ISE Guest portal public certificate

mhoer
Level 1

Looking for recommendations on guest/certificate issues on our ISE self-registration portal. My certificate knowledge is pretty limited and I am just getting into using certificates.


This is only for guest users and contractors, to avoid getting annoying certificate errors when using the self-registration portal for wireless guest access. We had to renew our certificates due to them expiring. We have EAP authentication running fine with no errors for our employees on our internal network with a private cert for machine authentication.

 

Our ISE nodes have a FQDN of ISE1.company.edu and ISE2.company.edu
We do not have a public certificate for company.edu

However, our public domain CA is issued to a different domain of mycompany.edu

 

We are currently running ISE 2.6.0.156 with Patches 1 and 3 installed.

We have 5520 WLCs running code 8.5.171


I've tried using SAN names or IP addresses to get around this, but guest users are still receiving invalid/untrusted certificate errors when they open a web browser to be directed to the self-registration portal. They are getting errors because the public and private domains do not match.

 

So what kind of certificate will work when our private domain does not match our public domain?

Any thoughts or suggestions would be appreciated.

Accepted Solutions

Amine ZAKARIA
Spotlight

Hello,

Does your public certificate (mycompany.edu) have a wildcard in the SAN, *.mycompany.edu? If so, create two A records in DNS, each one pointing to a specific node, for example guest1.mycompany.edu for ISE1 and guest2.mycompany.edu for ISE2.

And under the Authorization Profile used for redirection, fix the FQDN for the url-redirect so ISE will send guest1.mycompany.edu instead of ISE1.company.edu in the url-redirect.


Make sure the mycompany.edu cert is assigned to that specific portal.

Hope that helps!
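An added example (not part of the original posts and not Cisco code) of the name check a browser applies to the host in the url-redirect, showing why ISE1.company.edu fails against a *.mycompany.edu certificate while guest1.mycompany.edu passes. The SAN list, port 8443 and URL path below are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample data: SAN entries of the public portal certificate and
# the redirect URLs a guest browser could be sent to.
CERT_SANS = ["mycompany.edu", "*.mycompany.edu"]
REDIRECT_URLS = [
    "https://ISE1.company.edu:8443/portal/gateway",          # node FQDN, private domain
    "https://guest1.mycompany.edu:8443/portal/gateway",      # static FQDN for ISE1
    "https://guest2.mycompany.edu:8443/portal/gateway",      # static FQDN for ISE2
    "https://ise1.guest.mycompany.edu:8443/portal/gateway",  # two labels under the wildcard
]

def san_matches(hostname, san):
    """Compare a hostname with one DNS SAN entry the way browsers do:
    case-insensitive, '*' only as the entire left-most label, and the
    wildcard stands for exactly one label."""
    host = hostname.rstrip(".").lower().split(".")
    pattern = san.rstrip(".").lower().split(".")
    if len(host) != len(pattern):
        return False  # '*' never spans a dot and never matches the bare domain
    if pattern[0] == "*":
        # Require at least two fixed labels so a pattern like '*.edu' is refused.
        return len(pattern) > 2 and host[1:] == pattern[1:]
    return host == pattern

def redirect_host_covered(redirect_url, cert_sans):
    """True if the host part of the redirect URL is covered by any SAN entry."""
    host = urlsplit(redirect_url).hostname or ""
    return any(san_matches(host, san) for san in cert_sans)

def audit(redirect_urls, cert_sans):
    """Map each redirect host (lower-cased by urlsplit) to its match result."""
    return {urlsplit(u).hostname: redirect_host_covered(u, cert_sans)
            for u in redirect_urls}

if __name__ == "__main__":
    for host, ok in audit(REDIRECT_URLS, CERT_SANS).items():
        print(f"{host:28} {'covered' if ok else 'NAME MISMATCH'}")
```

A name match is necessary but not sufficient: the guest device must also trust the issuing CA, and the guest FQDNs must resolve for clients on the guest network.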

2 Replies

Ok thanks, I will look into that and try it out.
