ISE portal not redirecting on Android phones- passing wrong cert

cvseggern
Level 1

We recently renewed the certs for our guest portals that had expired.

What seems to be happening is that on Windows devices and Apple devices the guest portal will automatically open and redirect to our portal URL. It passes the whole cert chain, and everything is good.

What appears to happen on Android devices is that when you connect to the guest Wi-Fi it will not open up the mini browser for redirection, which is fine.

It only then redirects when you try to browse from a browser. But it seems to pass the WLC cert rather than the ISE cert, so when you try to get to the portal URL it just throws cert errors and the web page will inevitably not load.

Even when attempting to browse directly to the IP address it will give either a 404 error or an "Access Denied", if it even does load.

What makes this even more interesting is that, in an effort to troubleshoot, I've created essentially a clone of my guest Wi-Fi network. It uses a clone of the WLC ACL, the same rules on the firewall, the same ISE policy set, the same cert; basically it's a clone in all aspects.

This loads just fine.

I've tried multiple things, including rebooting ISE multiple times, rebooting our WLC, and enabling/disabling captive bypass, and nothing seems to work to get our primary guest portal to redirect or pass the correct cert for Android devices.

Any help would be appreciated.

Version: 2.6.0.156

Installed patches: 6

3 Replies

Arne Bier
VIP

Sounds bizarre indeed - if the WLC clone (that works without issues) is in fact an exact copy (apart from its IP addressing perhaps) then it would appear that the issue lies with the config in the other WLC? e.g. is there perhaps a virtual IP (traditionally, incorrectly set to 1.1.1.1 instead of 192.0.2.1) still floating around? Or are there static host entries on the client (e.g. /etc/hosts) ?

 

Looking at the ISE side of things, do you have the complete CA cert chain installed on ISE (e.g. the public CA's Root and any intermediate certificates) under Trusted Certificates? It's never been 100% clear to me but just to be on the safe side, I always install the entire chain - just in case the web server has to provide that to the client.

 

Have you run a config diff (from show run) between the prod WLC and the clone WLC? What can you see? 

Hi Arne,

Thanks for the response! I should clarify that when I made a clone, I meant that I made a separate WLAN with a different name and SSID.

I copied over the ACL, which is the same besides the IP addresses.

So this is still on the same WLC in an HA pair.

Anyway, when I check on the cert I receive, I appear to be receiving this one on my Android devices (screenshot from my WLC):

[attachment: Capture.PNG]

I couldn't find any case of a virtual IP set or static routes/host entries.

As far as the ISE chain, all the certs and intermediary certs are installed.

One other thing to note: when another user attempts to connect to the Wi-Fi, they are getting a 404 page error message.

I'm almost tempted to move over my guest Wi-Fi to my cloned SSID since that seems to be working without issues.

hslai
Cisco Employee

I hope you have either already resolved this issue yourself or opened a TAC case on this. If you need more help here, I would suggest that you check the URL the Android browser reached, and take some packet captures to confirm the Android endpoint is getting the certificate from the desired web server.

As to the WLAN configurations, you may try exporting the configuration to a repository and then compare the two WLANs line-by-line.
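The check hslai describes above, written out as an added example that is not part of the thread and is not Cisco's or the poster's code: a Python script that sends the same cleartext connectivity probe an Android client sends, records where the WLC redirects it, then opens TLS to that target with a chosen SNI and reports whose certificate comes back, so a WLC web-auth certificate can be told apart from the ISE portal certificate. The portal hostname, the query parameter names and the two sample certificate dictionaries are constructed assumptions; the live functions need a client on the guest SSID, while the parsing and classification run offline.

```python
"""Added example: reproduce what an Android client sees behind an ISE captive portal.
Hostnames, query parameter names and sample certs below are constructed assumptions."""
import http.client
import socket
import ssl
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not captured from the thread's environment).
SAMPLE_LOCATION = ("https://guest.example.com:8443/portal/gateway"
                   "?sessionId=0a0b0c0d00000001&portal=abc123&action=cwa")
ISE_PORTAL_CERT = {  # same shape as ssl.SSLSocket.getpeercert() returns
    "subject": ((("commonName", "guest.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "guest.example.com"), ("DNS", "ise-psn1.example.com")),
}
WLC_WEBAUTH_CERT = {  # self-signed, no SAN: what a controller's own web-auth cert typically looks like
    "subject": ((("commonName", "wlc-guest.example.com"),),),
    "issuer": ((("commonName", "wlc-guest.example.com"),),),
    "subjectAltName": (),
}


def parse_redirect(location):
    """Split a captive-portal Location header into host, port, path and query params."""
    parts = urlsplit(location)
    default_port = 443 if parts.scheme == "https" else 80
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or default_port,
        "path": parts.path,
        "params": {k: v[0] for k, v in parse_qs(parts.query).items()},
    }


def probe_redirect(probe_host="connectivitycheck.gstatic.com", path="/generate_204", timeout=5):
    """Send Android's cleartext probe; open network gives (204, None), a portal gives a redirect."""
    conn = http.client.HTTPConnection(probe_host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "Mozilla/5.0 (Linux; Android 10)"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def fetch_cert_info(host, port, sni, timeout=5):
    """Connect to host:port presenting `sni`; return (leaf PEM, decoded cert dict).

    Pass 1 skips validation to capture the leaf. Pass 2 trusts exactly that leaf as a
    partial chain so getpeercert() returns the decoded subject/issuer/SAN fields."""
    def connect(ctx):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                return tls.getpeercert(binary_form=True), tls.getpeercert()

    ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx1.check_hostname, ctx1.verify_mode = False, ssl.CERT_NONE
    der, _ = connect(ctx1)
    pem = ssl.DER_cert_to_PEM_cert(der)

    ctx2 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx2.check_hostname, ctx2.verify_mode = False, ssl.CERT_REQUIRED
    # ssl.VERIFY_X509_PARTIAL_CHAIN exists from Python 3.10; 0x80000 is OpenSSL's raw flag value.
    ctx2.verify_flags |= getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0x80000)
    ctx2.load_verify_locations(cadata=pem)
    _, info = connect(ctx2)
    return pem, info


def cert_names(cert):
    """Return (subject CN, list of SAN DNS names) from a getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, sans


def name_matches(pattern, fqdn):
    """Exact match, or a single left-most wildcard label (*.example.com)."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if pattern.startswith("*."):
        return fqdn.count(".") == pattern.count(".") and fqdn.endswith(pattern[1:])
    return False


def classify_cert(cert, portal_fqdn):
    """Does the presented cert cover the portal FQDN in its SAN (browsers ignore the CN)?"""
    cn, sans = cert_names(cert)
    return {
        "cn": cn,
        "sans": sans,
        "self_signed": cert.get("subject") == cert.get("issuer"),
        "covers_portal": any(name_matches(n, portal_fqdn) for n in sans),
    }


def check_portal(host, port, sni, portal_fqdn):
    """Live check: fetch the cert from host:port with the given SNI and classify it."""
    _, info = fetch_cert_info(host, port, sni)
    return classify_cert(info, portal_fqdn)


if __name__ == "__main__":
    redirect = parse_redirect(SAMPLE_LOCATION)
    print("redirect target:", redirect["host"], redirect["port"], redirect["params"].get("sessionId"))
    for label, cert in (("ISE", ISE_PORTAL_CERT), ("WLC", WLC_WEBAUTH_CERT)):
        print(label, classify_cert(cert, redirect["host"]))
```

On a client attached to the broken SSID, run `probe_redirect()` to see whether the Location points at the portal FQDN or at an IP such as the controller's virtual interface, then call `check_portal()` three ways: the portal FQDN resolved normally, the portal IP with `sni` set to the FQDN, and the same IP with no SNI. If the FQDN-with-SNI call returns a certificate that covers the portal name but the no-SNI call returns a self-signed one, the Android client is reaching a server that selects its certificate by SNI (or is being sent to the wrong address), which is what a packet capture of the ClientHello and the Location header would confirm.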