Portals with wildcard certificates do not work with Android 10+

Arne Bier
VIP

Hello

It's been a while since I have had to deal with an ISE Portal issue. Today was a struggle to get Android devices to not complain when trying to connect to a simple ISE Hotspot Portal. It was surprising to me that Windows and Apple iOS devices had no issues at all. Cisco 9800-CL controller running 16.12 release and ISE 2.7 patch 3. Simple Hotspot Portal with two PSNs. The Authorization Profile was returned to the client in the form of portal1.company.domain.com or portal2.company.domain.com (depending on which PSN serviced the MAB request) - and the Portal certificate was assigned to a Portal Tag using a wildcard certificate: Subject = *.company.domain.com, SAN = DNS:*.company.domain.com and DNS:company.domain.com - this certificate is used in many other web-based systems without any complaints.

The solution to our Portal problem was to purchase a new certificate that did not contain any wildcards at all. The new cert contained the FQDN of the ISE portal in the Subject Common Name, as well as in the SAN.

The other weird thing was with Oppo phones (also Android based) - these devices plainly refused to authenticate to the SSID until I set Fast Transition (802.11r) to 'Enabled' (I had it disabled to begin with). Normally it's the other way around - fancy features usually prevent devices from connecting.

Maybe this helps someone else who might run into this. Android is going through the teething pains that Apple went through some years ago. And it's enforcing HSTS in a big way.

But the lesson I learned is to request a Portal certificate that contains the exact FQDN of every portal you need - and NO wildcards.

[Attached image: HSTS Horror.png]

1 Reply

Damien Miller
VIP Alumni

Having a wildcard in the CN has always caused me issues with Microsoft machines, so this does not surprise me. Every customer I've used a wildcard cert with, we did so by getting the wildcard entry in as a SAN.

The last year has brought so many certificate changes on the OS side too, it's hard to keep track of it all. Apple no longer accepts a cert with a validity period longer than 397 days if issued after Sept 1, 2020. This was semi-decently communicated, but it also applied to all of the large vendors.

Android also dropped support for SHA-1 certs with a single line in the release notes. Full-time job just keeping up.
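The checks both posts point at, as an added example that is not code from either poster or from Cisco ISE: modern clients (Android, iOS, Chrome) match the hostname against the subjectAltName DNS entries only and ignore the Subject CN, a wildcard is only honoured as the whole leftmost label, and a certificate issued on or after 1 September 2020 with more than 398 days of validity is refused by Apple (398 is Apple's published figure). The certificate dicts below are constructed in the shape that Python's ssl.SSLSocket.getpeercert() returns, using the names from the thread; they are not the real certificates. Under these rules the wildcard SAN does cover portal1 and portal2, so the linter flags the wildcard as a preference finding (the lesson of the first post) and the two-year validity as a hard one; the CN-only wildcard cert described in the reply fails outright because the CN is never consulted.

```python
"""Lint an ISE portal certificate the way a modern client validates it.

Added example. Certificates are plain dicts in the shape returned by
ssl.SSLSocket.getpeercert() (constructed, not the thread's real certs).
"""

import ssl

# Constructed: the original wildcard portal certificate from the thread.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.company.domain.com"),),),
    "subjectAltName": (("DNS", "*.company.domain.com"), ("DNS", "company.domain.com")),
    "notBefore": "Sep  1 00:00:00 2020 GMT",
    "notAfter": "Sep  1 00:00:00 2022 GMT",  # two years, over Apple's 398-day limit
}

# Constructed: a wildcard in the CN only, with no subjectAltName at all.
CN_ONLY_CERT = {
    "subject": ((("commonName", "*.company.domain.com"),),),
    "notBefore": "Sep  1 00:00:00 2020 GMT",
    "notAfter": "Sep  1 00:00:00 2021 GMT",
}

# Constructed: the replacement cert with every portal FQDN listed explicitly.
EXACT_CERT = {
    "subject": ((("commonName", "portal1.company.domain.com"),),),
    "subjectAltName": (
        ("DNS", "portal1.company.domain.com"),
        ("DNS", "portal2.company.domain.com"),
    ),
    "notBefore": "Sep  1 00:00:00 2020 GMT",
    "notAfter": "Sep  1 00:00:00 2021 GMT",
}

# The portal FQDNs the Authorization Profile hands to the client.
PORTALS = ["portal1.company.domain.com", "portal2.company.domain.com"]


def san_dns_names(cert):
    """DNS entries of subjectAltName; the Subject CN is deliberately not used."""
    return [v.lower().rstrip(".") for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def dns_name_matches(pattern, hostname):
    """RFC 6125-style matching as Android/OkHttp and Chrome apply it:
    a wildcard is accepted only as the entire leftmost label, it stands for
    exactly one label, and it never covers the apex or a public suffix level."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False  # partial (f*.example.com) or multiple wildcards rejected
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3:
        return False  # "*.com" is not a usable wildcard
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_accepted(cert, hostname):
    """True if some SAN DNS entry matches; no SAN means rejection, CN or not."""
    return any(dns_name_matches(n, hostname) for n in san_dns_names(cert))


def validity_days(cert):
    """Validity period in days, parsed with the stdlib cert time format."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400


def lint_portal_cert(cert, portals, max_days=398):
    """Return a list of findings; an empty list means the cert is fine."""
    findings = []
    for portal in portals:
        if not hostname_accepted(cert, portal):
            findings.append(f"{portal}: no matching subjectAltName DNS entry")
    if any("*" in n for n in san_dns_names(cert)):
        findings.append("wildcard SAN present: prefer one exact FQDN per portal")
    if validity_days(cert) > max_days:
        findings.append(f"validity {validity_days(cert):.0f} days exceeds {max_days}")
    return findings


if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("cn-only", CN_ONLY_CERT), ("exact", EXACT_CERT)):
        print(label, lint_portal_cert(cert, PORTALS) or ["ok"])
```

To run this against a live portal instead of the constructed dicts, open a TLS connection with ssl.create_default_context() and pass the result of getpeercert() to lint_portal_cert; the dict shape is identical.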
