
PortalGuest - Problems with Androids and iPhones

TiUM
Level 1

ISE Version 2.7, Patch 1 and 2

As the title suggests, I’m having a huge problem with Android phones and iPhones opening the Portal automatically, since every time they get a certificate error, even with the public wildcard. And some iPhones do not even open the portal; they connect to the SSID, but nothing happens.

I have no issues on computers, only on phones.

Has anyone run into this problem before?

Accepted Solutions

Filip Po
Level 1

My recommendation is these few steps:

  • Use a CA cert with an FQDN because
    • Web browser support -- newer Chrome browser releases may not connect to ISE portal pages unless the hostname/FQDN is matched in the certificate SAN field. ISE 2.3 needs this for the system certificate(s) used by the ISE guest/BYOD portals; earlier ISE releases might need the same for the ISE admin portal.
    • Please check if you have a SAN field in the Portal Certificate. Android 9 is not accepting the Portal Certificate if the certificate doesn’t have a SAN in it (FQDN or IP, based on portal redirection).
  • If there is not a well-known intermediate CA, then you can follow this guide by which you will set the ISE portal to send the whole CA certificate chain
    • In the certification trust store check all required boxes provided by the workaround in this CSCvp75207.
  • Other recommendations: https://support.apple.com/en-us/HT210176
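
The SAN and chain checks recommended in this answer can be run against a portal certificate before it is bound to the guest portal. The script below is an added example, not part of the original post or of Cisco's tooling; `guest.example.com`, the function names and the generated self-signed certificates are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Needs OpenSSL 1.1.1+ for -ext/-addext.
# guest.example.com is a placeholder for the FQDN in the portal redirect URL.

# make_sample_cert <out.pem> <cn> [san]: constructed self-signed test input.
make_sample_cert() {
  if [ -n "${3:-}" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
      -keyout "$1.key" -out "$1" -addext "subjectAltName=$3" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
      -keyout "$1.key" -out "$1" 2>/dev/null
  fi
}

# check_portal_cert <leaf.pem> <fqdn-or-ip>
# Returns 0 if the SAN covers the name, 1 if no usable SAN entry, 2 on mismatch.
check_portal_cert() {
  cert=$1; name=$2
  # Redirects by IP need an "IP Address" SAN entry; redirects by FQDN need "DNS".
  if printf '%s' "$name" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
    flag=-checkip; kind='IP Address:'
  else
    flag=-checkhost; kind='DNS:'
  fi
  san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null || true)
  case "$san" in
    *"$kind"*) ;;
    *) echo "FAIL: no $kind entry in subjectAltName (CN is not enough)"; return 1 ;;
  esac
  # -checkhost alone would fall back to the CN, hence the explicit SAN test above.
  if openssl x509 -in "$cert" -noout "$flag" "$name" | grep -q 'does match'; then
    echo "OK: SAN covers $name"; return 0
  fi
  echo "FAIL: SAN present but does not cover $name"; return 2
}

# presented_chain_length <file>: certificates in saved output of
#   openssl s_client -connect <portal>:<port> -servername <portal> -showcerts
# A result of 1 means the server sent only the leaf, without intermediates.
presented_chain_length() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# Demo on constructed certificates.
tmp=$(mktemp -d)
make_sample_cert "$tmp/cn-only.pem" guest.example.com
make_sample_cert "$tmp/with-san.pem" guest.example.com "DNS:guest.example.com"
check_portal_cert "$tmp/cn-only.pem" guest.example.com || true
check_portal_cert "$tmp/with-san.pem" guest.example.com
```

The CN-only certificate is rejected even though its common name equals the portal FQDN, which is the condition the answer asks you to rule out first.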

 


7 Replies

TiUM
Level 1

Any ideas? I still can't get why.

martin.fischer
Level 1

Hi @TiUM 

Can you provide more information to troubleshoot? Just by chance, is your guest certificate signed by QuoVadis?

Because they recently refreshed their intermediate CA and revoked the old intermediate certificates. I have seen issues with guest deployments a lot recently because of this.

https://knowledge.digicert.com/quovadis/ssl-certificates/Intermediate-CA-Revocations-January-2021.html

If that is the case then renew the intermediate certificate on ISE.

Thank you, my public certificate is issued by GoDaddy. I never had any problems with it. If that was the real problem, connecting via PC would not work, and that is not the case. Only on phones, and the certificate is the same for both.

Thank you, will try to check.

I will try to check that, thank you for the reply.

Hi TiUM,

Have you found the problem? I have the same problem now. The wildcard certificate works fine on the Windows machines, it's only the phones that have problems. Even the iPhone does not give me the option to ignore the certificate problem and continue.

 

br

Yordan

Filip Po
Level 1

Hello, because Apple decided not to support the wildcard certificate and let people choose to accept the warning, now it seems that Apple took a step further and banned wildcard certificates completely. Are you sure there are no other problems with an intermediate or a root CA? You have to have a certification chain in a trusted store, so Windows should have it, an iPhone not. What does an iPhone do if you use a self-signed cert?