
ISE Certificate Question: LWA to CWA

psullivan1984
Level 1

Looking to move from LWA to CWA for wireless guest access.

Have a separate DNS appliance with a subdomain it’s authoritative for: guest.example.com

On the certificate side, we have a CN=ise.example.com and SAN=ise.example.com and *.example.com used currently for Admin, Portal, and PxGrid.

The question I have is: since I need an A record for the portal, should I generate new certificates with CN=portal.guest.example.com, SAN=portal.guest.example.com and *.guest.example.com? Or am I totally in the wrong direction?

 

Identity Services Engine (ISE), LWA, CWA, certificates, portal, wildsan

Accepted Solution

bern81
Level 1

Yes, you need a new certificate; otherwise it will pop an error when you get redirected to the guest portal page, because the FQDN of the Guest Portal does not have any SAN field matching it.

In your situation it is better to use a wildcard certificate, as you mentioned, for the domain guest.example.com.

Also, as a word of advice, use a third-party public certificate (like from VeriSign, DigiCert, ...) as now most mobile phone browsers like Google Chrome and Apple Safari will not open the guest portal if the CA that signed the cert is unknown (they will not even allow you to add an exception like you can do in Firefox).

I hope this helped.

 

Please rate if this answer was helpful.


2 Replies

hslai
Cisco Employee

If you intend to have sites under guest.example.com, such as portal.guest.example.com, site1.guest.example.com, site2.guest.example.com, etc., then you are correct about the need for new certificate(s), as these portal sites have DNS FQDNs not covered by the existing certificate(s).
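As an added example (not part of this thread and not Cisco or ISE tooling), here is a small Python check that applies the hostname-matching rules browsers use (RFC 6125) to the SAN lists discussed in the question and in both replies above. The point it makes concrete: a wildcard stands for exactly one left-most DNS label, so the existing *.example.com entry does not cover portal.guest.example.com, while the proposed *.guest.example.com covers portal.guest.example.com and site1.guest.example.com but not ise.example.com. The SAN lists and hostnames are taken from the thread; the function names and the sample host list are my own.

```python
"""Added example: does a certificate's SAN list cover a guest-portal FQDN?

Applies the RFC 6125 dNSName matching rules that browsers use:
  * comparison is case-insensitive and ignores a trailing dot,
  * when a SAN extension is present the CN is ignored (so only SANs are checked),
  * a '*' wildcard matches exactly one left-most label, never a dot, and
    never zero labels (so '*.example.com' does not match 'example.com').
"""
from typing import Dict, Iterable


def match_san_entry(pattern: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry matches the hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    if not pattern.startswith("*."):
        # Plain entry: must match the full name exactly.
        return pattern == hostname

    # Wildcard entry: '*.example.com' -> suffix '.example.com'.
    suffix = pattern[1:]
    if not hostname.endswith(suffix):
        return False
    # Whatever precedes the suffix must be exactly one non-empty label.
    first_label = hostname[: -len(suffix)]
    return first_label != "" and "." not in first_label


def san_covers(sans: Iterable[str], hostname: str) -> bool:
    """Return True if any SAN entry in the certificate matches the hostname."""
    return any(match_san_entry(entry, hostname) for entry in sans)


def coverage_report(sans: Iterable[str], hostnames: Iterable[str]) -> Dict[str, bool]:
    """Map each hostname to whether the given SAN list covers it."""
    sans = list(sans)
    return {host: san_covers(sans, host) for host in hostnames}


# SAN lists from the question: the certificate in use today, and the one proposed.
CURRENT_CERT_SANS = ["ise.example.com", "*.example.com"]
PROPOSED_CERT_SANS = ["portal.guest.example.com", "*.guest.example.com"]

# Constructed sample of hostnames a guest could be redirected to (from the thread),
# plus the bare zone apex to show that a wildcard never matches zero labels.
SAMPLE_HOSTS = [
    "ise.example.com",
    "portal.guest.example.com",
    "site1.guest.example.com",
    "example.com",
]


if __name__ == "__main__":
    for label, sans in (("current", CURRENT_CERT_SANS), ("proposed", PROPOSED_CERT_SANS)):
        print(f"{label} certificate SANs: {sans}")
        for host, ok in coverage_report(sans, SAMPLE_HOSTS).items():
            print(f"  {host:28s} {'covered' if ok else 'NOT covered'}")
```

Running the script shows that the current certificate covers only ise.example.com, and the proposed guest.example.com wildcard covers every portal site under that subdomain without overlapping the existing ISE admin/pxGrid certificate. Note that this check says nothing about whether the client trusts the issuing CA, which is the separate point about public CAs on guest devices made in the accepted answer.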
