11-14-2022 03:49 AM
Hi Guys,
I have a customer who is wanting to set up Guest and Sponsor Portals on their ISE (2.4 Patch 8). Both portals are configured to use the same Certificate Group Tag, the certificate is signed by Entrust and configured for Portal usage.
The guest portal is configured to use port 8443 on Gig 2.
The sponsor portal is configured to use port 8443 on Gig 0 and using an FQDN (internal DNS servers have been updated to resolve the ISE IP).
When a wireless client accesses the guest portal, everything works fine. However, when a client accesses the sponsor portal from the internal network, the ISE is presenting its admin certificate rather than the Entrust one. As such, the client receives a certificate warning.
It's as if the ISE is ignoring the certificate group tag that it's been configured with.
Any idea on how to resolve this issue please?
Thanks
Scott
11-14-2022 06:10 AM
Yup really common issue on ISE. I usually put the sponsor portal URL as a SAN name in the admin certificate since ISE does a very strange redirection to the sponsor portal. It connects to standard HTTPS/443 first which uses the admin certificate.
11-14-2022 07:29 AM
Thanks for the reply.
So based on what you have said, I can create a self-signed certificate, add the FQDN of the sponsor portal into the SAN and tick the admin usage box. Do I also need to tick the portal usage box?
11-14-2022 07:50 AM
11-14-2022 08:08 AM
Yes, the admin portal is currently using a cert signed by their private CA.
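The behaviour described in the reply above (the first connection lands on HTTPS/443 with the admin certificate before port 8443 serves the portal certificate) can be checked per hop. This is an added example, not part of the thread or Cisco code; the hostnames and SAN lists are constructed placeholders, and it checks name matching only, not whether the client trusts the issuing CA.

```python
"""Added example: find which hop of the sponsor-portal flow causes a name-mismatch warning."""


def san_matches(hostname, san_dns_names):
    """Name check as browsers do it: exact match, or '*' as the whole left-most label."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            # A wildcard covers exactly one label, never the bare domain.
            head, _, rest = host.partition(".")
            if head and rest == pattern[2:]:
                return True
    return False


def warning_hops(fqdn, hops):
    """hops: ordered (port, certificate role, SAN dNSName list) tuples.

    Returns the hops where the certificate presented does not cover fqdn."""
    return [(port, role) for port, role, sans in hops if not san_matches(fqdn, sans)]


# Constructed sample values (assumptions, not taken from the thread).
SPONSOR_FQDN = "sponsor.example.com"
PORTAL_SANS = ["sponsor.example.com", "guest.example.com"]   # portal-usage certificate
ADMIN_SANS_BEFORE = ["ise01.example.com"]                    # admin certificate as issued
ADMIN_SANS_AFTER = ADMIN_SANS_BEFORE + [SPONSOR_FQDN]        # reissued with the portal FQDN


def flow(admin_sans):
    """The two hops described in the reply: 443 (admin cert), then 8443 (portal cert)."""
    return [(443, "admin", admin_sans), (8443, "portal", PORTAL_SANS)]


if __name__ == "__main__":
    for label, sans in (("before", ADMIN_SANS_BEFORE), ("after", ADMIN_SANS_AFTER)):
        print(label, "hops with a name mismatch:", warning_hops(SPONSOR_FQDN, flow(sans)))
```

The SAN lists can be read from the certificate details in ISE or from the certificate each port actually presents.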