cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
344
Views
5
Helpful
6
Replies

ISE Wildcard Cert issue

N3om
Level 1
Level 1

Hi

I have just re-added a wildcard cert to ISE as it was about to expire, when I now try connecting to guest wireless network I don tget to the portal page and i get a warning saying this web page at https://guest.boarders.co.uk :8443     could not be loaded due to net:: err_ssl_version_or_cipher_mistmatch

 

aNy ideas what I might have missed please.??

 

Thanks

1 Accepted Solution

Accepted Solutions

Glad you found a resolution for the cert issue via the TAC.  I will keep that one in mind.

As for the question of SAN fields, this is up to

1) How the CA populated them (usually CA's will ensure that the Subject CN is always present somewhere in the SAN - e.g. if you submit a CSR with a Subject CN = www.zebra.com and forget to include www.zebra.com in the SAN, then any good CA will add it into the SAN)

2) How the browser chooses to select amongst multiple SAN entries. Perhaps there is an RFC out there that recommends/suggests the ordering, but I would think that the ordering of the SAN entries is arbitrary - as long as ONE of those entries satisfies the matching requirements - that's all that's required.

View solution in original post

6 Replies 6

balaji.bandi
Hall of Fame
Hall of Fame

what certificate was there before Wild card ? or SAN ?

Look at the guide lines :

https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897

what ISE version ? if the cert is good  and try remove old cert and reload ISE and test it.

check below :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc64480

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Arne Bier
VIP
VIP

@N3om is this the error message you are seeing when you are redirected to the ISE Portal page on a guest device?   Doesn't sound like a certificate issue, since the certificate does not dictate what version of TLS is used.

Examine the new certificate anyway - does the browser manage to load it and can you verify that the new certificate is being presented to the browser?

Run a tcpdump on the ISE node to see what is going wrong with the TLS exchange. 

Have you tried restarting the PSN node (app stop ise, reload)?

@Arne Bier I think we had hit a bug which Cisco published a while back as I went through the steps Cisco suggested and it seems to have worked.

1. create a self signed Cert for Guest portal

2. delete new wildcard cert and old if still there

3. reload PSN and PAN nodes.

 

Hers another question if I may, when i watch tutorials online for adding wildcard cert via CSR, in the first DNS field is e.g

ise.local.co.uk, then the second dns fielsd is *.local.co.uk, I havent done it like this as the last cert didnt have it I have got

*.boarders.co.uk

boaders.co.uk  

our guest portal is actually guest.boaders.co.uk

any idea which is the correct way please.?? and why.?????

Thanks

 

Glad you found a resolution for the cert issue via the TAC.  I will keep that one in mind.

As for the question of SAN fields, this is up to

1) How the CA populated them (usually CA's will ensure that the Subject CN is always present somewhere in the SAN - e.g. if you submit a CSR with a Subject CN = www.zebra.com and forget to include www.zebra.com in the SAN, then any good CA will add it into the SAN)

2) How the browser chooses to select amongst multiple SAN entries. Perhaps there is an RFC out there that recommends/suggests the ordering, but I would think that the ordering of the SAN entries is arbitrary - as long as ONE of those entries satisfies the matching requirements - that's all that's required.