Austin Harsh
Beginner

ISE Hot Spot Certificate Error

We've just set up an ISE server (Version 1.3.0.876) and have configured a Hot Spot portal for guest users. Everything about the portal works just fine, however! The issue we are running into is we have installed a public cert signed by a public CA (Starfield CA), however when guests go to the EULA page on the ISE server, they are getting a cert error due to the certificate path not becoming populated. I look at the cert it gets and the path only contains the issued cert, not the CAs it needs above it. (I believe the cert requests the browser to go to a website to download the latest public CAs for the issued cert)

I can get around this by permitting that IP it hits in the ACL on the WLC, but I would like to just simply have ISE deliver the cert WITH its public CAs just in case that IP changes, or it's actually hitting a VIP and it is just being round robin'd.

Does anyone know how this is done?

 

I've tried the following:

Pulled the cert off ISE, added the public CAs into the server cert and added it back into ISE, no luck. (I may have not done this properly, let me know if this should have worked)

Added the public CAs into ISE and trusted them, no luck with that either.

 

Let me know! Thanks guys! 

nspasov
Cisco Employee

Make sure that you add the Root and all of the intermediate CAs certificates in the trusted certificate store in ISE. Also, make sure that you import those as individual certificate files and not the chain. 

 

Thank you for rating helpful posts!

(sorry for the long reply, I was out) I was able to do what you suggested, but it still does not send the chain with the cert.

I tried importing a p7b file with the chain into ISE, but it just strips out the other certs.

Any other ideas?

 

Thanks in advance.

No worries. A couple of more questions:

1. Are all users/devices getting the certificate error or just some of them?

2. Can you check the "trusted root" certificate store and confirm that the Starfield Root CA is present?

 

Thank you for rating helpful posts!

I figured out how to fix this, apparently you need to reboot your servers after you install a public cert. We rebooted both our ISE servers and mobile devices/laptops are not getting the cert issue anymore.

Thanks for your help!

Good job on solving the problem and for taking the time to post back here! (+5 from me). 

What is interesting is that ISE should warn you and automatically restart the server when a new HTTPs cert is installed. I wonder if this behavior perhaps changed with the latest version/patch. In either case, glad your issue is resolved!

Now you should mark the thread as "answered" :)

Thanks Heaps for this! I wish I had seen this post sooner. Would have saved me hours of troubleshooting trying to work out why it wasn't working.
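
One way to confirm from a client whether the portal is sending its intermediates in the TLS handshake, the symptom described in this thread (an added example, not from any poster or from Cisco; the hostname, CA names and `s_client` output below are constructed samples):

```shell
#!/bin/sh
# Added example: classify the chain a TLS server presents, using the
# "Certificate chain" section of `openssl s_client -showcerts` output.
# Prints: no-certs | leaf-only | broken-chain | chain-sent
chain_status() {
  awk '
    BEGIN { n = 0 }
    /^Certificate chain/ { in_chain = 1; next }
    /^---$/              { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    in_chain && /^ +i:/        { sub(/^ +i:/, "");        iss[n++] = $0; next }
    END {
      if (n == 0) { print "no-certs";  exit }
      if (n == 1) { print "leaf-only"; exit }   # client must fetch or already hold the CAs
      for (k = 0; k < n - 1; k++)               # each issuer must be the next subject
        if (iss[k] != subj[k + 1]) { print "broken-chain"; exit }
      print "chain-sent"
    }'
}

# Constructed sample: only the issued certificate is sent (the reported symptom).
sample_leaf_only() {
  cat <<'EOF'
---
Certificate chain
 0 s:CN = guest.example.com
   i:CN = Example Issuing CA (constructed)
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
EOF
}

# Constructed sample: leaf followed by its intermediate.
sample_full_chain() {
  cat <<'EOF'
---
Certificate chain
 0 s:CN = guest.example.com
   i:CN = Example Issuing CA (constructed)
 1 s:CN = Example Issuing CA (constructed)
   i:CN = Example Root CA (constructed)
---
EOF
}

# Live check (HOST and PORT are placeholders for the portal address):
#   openssl s_client -connect HOST:PORT -servername HOST -showcerts </dev/null 2>/dev/null | chain_status
echo "leaf-only sample:  $(sample_leaf_only | chain_status)"
echo "full-chain sample: $(sample_full_chain | chain_status)"
```

Running the live check before and after a certificate change or restart shows whether the server's handshake actually changed, independent of what any one browser has cached.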
