06-27-2019 11:17 PM
Hi Experts,
I am deploying a guest and BYOD solution for a customer, and the customer has given me a certificate for the portal which is signed by a sub CA.
Now the sub CA is not available on the endpoints; however, the root CA cert is available on all the endpoints.
When a guest or BYOD user connects to the portal they get a certificate error because ISE sends the certificate of the portal only.
Thus, in order to get rid of the certificate error, can ISE be configured in such a way that ISE will send the portal certificate with the root or sub CA or the CA chain?
Regards,
Jay
06-27-2019 11:51 PM
Hi Jay
Have you already installed the entire CA cert chain in your ISE nodes? I thought that ISE always returns the entire CA cert chain if the client requests it. This is the part I am vague on. I think if the client doesn't have the entire chain then it's up to the client to request this from the server.
06-28-2019 07:37 AM
I had this issue after upgrading from 2.4 patch 6 to patch 8. TAC was able to direct me to CSCvp75207. I added trust for certificate-based admin authentication to the root and intermediate CA that signed the guest portal cert, rebooted the server (standalone lab) and my portals started sending the full chain.
06-28-2019 12:16 AM
Yes, I did import the entire CA chain in ISE; however, when users connect to the Guest portal they get the error "cert cannot be validated".
07-03-2019 11:52 PM
Hi,
I have the same/similar issue with a public guest portal. Trying the workarounds described in CSCut26025 and CSCvp75207 only partially solved it for me, because Windows and Apple devices trust the cert, but Android devices do not. Checking with openssl (i.e. .\openssl.exe s_client -showcerts -connect website.domain.name:port) shows that ISE no longer delivers the certificate chain (in my case with two different ISE installations). The chain was fully provided/sent by ISE with 2.4 Patch 6 but stopped working with Patch 8 (needed to roll back, then everything worked as expected again), and I also tested in a lab environment with ISE 2.6 Patch 1 (same result). Here is my discussion about that: https://community.cisco.com/t5/cisco-bug-discussions/cscut26025-doc-ise-certificate-chain-is-not-being-send-till/td-p/3879470
Regards
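The openssl s_client -showcerts check above is the quickest way to see what the portal actually sends. As an added example (not code from the thread or from Cisco), the script below parses the "Certificate chain" section of that output and reports any issuer the client would have to resolve that the server neither sent nor the endpoint already trusts; the sample outputs, CA names and root store are constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed `openssl s_client -showcerts` excerpts (PEM bodies elided), not real
# output from the ISE nodes discussed in this thread.
BROKEN_CHAIN = """\
Certificate chain
 0 s:CN = guest.example.com
   i:CN = Example Sub CA
-----BEGIN CERTIFICATE-----
(PEM body elided)
-----END CERTIFICATE-----
---
"""
FULL_CHAIN = """\
Certificate chain
 0 s:CN = guest.example.com
   i:CN = Example Sub CA
-----BEGIN CERTIFICATE-----
(PEM body elided)
-----END CERTIFICATE-----
 1 s:CN = Example Sub CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
(PEM body elided)
-----END CERTIFICATE-----
---
"""

# Each chain entry is a " N s:<subject>" line followed by an "   i:<issuer>" line.
CHAIN_ENTRY = re.compile(r"^\s*\d+ s:(.+)\n\s*i:(.+)$", re.MULTILINE)

def parse_chain(showcerts_output: str) -> List[Dict[str, str]]:
    """Subject/issuer of each certificate, in the order the server presented them."""
    return [{"subject": s.strip(), "issuer": i.strip()}
            for s, i in CHAIN_ENTRY.findall(showcerts_output)]

def missing_intermediates(chain: List[Dict[str, str]], trusted_roots: Set[str]) -> List[str]:
    """Issuers a client must resolve that were neither sent nor pre-trusted.
    trusted_roots holds subjects already in the endpoint's root store (the thread's
    case: root CA present on endpoints, sub CA absent)."""
    sent = {c["subject"] for c in chain}
    return [c["issuer"] for c in chain
            if c["issuer"] != c["subject"]          # self-signed root, nothing above it
            and c["issuer"] not in sent
            and c["issuer"] not in trusted_roots]

if __name__ == "__main__":
    roots = {"CN = Example Root CA"}
    print("leaf only :", missing_intermediates(parse_chain(BROKEN_CHAIN), roots))
    print("full chain:", missing_intermediates(parse_chain(FULL_CHAIN), roots))
```

A non-empty result is exactly the situation the thread describes: the leaf is signed by a sub CA that the portal does not send and the endpoint does not hold, so only clients with their own copy of the intermediate (or AIA fetching) validate the cert.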
06-28-2019 12:34 AM
This issue is because of bug CSCut26025.
Thanks for support.
Regards,
Jay
06-28-2019 03:35 AM
Thanks for sharing this wonderful news. Is it fixed in any 2.4 patch? So if I am installing a CA chain I have to restart services on all affected nodes?
06-28-2019 03:39 AM
Nope, it doesn't work. I have opened SR#687020206.
Regards,
Jay
07-04-2019 10:54 AM
This particular TAC case is actually due to CSCvp75207, as the workaround has helped.
CSCut26025 is a very old doc bug. The general workaround in restarting ISE services could have helped different underlying issues, including CSCvk65179.
08-08-2019 07:29 AM
I had the same issue, ISE 2.4 patch 8, and it seemed to be resolved by following the workaround. The issue I'm having now is that the clients keep disconnecting, only my guest clients. I have opened TAC cases on both sides; nobody seems to know why it's happening. All they see is that the phone left the BSS, which is not true, I'm right underneath the AP.
Has anyone else seen this? I am planning to roll back to patch 6 during the weekend to see if the issue goes away.
07-03-2019 04:15 AM
Hi Arne
I've heard that this should be fixed in Patch 10 which is planned to be released around September.
Patch 9 was just released yesterday, and it does not have a fix for it.
07-03-2019 11:31 AM
CSCut26025 is a doc bug and resolved already by updating ISE CCO docs.
CSCvp75207 is a tech bug and affecting ISE 2.4 Patch 8 and 9. For workaround, please check the bug info page.