ISE 3.1 SAML Azure AD Guest Portal Certificate Warning

RaviCepheid · ‎11-10-2023

I am getting the certificate warning once the guest portal redirection pointing to SAML Azure AD (login.microsoft.com) saying that verify the identity of the server login.microsoft.com and I can see WLC controller certificate present. I would like to understand the flow/handoff for SAML authentications from ISE Guest portal to Azure AD SAML single sign-on. I know the browser will have SAML token request to Azure AD and not transparent to ISE. We are using public signed certs on ISE guest portal for the ISE certificate warnings. What we are seeing the server certificate warning of WLC controller for login.microsoft.com. Is this the expected behavior and and how do we fix it? Shall we raise a PKI CSR for WlC controllers signed by public CA and install root CA under trusted pool or under ISE application configuration on Azure AD, there is a certificate tab where we can install the public CA go-daddy root CA.

Greg Gibbs · ‎11-12-2023

The WLC should be configured for Central Web Auth using an Open SSID, so there should be no certificate presented by the WLC to the client. I would think the WLC would only present a certificate to the client if the SSID were configured to use Local Web Auth. The basic SAML flow should look something like this.

I would suggest reviewing your WLC configuration against the example in the ISE Guest Access Prescriptive Deployment Guide.

You can also find an example of using Entra ID (formerly Azure AD) as an external identity store for a Guest/BYOD portal flow here.

ISE BYOD Flow Using Azure AD

SaschaS15 · ‎10-15-2024

I also have configured a SSID with web authentication over a ISE Guest Portal. Therfore I have also configured a SAML authentication over the Entra AD. The inital workflow works.

1. I can successful connect to the SSID.

2. The device will be redirected to guest portal on the ISE.

3. When I click on the employee Button the Microsoft authentication with MFA start.

4. After the MFA process is confirmed I will be redirected an receive a certificate warning message.

5. When I check the certificate I will see a certificate form the WLC, but WebAuth on the WLC is not used.

Did anybody have a answer of the issue?

Greg Gibbs · ‎10-15-2024

Have a look at how you've configured your redirect ACL on the WLC. You might be running into the issue as described in this document.
Configure Central Web Authentication (CWA) on Catalyst 9800 WLC and ISE

"Note: If you end the ACL with a permit ip any any instead of a permit focused on port 80, the WLC also redirects HTTPS, which is often undesirable as it has to provide its own certificate and always creates a certificate violation. This is the exception to the previous statement that says you do not need a certificate on the WLC in case of CWA: you need one if you have HTTPS interception enabled but it is never considered valid anyway."

SaschaS15 · ‎10-20-2024

Hi Gibbs,

thanks for your answer, I used the ACL (including the HTTP ACL) from the manual ISE BYOD Flow Using Entra ID - Cisco Community from you. But you are right, I had to enlarge the HTTP ACL.

After changing the http acl it was working, but unfortunately only sometimes! On some devices I get a certificate warning message even though the http url are added to the acl. I think there is any bug in the firmware.

I have implement this process on our AirOS deployment with 5520, the SSID works central switched over a anchor controller. I know, I have to move to the 9800 controller, but at the moment it is a issue of the amount of time.