05-17-2024 05:27 AM
Hi
I have just re-added a wildcard cert to ISE as it was about to expire. When I now try connecting to the guest wireless network I don't get to the portal page and I get a warning saying the web page at https://guest.boarders.co.uk:8443 could not be loaded due to net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
Any ideas what I might have missed, please?
Thanks
05-19-2024 02:24 AM
What certificate was there before? Wildcard? Or SAN?
Look at the guidelines:
What ISE version? If the cert is good, try removing the old cert, reload ISE and test it.
Check below:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc64480
05-19-2024 02:09 PM
@N3om is this the error message you are seeing when you are redirected to the ISE Portal page on a guest device? Doesn't sound like a certificate issue, since the certificate does not dictate what version of TLS is used.
Examine the new certificate anyway - does the browser manage to load it and can you verify that the new certificate is being presented to the browser?
Run a tcpdump on the ISE node to see what is going wrong with the TLS exchange.
Have you tried restarting the PSN node (app stop ise, reload)?
05-21-2024 01:54 PM - edited 05-21-2024 01:57 PM
@Arne Bier I think we had hit a bug which Cisco published a while back as I went through the steps Cisco suggested and it seems to have worked.
1. Create a self-signed cert for the Guest portal.
2. Delete the new wildcard cert, and the old one if it is still there.
3. Reload the PSN and PAN nodes.
Here's another question if I may. When I watch tutorials online for adding a wildcard cert via CSR, the first DNS field is e.g.
ise.local.co.uk, then the second DNS field is *.local.co.uk. I haven't done it like this, as the last cert didn't have it. I have got
*.boarders.co.uk
boaders.co.uk
Our guest portal is actually guest.boaders.co.uk.
Any idea which is the correct way, please? And why?
Thanks
05-21-2024 03:36 PM
Glad you found a resolution for the cert issue via the TAC. I will keep that one in mind.
As for the question of SAN fields, this is up to
1) How the CA populated them (usually CAs will ensure that the Subject CN is always present somewhere in the SAN - e.g. if you submit a CSR with a Subject CN = www.zebra.com and forget to include www.zebra.com in the SAN, then any good CA will add it into the SAN).
2) How the browser chooses to select amongst multiple SAN entries. Perhaps there is an RFC out there that recommends/suggests the ordering, but I would think that the ordering of the SAN entries is arbitrary - as long as ONE of those entries satisfies the matching requirements, that's all that's required.
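To show the two points above concretely (CN folded into the SAN by the CA, and any one SAN entry being enough regardless of order), here is an added illustration that is not ISE or Cisco code and not from this thread: a small implementation of the dNSName matching rules browsers apply (RFC 6125 / RFC 2818 style, with wildcards limited to the whole left-most label), run against constructed hostnames and SAN lists modelled on the ones discussed.

```python
"""Hostname-vs-SAN matching the way a browser does it.

Added example for the SAN discussion above; it is not ISE, Cisco or thread
code. All hostnames and SAN lists below are constructed sample values.
"""


def dns_name_matches(pattern: str, host: str) -> bool:
    """Does one SAN dNSName entry (possibly a wildcard) cover `host`?"""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host  # exact entry, e.g. boarders.co.uk
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Browsers only honour a wildcard that is the entire left-most label
    # (*.boarders.co.uk), never gu*.boarders.co.uk or *.*.co.uk, and it
    # must be followed by at least two labels (*.uk is rejected).
    if p_labels[0] != "*" or "*" in p_labels[1:] or len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one label: it covers
    # guest.boarders.co.uk but neither the apex boarders.co.uk
    # nor a.b.boarders.co.uk.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches_san(host: str, san_dns_names: list[str]) -> bool:
    """True if ANY SAN entry matches; the order of entries is irrelevant."""
    return any(dns_name_matches(name, host) for name in san_dns_names)


def names_a_good_ca_would_issue(subject_cn: str, requested_san: list[str]) -> list[str]:
    """Mimic the CA behaviour described above: if the CSR's Subject CN is
    missing from the SAN, the CA adds it, because browsers ignore the CN
    once a SAN extension is present."""
    if any(n.lower() == subject_cn.lower() for n in requested_san):
        return list(requested_san)
    return [subject_cn] + list(requested_san)


if __name__ == "__main__":
    # Constructed sample: the SAN list from the thread, in both orders.
    portal = "guest.boarders.co.uk"
    san = ["*.boarders.co.uk", "boarders.co.uk"]
    print(hostname_matches_san(portal, san))        # True
    print(hostname_matches_san(portal, san[::-1]))  # True, order ignored
    # The bare apex is only covered by its own entry, not by the wildcard.
    print(hostname_matches_san("boarders.co.uk", ["*.boarders.co.uk"]))  # False
```

The last line is the practical reason to keep both the wildcard and the apex entry: a wildcard alone would not cover the bare domain, and a single-label wildcard would not cover a deeper name such as a.b.boarders.co.uk either.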
05-22-2024 12:17 PM
FYI
CSCwc64480