cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2341
Views
35
Helpful
11
Replies
Highlighted
Beginner

ISE 2.6 patch 2 not sending certificate chain to guest portal clients

Good evening.

 

I have a problem similar to CSCvp75207 - "2.4 P8/P9 Certificate chain does not get imported to Patch 8 and Patch 9"

The ISE appliance (3695) running 2.6.0.156 with patch 1 and 2 doesn't transfer the complete certificate chain to the clients, even though the installed portal certificate was complete with root and intermediate certificates.

 

I have mapped the root and intermediate certificate trust, but still the complete chain isn't sent.

Anyone using the same platform and has found a working solution?

 

Sincere Regards

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Beginner

Hi mate,

 

I have this experience before that the whole chain doesn't work after install of guest cert.

What I did was to reboot the ISE box.

Though guest certs doesn't require you to reload it, it seemed to have worked only after I restarted ISE.

Thanks.

 

Cheers,


Raffy

View solution in original post

11 REPLIES 11
Highlighted
Beginner

Hi mate,

 

I have this experience before that the whole chain doesn't work after install of guest cert.

What I did was to reboot the ISE box.

Though guest certs doesn't require you to reload it, it seemed to have worked only after I restarted ISE.

Thanks.

 

Cheers,


Raffy

View solution in original post

Highlighted

Thanks Raffy.

 

Very strange. I had started and stopped ISE service, but the trust mappings in the root and intermediate certificate didn't take effect until the servers had been rebooted.

Installing the certificate and rebooting isn't enough. You must check the box for "Trust for certificate based admin authentication" for each root and intermediate certificate before rebooting.

 

Well If any Cisco Employees read this please note that ISE is affected of the same bug as mentioned in CSCvp75207.

As I understand in release 2.4 a patch 9 is scheduled, and I really hope for a third patch for 2.6 release.

Mapping all these certificate trusts seems to be a strange security implementation...

Highlighted

If anyone is still follows this thread.

I rebooted the servers last week and everything seemed OK, but suddenly I noticed that the Radius live log and Live sesions are stating "No data found"

ISE Radius live log w no data.PNGI have rebooted all servers again, and all gueest authenication and CoA is working properly.but still the Radius Live log is not displaying ANY data!

Deployment status is still OKISE Deployment status.PNG

Somehow these logging windows are not presenting any data, but authentication details can be obtained from the Metrics window at the Home screen.ISE Active endpoints authentication detail.PNG

Highlighted

Hi mate, 

 

that should be a bug right there.

I had similar experience with no live logs back when i was running 2.2

Cisco TAC contacted developers and they had to do root access to ISE vault and somehow cleared the database.

They will provide you the steps on how to generate key for that root access to ISE.

Just raise a high priority case with TAC.

 

cheers,

 

Raffy

 

Highlighted

Hi mate,

 

Btw, i remembered they asked me to clear cache on browser.

Relaunch the browser after that.

Also, ISE works best only on mozilla.

See if this works for you.

If not, then try to raise with TAC as I mentioned on my prev post.

 

cheers,

 

Raffy

Highlighted

Hi Raffy.

 

Thanks for your advise, but clearing the cache didn't help a bit.

Actually the page is blank in the data fields until the output "no data available" is shown.

Also I tried anothe browser and another station. Same issue.

- I found this bug on 2.6: CSCvo80516 - ISE 2.6 LiveLogs not seen and false Health Status is Unavailable alarm

 

 

I have opened a TAC case for the initial error, but have also found another bug - "Queue Link Error" (CSCvp45528)

I'll post whatever outcome of this TAC case. (opened on monday, but no action yet)

 

Regards

Highlighted

Hi @Mats Nilson 

 

I was about to advise a customer to patch their new ISE 2.6 deployment and looks like patch 2 is a bad idea?  What I don't understand is why a reboot fixes this issue, since applying a patch will result in a reboot anyway.  So it's a reboot after a reboot?

 

Queue Link error is present in the vanilla version of ISE 2.6 - I regenerated the internal CA store in ISE to try stop that error. I have not checked in recently to see whether it's fixed.

 

Highlighted

Hi Arne.

 

I must clarify.

The portal certificate complete with the chain was installed before the both patch 1 and 2.

Reboot didn't solve this issue alone.

I had to mark trust for authentication within ISE for both root and intermediate certificate AND then reboot.

Stopping ISE service didn't help. Only Reboot efter changing trust.

 

You say regenerating internal CA store should fix the Queue Link Error?

Haven't done that before - do you have any guidelines?

I don't wast to mess up this installation any more than today... ;-)

 

Sincere Regards

Highlighted

Hi @Mats Nilson 

 

The Queue Link Error was caused due to a bug

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp45528/?rfs=iqvred

Relating to the internal CA cert. The recommended fix was to re-generate the internal CA structure. Non service impacting, assuming that the ISE does not use internal CA (for BYOD)

 

It seems to have fixed the issue in my customer's ISE 2.6 (no patch applied).

 

regards

Arne

Highlighted

Having replaced the Root CA cert many times in the past without issue, I will now hesitate slightly before clicking the button. Last I managed to kill my 2.4 p9 lab deployment regenerating the root ca cert, the deployment partially stopped communicating with the PAN.

I would just do it under a change management ticket just in case ;)
Highlighted
Beginner

Hello,

 

I had the same problem, but on VPN with Posture.

The System Scan always failed because ISE did not sent the whole cert chain.

The workaround is to edit each ISE Trust Certificate that is used in the trust chain of an active ISE System Certificate, and check the "Trust for certificate based admin authentication" check box, as it is said in the bug CSCvp75207.

After that i had to reboot the PSN.

 

Regards,

Norbert