ISE Guest Portal public certificate

Aquatera · ‎09-29-2021

Hi All,

I am just looking at putting a public cert on our Guest Portal provided by ISE. We have a pretty standard setup of a Primary & Secondary PAN as well as PSN and are using WLC Anchor/Foreign controllers. Our Guest users currently get the certificate not trusted when they go through the CWA redirect as the cert ISE provides is provided by our local PKI and we specify the IP in the redirect also. I have tested putting a public cert on in a lab environment and as we only allow guests to Google DNS and not our internal DNS servers I have had to use the DNS rewrite method on my ASA.
This works fine, but I am wondering if there are any other methods people have used out there when only using public DNS as I don't really want to use 3 public IP's if I can help it for the DNS rewrite method. Security don't seem keen on allowing guests to use our internal DNS servers either.

ComputerRick · ‎09-30-2021

What IP are you providing in the redirect to get to the portal? If it's an RFC1918 private address (10.x.x.x, 172.16.x.x, or 192.168.x.x) then you don't have an alternative, as those IPs are no longer allowed in certs issued by Trusted Anchors. I would suggest that your best option would be to setup a DNS server for your guests that doesn't communicate with your internal servers, then you could get a trusted cert with the dns of your ISE server portal(s) using something like ISE1.<domain> ISE2.<domain> and have it resolve internally on your guest DNS on a private IP.

With changes coming on mobile devices, they will soon not be able to bypass that warning and using private IPs for the redirect will no longer function.

The only other solution would be to use a publicly resolvable IP for the portals, so it's down to use a public IP for each portal, have a guest DNS, or risk having devices that will increasingly stop working on your guest network altogether. HTH.