confirmed that the serial numbers and thumbprints of the CA certificates sent by the server as part of the Certificate handshake are the same as the ones in the Trusted Certificate store.
Do you know of any way of checking any logs that might help identify more about the issue?
Many thanks,
03-02-2018 12:42 AM
Seems like this doc might help you out? If not, I would recommend troubleshooting with the TAC. There is specific information there about the certificate and calls.
03-02-2018 12:59 AM
Hi,
I have already looked at this document, but it did not help. It seems that this refers to an early API for Clickatell. The document refers to api.clickatell.com and the documentation on Clickatell refers to "Platform.clickatell.com".
I have tried to follow this as closely as possible only changing what is clearly different, but it did not help.
Do you know any debugging or logs that would be helpful for troubleshooting?
Many thanks,
03-02-2018 01:08 AM
Correct, we use the API method. I have ISE 2.3 working with this type of account. You might need to speak to them about getting an account using it this way.
Otherwise I would recommend speaking to them on how to work with their newer method; this might need some updated documentation and troubleshooting with a TAC case and getting Clickatell engaged.
03-02-2018 01:04 AM
I wrote up some stuff with my own SMS Gateway experiences. ISE SMS Gateway - Easy Config for MessageMedia
I was trawling the guest log - maybe that will help? I didn't enable debugs - but that file helped me a bit
03-02-2018 02:06 AM
Hi,
I looked at your document. Most of the steps I have already done. We have checked the proxy and from a browser and it works fine. Just from the ISE the problem exists. You did help me with log files I can check.
03-02-2018 02:15 AM
There is a proxy in between as well? Is it possible to remove that?
03-02-2018 02:17 AM
Hi,
There is a proxy, but it is not doing SSL interception. The certificates from the real server are being passed back to the Cisco ISE.
03-12-2018 10:47 AM
It might be CSCvd34602. If not and if no TAC case yet, please engage Cisco TAC to troubleshoot further.
03-12-2018 04:19 PM
Please let us know so we can add to our braintrust
03-13-2018 12:39 AM
Hi,
I requested to discuss with Clickatell support, but got no response from them.
I do not have the right service contract to open up the Cisco TAC directly. I am still trying to locate someone within our organisation that can open a case for me.
03-13-2018 12:50 AM
Hi,
I did try putting explicit text message to make sure the data part was not empty, but this did not help: