mhoer
Beginner

ISE Guest portal public certificate

Looking for recommendations on guest/certificate issues on our ISE self-registration portal. My certificate knowledge is pretty limited and I am just getting into using certificates.


This is only for guest users and contractors, to avoid getting annoying certificate errors when using the self-registration portal for wireless guest access. Had to renew our certificates due to them expiring. We have EAP authentication running fine with no errors for our employees on our internal network with a private cert for machine authentication.

 

Our ISE nodes have a FQDN of ISE1.company.edu and ISE2.company.edu
We do not have a public certificate for company.edu

However, our public domain CA is issued to a different domain of mycompany.edu

 

We are currently running ISE 2.6.0.156 with Patches 1 and 3 installed.

We have 5520 WLCs running code 8.5.171


I've tried using SAN names or IP addresses to get around this, but guest users are still receiving invalid/untrusted certificate errors when they open a web browser to be directed to the self-registration portal. They are getting errors because the public and private domains do not match.

 

So what kind of certificate will work when our private domain does not match our public domain?

Any thoughts or suggestions would be appreciated.

Accepted Solutions
Amine ZAKARIA
Beginner

Hello,

Does your public certificate (mycompany.edu) have a wildcard in the SAN, *.mycompany.edu? If so, create two A records in DNS, each one pointing to a specific node, for example guest1.mycompany.edu for ISE1 and guest2.mycompany.edu for ISE2.

And under the Authorization Profile used for redirection, fix the FQDN for the url-redirect so ISE will send guest1.mycompany.edu instead of ISE1.company.edu in the url-redirect.


 

Make sure the mycompany.edu cert is assigned to that specific portal.

Hope that helps!

Ok thanks, I will look into that and try it out.
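
Why the node FQDN and IP-based redirects fail while the renamed ones pass, as an added example that is not part of the thread: a Python sketch of browser-style hostname matching applied to the host in the url-redirect. The SAN list, the redirect URLs and the function names are constructed for illustration, using the domains from the posts.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: SAN dNSName entries of the public certificate.
SAN_DNS = ["mycompany.edu", "*.mycompany.edu"]

# Constructed sample redirect URLs (path and session id are placeholders).
REDIRECTS = [
    "https://ISE1.company.edu:8443/portal/gateway?sessionId=SAMPLE",
    "https://guest1.mycompany.edu:8443/portal/gateway?sessionId=SAMPLE",
    "https://guest2.mycompany.edu:8443/portal/gateway?sessionId=SAMPLE",
    "https://guest1.wifi.mycompany.edu:8443/portal/gateway?sessionId=SAMPLE",
    "https://10.0.0.5:8443/portal/gateway?sessionId=SAMPLE",
]

def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """Match one SAN dNSName against a hostname (RFC 6125 wildcard rules)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Wildcard is only honoured as the whole left-most label.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def portal_cert_ok(redirect_url, san_dns, san_ip=()):
    """True if the certificate covers the host the guest is redirected to."""
    host = urlsplit(redirect_url).hostname
    if host is None:
        return False
    if is_ip(host):
        # IP literals are matched only against iPAddress SAN entries.
        return any(ip_address(host) == ip_address(i) for i in san_ip)
    return any(dns_name_matches(p, host) for p in san_dns)

def check_redirects(urls=REDIRECTS, san_dns=SAN_DNS):
    """Map each redirect host to whether the certificate would be accepted."""
    return {urlsplit(u).hostname: portal_cert_ok(u, san_dns) for u in urls}

if __name__ == "__main__":
    for host, ok in check_redirects().items():
        print(f"{host:28} {'match' if ok else 'NAME MISMATCH'}")
```

The same check applies to any additional portal name: it has to sit exactly one label below mycompany.edu to be covered by the wildcard.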
