ISE - portal FQDN

Kevin-H
Level 1

Is the FQDN required for the sponsor portal to work? (Ditto for other types of portals.)

Can you have more than one FQDN, and if so, are the entries separated by commas?

TIA


3 Replies

ajc
Level 7

Answers:

1. Yes, an FQDN is required. That FQDN MUST be part of the SAN of the certificate, which MUST also be assigned the Admin role on ISE. Otherwise you would hit a bug that I found some time ago. See picture below.

2. Why do you need different sponsor portals? All the PSNs would serve the same one you created, and with an LB distributing the load it is even better.

[Image: sponsor.png]

Thank you for the quick reply.

1. I completely understand where SAN entries fit in for multiple hostnames, but I am not sure why the same cert has to be used to also manage the PAN.

I've used different certs for Admin and Portal and didn't run into any issues.

2. We don't want multiple sponsor portals, but rather the same portal accessible with multiple FQDNs.

For example, we want the employee sponsors to be able to hit it with guest.domain, guestwireless.domain, sponsor.domain, etc.

In earlier versions of ISE, I was able to do it without hard-coding the FQDN under the sponsor portal.

Has that changed?

1. Regarding the certificate: I am running 2.2 patch 4.

ISE 1.3 https to sponsor portal using Admin cert not sponsor cert

CSCut16630

Description

Symptom:
Admin UI: CertA (self-signed)
Sponsor Portal: CertB (3rd-party wildcard)

On the sponsor portal settings in the Admin UI, FQDN set to: sponsor.example.com

In a browser, go to http://sponsor.example.com: get CertB, and then redirection happens to the full URL (with https and port etc.) and the same cert is presented again.

Go to https://sponsor.example.com: get CertA. Since it is self-signed, accept the warning; redirected to the full URL (with port etc.), get CertB.

Conditions:
Have different certs for the Admin and Sponsor portals and use https to access the sponsor portal.

Workaround:
One of the following:

1. Use http://fqdn to log in to the sponsor portal.
2. Use a CA-signed certificate for the Administration portal on the PSN(s) where the sponsor portal is enabled.
3. Use a load balancer or reverse proxy server as the front end for the requests and have the SSL certificates installed on the web front-end devices.

Further Problem Description:
An HTTPS request to the sponsor portal URL (e.g., https://sponsor.example.com) is a request to port 443 of the ISE node. Since this port is assigned to the Administration portal, ISE initially presents the Admin certificate. Once this cert is validated by the browser, the request is redirected to the port assigned to the Sponsor portal (e.g., https://sponsor.example.com:8443), and the certificate assigned to the Sponsor portal is presented by ISE. If the Admin certificate is self-signed, then the sponsor user will be prompted to grant a certificate exception when the sponsor portal request is made. Cisco recommends that a CA-signed cert be used for the Admin portal so this behavior does not occur.

The ISE backend implementation is not capable of Server Name Indication (SNI), which was only recently implemented for Tomcat 9. See http://stackoverflow.com/questions/20190464/howto-setup-tomcat-serving-two-ssl-certificates-using-sni

2. Looks like it changed. As you mentioned, in previous versions we did not have to hard-code the FQDN for the sponsor portal. At this moment, I do not see any other option other than multiple sponsor portals.
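The two-step flow in the bug text (https://fqdn hits port 443 and gets the Admin certificate, then the redirect to the portal port gets the portal certificate) and the multiple-alias question from the follow-up post both reduce to the same check: every FQDN a sponsor might type has to be covered by a CA-signed certificate on both ports. The script below is an added example and is not Cisco's code or anything posted in this thread. It assumes the sponsor portal port is 8443, uses hand-constructed certificate dicts in the shape that Python's ssl.getpeercert() returns (hostnames, CA name and SAN contents are made up), and includes a live probe that connects the way a browser would so that a verification failure shows up as the warning the sponsor would see.

```python
"""Added example (not Cisco's code nor anything posted in this thread):
check which certificate an ISE node presents on the Admin port (443) versus
the sponsor portal port (8443 assumed) and whether each covers every alias.

The certificate dicts below are constructed by hand in the shape returned by
ssl.SSLSocket.getpeercert(); all hostnames and the CA name are assumptions."""
import socket
import ssl
import sys

ADMIN_PORT = 443     # Administration portal: what https://<fqdn> hits first
PORTAL_PORT = 8443   # assumed sponsor-portal port; read it from the portal settings

# Constructed sample: self-signed Admin cert on the PSN, as in the bug symptom.
ADMIN_CERT_SELF_SIGNED = {
    "subject": ((("commonName", "ise-psn1.example.com"),),),
    "issuer": ((("commonName", "ise-psn1.example.com"),),),
    "subjectAltName": (("DNS", "ise-psn1.example.com"),),
}
# Constructed sample: Admin cert replaced per workaround 2 (CA-signed, with the
# PSN name and the portal aliases sponsors will type in the SAN).
ADMIN_CERT_CA_SIGNED = {
    "subject": ((("commonName", "ise-psn1.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "ise-psn1.example.com"),
                       ("DNS", "sponsor.example.com"),
                       ("DNS", "guest.example.com")),
}
# Constructed sample: third-party wildcard cert bound to the sponsor portal.
SPONSOR_CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def san_dns_names(cert):
    """DNS entries of the subjectAltName in a getpeercert()-style dict."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_cn(cert):
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def is_self_signed(cert):
    """Subject equal to issuer: a browser warns unless the cert was imported."""
    return cert.get("subject") == cert.get("issuer")


def name_matches(pattern, fqdn):
    """Exact match, or a wildcard that replaces only the leftmost label."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern == fqdn:
        return True
    if pattern.startswith("*.") and pattern.count(".") == fqdn.count("."):
        return fqdn.split(".", 1)[1] == pattern[2:]
    return False


def covers(cert, fqdn):
    """True if the FQDN is in the SAN (CN is consulted only when no SAN exists)."""
    names = san_dns_names(cert) or [subject_cn(cert)]
    return any(name_matches(n, fqdn) for n in names)


def diagnose(fqdns, admin_cert, portal_cert):
    """Walk the flow the bug describes for each alias a sponsor might type:
    https://<fqdn> first hits 443 (Admin cert), then is redirected to the
    portal port (portal cert). Returns (fqdn, step, ok, reason) tuples."""
    steps = (("admin:%d" % ADMIN_PORT, admin_cert),
             ("portal:%d" % PORTAL_PORT, portal_cert))
    findings = []
    for fqdn in fqdns:
        for step, cert in steps:
            if not covers(cert, fqdn):
                findings.append((fqdn, step, False, "name not in SAN"))
            elif is_self_signed(cert):
                findings.append((fqdn, step, False, "self-signed"))
            else:
                findings.append((fqdn, step, True, "ok"))
    return findings


def warning_free(fqdns, admin_cert, portal_cert):
    """True only if no step for any alias would raise a browser warning."""
    return all(ok for _, _, ok, _ in diagnose(fqdns, admin_cert, portal_cert))


def fetch_cert(host, port, timeout=5):
    """Live probe with a browser-like context (system trust store, hostname
    check on). Returns the peer cert dict, or the failure text a user would hit."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return "failure on %s:%d: %s" % (host, port, exc)


if __name__ == "__main__":
    aliases = ["sponsor.example.com", "guest.example.com", "guestwireless.example.com"]
    for fqdn, step, ok, reason in diagnose(aliases, ADMIN_CERT_SELF_SIGNED, SPONSOR_CERT_WILDCARD):
        print("%-28s %-12s %s" % (fqdn, step, "ok" if ok else "FAIL: " + reason))
    if len(sys.argv) > 1:  # e.g. python3 portal_cert_check.py sponsor.example.com
        for port in (ADMIN_PORT, PORTAL_PORT):
            print(port, fetch_cert(sys.argv[1], port))
```

Run without arguments to see the constructed bug scenario: the wildcard portal cert passes on 8443 for every alias, but the self-signed Admin cert on 443 fails for all of them, which is exactly the warning-then-redirect behaviour in CSCut16630. With a hostname argument it probes a real node on both ports; because SNI is not honoured, the certificate returned does not depend on which alias you pass, so every alias that sponsors use must appear in the SAN of the certificate on each port.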