03-19-2015 04:44 PM - edited 03-10-2019 10:33 PM
We've just set up an ISE server (Version 1.3.0.876) and have configured a Hot Spot portal for guest users. Everything about the portal works just fine. However, the issue we are running into is that we have installed a public cert signed by a public CA (Starfield CA), but when guests go to the EULA page on the ISE server, they are getting a cert error due to the certificate path not being populated. When I look at the cert it gets, the path only contains the issued cert, not the CAs it needs above it. (I believe the cert requests the browser to go to a website to download the latest public CAs for the issued cert.)
I can get around this by permitting that IP it hits in the ACL on the WLC, but I would like to just simply have ISE deliver the cert WITH its public CAs just in case that IP changes, or it's actually hitting a VIP and it is just being round robin'd.
Does anyone know how this is done?
I've tried the following:
Pulled the cert off ISE, added the public CAs into the server cert and added it back into ISE, no luck. (I may not have done this properly, let me know if this should have worked.)
Added the public CAs into ISE and trusted them, no luck with that either.
Let me know! Thanks guys!
03-20-2015 06:54 PM
Make sure that you add the Root and all of the intermediate CA certificates to the trusted certificate store in ISE. Also, make sure that you import those as individual certificate files and not the chain.
Thank you for rating helpful posts!
03-31-2015 09:37 AM
(Sorry for the long reply, I was out.) I was able to do what you suggested, but it still does not send the chain with the cert.
I tried importing a p7b file with the chain into ISE, but it just strips out the other certs.
Any other ideas?
Thanks in advance.
03-31-2015 12:41 PM
No worries. A couple more questions:
1. Are all users/devices getting the certificate error or just some of them?
2. Can you check the "trusted root" certificate store and confirm that the Starfield Root CA is present?
Thank you for rating helpful posts!
04-03-2015 09:20 AM
I figured out how to fix this: apparently you need to reboot your servers after you install a public cert. We rebooted both our ISE servers and mobile devices/laptops are not getting the cert issue anymore.
Thanks for your help!
04-03-2015 10:30 AM
Good job on solving the problem and for taking the time to post back here! (+5 from me).
What is interesting is that ISE should warn you and automatically restart the server when a new HTTPS cert is installed. I wonder if this behavior perhaps changed with the latest version/patch. In either case, glad your issue is resolved!
Now you should mark the thread as "answered" :)
03-08-2021 04:41 PM
Thanks heaps for this! I wish I had seen this post sooner. Would have saved me hours of troubleshooting trying to work out why it wasn't working.
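
The symptom from the original question (a guest device that trusts only the root CA receives the server cert without its intermediate) can be reproduced offline; this is an added example, not part of the thread, and it is not ISE configuration. It assumes the `openssl` CLI is installed; the CA names, file names and function names are constructed for the demo.

```bash
# Added example; every name, subject and file below is constructed for the demo.

# Build a throwaway root -> intermediate -> leaf chain in directory $1.
make_demo_chain() {
  local d=$1 name
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for name in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 1001 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 1002 -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# $1 = root the client already trusts, $2 = PEM file the server presents (leaf first).
# Certificates after the leaf in $2 are used only as untrusted chain-building help,
# which is how a client treats the chain sent in the TLS handshake.
client_accepts() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>&1 | grep -q ': OK$'
}

# Compare a server that sends only its own cert with one that sends the chain.
demo() {
  local d f
  d=$(mktemp -d) || return 1
  make_demo_chain "$d" || return 1
  cp "$d/leaf.pem" "$d/sent_leaf_only.pem"
  cat "$d/leaf.pem" "$d/inter.pem" > "$d/sent_with_intermediate.pem"
  for f in sent_leaf_only sent_with_intermediate; do
    if client_accepts "$d/root.pem" "$d/$f.pem"; then
      echo "$f: accepted"
    else
      echo "$f: rejected (client cannot find the issuer of the leaf)"
    fi
  done
  rm -rf "$d"
}

demo
```

To run the same check against a live portal, save the output of `openssl s_client -connect <portal-host>:<port> -showcerts` to a file and pass it as the second argument of `client_accepts`, with the public root CA as the first.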