ISE Domain Issue

Davion Stewart
Level 1

Good day, 

 

Requirement: Public certificate needed for use with ISE guest portal to be able to securely authenticate users outside of the enterprise. This is so that users can trust the portal page and not get certificate errors and other issues associated with using an untrusted certificate. 

 

Setup: ISE 2.1 being used with WLC 5520 8.5 code. CWA being used between the ISE and WLC. Users go through Guest SSID and get redirected to Guest portal. 

Internal users authenticate to ISE using 802.1X (EAP-PEAP)

 

Problem:

The internal domain is mycompany.com. ISE has joined this domain. Internal users are on this domain. The external domain is exmycompany.com.

Unfortunately, the internal domain has already been taken by another organisation. 

Therefore if we try generating a CSR from ISE, it uses the FQDN of ISE which uses the internal domain and therefore the domain (and by extension the certificate) cannot be verified.

A solution is required where we can authenticate both internal and external users securely.

 

Question:

Using an application like OpenSSL to create a CSR using the domain as exmycompany.com and any other required SAN names:

1. Once the necessary DNS zone is created on the domain controller for exmycompany.com to reflect the required domain names, can it be uploaded to the ISE System Certificate store and selected for only Portal Management even though the ISE is in a different domain?

2. Once this is done, can an Authorization Profile be configured to send the redirect URL as ISE.exmycompany.com using the static ip/host option?

 

Therefore, in the end what is required is that when the user connects to the SSID and is redirected, the ISE will send the redirect URL as ISE.exmycompany.com and then when the guest user device is validating the certificate, it will confirm that the URL is valid based on the trusted cert. The name will be resolved in DNS and take you to the ISE portal page.

Internal users will use the internal cert signed via the enterprise's internal CA which uses the mycompany.com domain. The internal cert will be assigned to all other ISE services required. (Admin, EAP authentication).

 

Let me know if this is possible, or if there are any plausible solutions.

 

Thanks

3 Replies

Francesco Molino
VIP Alumni

Hi

 

You can generate a CSR using openssl and, once the certificate is signed, you can import the private key and certificate into ISE and assign it to a portal group name. Then all the guest portals you want to use this certificate must be linked to that group.

You can also generate a CSR from ISE by replacing the FQDN with the FQDN you want. It will say you entered a bad FQDN, but you can validate to move forward.

Adding this certificate won't impact any actual authentication because it will be linked only to a portal group.

Is the portal attached to a dedicated interface? If so, you can add the command ip host with the new FQDN and the portal dedicated interface IP to automatically force ISE to return that FQDN to your guest users. Otherwise, you can specify, on your authorization profile, a static FQDN that your guest users must be able to resolve. Be careful though if you have many PSNs: if you assign many IPs to one FQDN on your DNS, users will resolve this FQDN against your DNS server, which will do a round robin, and guest won't work. In that case, you can configure the ip host (different FQDN per node) and ISE will automatically manage which one to return to your users. Or you can use a LB if you have any.

 

Again, all this process won't impact your internal users and their authentication. The only impact is if you add the ip host for a dedicated interface, because it will restart ISE services.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
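As an added illustration of the OpenSSL route discussed in the question and in the reply above (this is not code from the thread or from Cisco): a CSR whose CN and DNS SANs carry the public portal name ISE.exmycompany.com rather than the node's internal mycompany.com FQDN, plus a pre-submission check. The portal hostnames are the thread's; the organisation fields and the second SAN are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build an OpenSSL CSR for the ISE guest
# portal using the public domain exmycompany.com, then verify it before
# sending it to the public CA. Requires the openssl CLI.
set -eu

PORTAL_FQDN="ISE.exmycompany.com"          # redirect FQDN from the thread
WORKDIR="${WORKDIR:-$(mktemp -d)}"         # key and CSR land here

# OpenSSL config: the portal name goes in the CN and in the SAN list.
# Modern browsers match the URL against the SANs, not the CN, so every
# name the redirect may use must appear under alt_names.
write_portal_cnf() {
    cat > "$WORKDIR/portal.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = $PORTAL_FQDN
O = Example Organisation
C = US
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $PORTAL_FQDN
DNS.2 = guest.exmycompany.com
EOF
}

# Generate a 2048-bit RSA key and the CSR. The key never leaves this host;
# it is imported into ISE together with the CA-signed certificate.
make_portal_csr() {
    write_portal_cnf
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/portal.key" -out "$WORKDIR/portal.csr" \
        -config "$WORKDIR/portal.cnf" 2>/dev/null
    chmod 600 "$WORKDIR/portal.key"
}

# Returns 0 if the CSR carries the given DNS SAN. Use it to confirm the
# public name is present and that no internal-domain name slipped in.
csr_has_dns_san() {
    openssl req -in "$WORKDIR/portal.csr" -noout -text | grep -qF "DNS:$1"
}

# Returns 0 if the CSR subject CN is the given FQDN.
csr_subject_cn_is() {
    openssl req -in "$WORKDIR/portal.csr" -noout -subject | grep -q "CN *= *$1"
}
```

Call make_portal_csr, then run the two checks before uploading portal.csr to the CA; the key in portal.key is what you import into ISE with the signed certificate.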

Peter Koltl
Level 7

You can fill in ISE.exmycompany.com as the CN FQDN when generating the CSR in the ISE GUI, so you need not use openssl.

 

The guest portal shows the same certificate to both internal and external clients, so it should be universal, I mean a commercial certificate (trusted by everyone). You can assign this certificate to the Default Portal (all portals) or even to one portal with a specific portal tag, while using enterprise ISE certificates for other EAP or Admin purposes.

 

The redirect URL should use the static FQDN ISE.exmycompany.com.

Good morning all,
Thanks a lot for the reply, guys.
I am working to implement the solution and will let you know my findings.