Hello
It's been a while since I have had to deal with an ISE Portal issue. Today was a struggle to get Android devices to stop complaining when trying to connect to a simple ISE Hotspot Portal. It was surprising to me that Windows and Apple iOS devices had no issues at all. Cisco 9800-CL controller running the 16.12 release and ISE 2.7 patch 3. Simple Hotspot Portal with two PSNs. The Authorization Profile was returned to the client in the form of portal1.company.domain.com or portal2.company.domain.com (depending on which PSN serviced the MAB request) - and the Portal certificate was assigned to a Portal Tag using a wildcard certificate: Subject = *.company.domain.com, SAN = DNS:*.company.domain.com and DNS:company.domain.com - this certificate is used in many other web-based systems without any complaints.
The solution to our Portal problem was to purchase a new certificate that did not contain any wildcards at all. The new cert contained the FQDN of the ISE portal in the Subject Common Name, as well as in the SAN.
The other weird thing was with Oppo phones (also Android based) - these devices plainly refused to authenticate to the SSID until I set Fast Transition (802.11r) to 'Enabled' (I had it disabled to begin with). Normally it's the other way around - fancy features usually prevent devices from connecting.
Maybe this helps someone else who might run into this. Android is going through the teething pains that Apple went through some years ago. And it's enforcing HSTS in a big way.
But the lesson I learned is to request a Portal certificate that contains the exact FQDN of every portal you need - and NO wildcards.
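An added example (not from the original post) of the check I now run before assigning a certificate to a Portal Tag: for each portal FQDN it reports whether the SAN covers it by an exact entry, only via a wildcard, or not at all. It assumes certificates in the dictionary shape Python's ssl getpeercert() returns; the two certificates below are constructed to mirror the post.

```python
"""Check whether a certificate lists the exact portal FQDN in its SAN.

Assumption: certificates are in the dict form returned by
ssl.SSLSocket.getpeercert(): 'subject' as nested tuples and
'subjectAltName' as (type, value) pairs. Sample certs are constructed.
"""


def san_dns_names(cert):
    """Return the DNS entries of subjectAltName, lower-cased."""
    return [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]


def wildcard_matches(pattern, hostname):
    """RFC 6125 style wildcard: '*' must be the whole left-most label and
    matches exactly one label, so '*.x.com' never covers 'x.com' or 'a.b.x.com'."""
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def classify_portal_cert(cert, portal_fqdn):
    """Return 'exact', 'wildcard' or 'none' for how the cert covers portal_fqdn."""
    fqdn = portal_fqdn.lower()
    names = san_dns_names(cert)
    if fqdn in names:
        return "exact"
    if any(wildcard_matches(n, fqdn) for n in names):
        return "wildcard"
    return "none"


# Constructed sample: the wildcard certificate described in the post.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.company.domain.com"),),),
    "subjectAltName": (("DNS", "*.company.domain.com"), ("DNS", "company.domain.com")),
}

# Constructed sample: the replacement certificate naming each portal FQDN.
PORTAL_CERT = {
    "subject": ((("commonName", "portal1.company.domain.com"),),),
    "subjectAltName": (("DNS", "portal1.company.domain.com"), ("DNS", "portal2.company.domain.com")),
}

PORTALS = ["portal1.company.domain.com", "portal2.company.domain.com"]


def report(cert):
    """Map each portal FQDN to how the certificate covers it."""
    return {p: classify_portal_cert(cert, p) for p in PORTALS}


if __name__ == "__main__":
    for label, cert in (("wildcard cert", WILDCARD_CERT), ("per-FQDN cert", PORTAL_CERT)):
        print(label, report(cert))
```

Anything that comes back as 'wildcard' rather than 'exact' is a portal name that would have needed a new certificate in my case.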
