cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
705
Views
5
Helpful
2
Replies

ISE Certificate Question: LWA to CWA

psullivan1984
Level 1
Level 1

Looking to move from LWA to CWA for wireless guest access.

Have a separate DNS appliance with a subdomain it’s authoritative for: guest.example.com

On the certificate side, we have a CN=ise.example.com and SAN=ise.example.com and *.example.com used currently for Admin, Portal, and PxGrid.

Question I have is: since I need an A record for the portal, should I generate new certificates with CN=portal.guest.example.com, SAN=portal.guest.example.com and *.guest.example.com? Or am I totally in the wrong direction?

 

Identity Services Engine (ISE), LWA, CWA, certificates, portal, wildsan

1 Accepted Solution

Accepted Solutions

bern81
Level 1
Level 1

Yes you need a new certificate otherwise it will pop an error when you get redirected to the guest portal page because the FQDN

of the Guest Portal does not have any SAN field matching it.

In your situation better to use a wildcard certificate as you mentioned for the domain guest.example.com.

Also as word of advise use a third party public certificate (like from verisign, digicert ...) as now most mobile phones browsers like google chrome and apple safari will not open the guest protal if the CA that signed the Cert is unknown (it will not even allow you

to add an exception like you can do in firefox).

I hope this helped.

 

Please rate if this answer was helpfull.

View solution in original post

2 Replies 2

hslai
Cisco Employee
Cisco Employee

If you intend to have sites under guest.example.com, such as portal.guest.example.com, site1.guest.example.com, site2.guest.example.com, etc., then you are correct about the need for new certificate(s) as these portal sites have DNS FQDNs not covered by the the existing certificate(s).

bern81
Level 1
Level 1

Yes you need a new certificate otherwise it will pop an error when you get redirected to the guest portal page because the FQDN

of the Guest Portal does not have any SAN field matching it.

In your situation better to use a wildcard certificate as you mentioned for the domain guest.example.com.

Also as word of advise use a third party public certificate (like from verisign, digicert ...) as now most mobile phones browsers like google chrome and apple safari will not open the guest protal if the CA that signed the Cert is unknown (it will not even allow you

to add an exception like you can do in firefox).

I hope this helped.

 

Please rate if this answer was helpfull.