Problem with sponsored guest portal and its certificate

I have a problem using the sponsored guest portal.
My internal ISE deployment is using a self-signed certificate by our CA server.

The problem is that I have an open SSID for guests, so when they arrive they open their browser and get redirected to the FQDN of the sponsored portal.

They get the "Untrusted website" advisory and I don't like that (SSL problem).

So I was thinking of buying a wildcard SSL certificate from GoDaddy to fix this issue; will it work?

What I understood is that they don't trust the website since they don't have the root cert on their devices, so if I configure a public SSL certificate we should get rid of this SSL problem, right?

Or what would be the best option?

Thanks

Accepted Solution

gbekmezi-DD
Level 5

I don’t think you’d need a wildcard cert for your guest portal. One thing that seems odd about your description is that your guests are being redirected to a sponsor portal. The guests should be redirected to a guest portal. You can have a certificate issued with a CN of guest.company.com and alternate subject names of your ISE PSN FQDNs and bind the certificate to your guest portal. Alternatively, you can do something like guest-01.company.com and guest-02.company.com and then bind that certificate to your ISE guest portals in ISE. If you want to use alternate hostnames you will need to use a second interface and leverage the “ip host” command from the CLI. Refer to https://communities.cisco.com/thread/66845?start=0&tstart=0. Unless something has changed, you cannot assign an alternate hostname to the primary ISE interface.

Having said all that, you could also use a wildcard cert if you feel like the cost and risks are worthwhile.

George
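The browser warning the original poster describes has two independent causes: the issuing CA is not in the guest's trust store, and the hostname the guest is redirected to is not among the names the certificate carries. A public CA fixes the first; the second depends entirely on which names go into the certificate, which is the point of the accepted answer. The following is an added example (not code from the thread or from Cisco) that applies the browser hostname-matching rules from RFC 6125 to a list of portal redirect hostnames, so you can check a planned certificate name list (explicit SANs or a wildcard) before buying it. Browsers consult only the subjectAltName entries once any are present, so the CN should be repeated there. All hostnames and SAN lists below are constructed for illustration; the PSN FQDNs are hypothetical.

```python
"""Check which guest-portal redirect hostnames a certificate's names would cover.

Added example, not part of the thread: a small hostname matcher following the
rules browsers apply to certificate dNSName entries (RFC 6125 section 6.4.3).
All names below are constructed for illustration.
"""
from typing import Dict, List, Optional


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is honoured only as the entire leftmost label ("*.company.com");
    - the wildcard matches exactly one label, so "*.company.com" covers
      "guest-01.company.com" but not "guest.nyc.company.com" or "company.com";
    - a wildcard needs at least two labels after it ("*.com" is rejected).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names: List[str], hostnames: List[str]) -> Dict[str, Optional[str]]:
    """Map each redirect hostname to the certificate name covering it, or None."""
    return {
        host: next((name for name in cert_names if name_matches(name, host)), None)
        for host in hostnames
    }


def uncovered(cert_names: List[str], hostnames: List[str]) -> List[str]:
    """Hostnames that would still produce a name-mismatch warning."""
    return [host for host, name in cert_covers(cert_names, hostnames).items() if name is None]


# Certificate as suggested in the accepted answer: CN plus explicit SANs, no wildcard.
# The PSN FQDNs are hypothetical placeholders.
EXPLICIT_CERT_NAMES = [
    "guest.company.com",        # CN, repeated in the SAN list
    "ise-psn-01.company.com",   # hypothetical PSN FQDN
    "ise-psn-02.company.com",   # hypothetical PSN FQDN
]

# The wildcard alternative discussed in the thread.
WILDCARD_CERT_NAMES = ["*.company.com"]

# Constructed set of hostnames a guest could be redirected to.
REDIRECT_HOSTS = [
    "guest.company.com",
    "guest-01.company.com",
    "ise-psn-01.company.com",
    "guest.nyc.company.com",    # extra label: a single-level wildcard does not cover it
    "company.com",              # bare domain: not covered by "*.company.com" either
]


if __name__ == "__main__":
    for label, names in (("explicit SANs", EXPLICIT_CERT_NAMES), ("wildcard", WILDCARD_CERT_NAMES)):
        print(f"Certificate with {label}: {names}")
        for host, match in cert_covers(names, REDIRECT_HOSTS).items():
            status = f"covered by {match}" if match else "NOT covered (name mismatch warning)"
            print(f"  {host:28s} {status}")
```

Run it as a script to see the side-by-side coverage. The explicit-SAN certificate covers exactly the names you list, so a redirect to `guest-01.company.com` needs that name added (or the static override described later in the thread pointed at a name that is listed); the wildcard covers any single label under `company.com`, which is why the accepted answer weighs its convenience against the cost and the wider exposure of one key that is valid for every host in the domain.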


Just a small correction.  You don't need to use another interface to use alternate hostnames on your guest portal.  You need to use second interfaces only if you want ISE to automatically use those hostnames in the portal redirect.  You can use any hostnames you want using the static override option in the authorization profiles.

Say you have two PSNs you would create two redirect authorization profiles:

ISE1-Redirect has static redirect to guest1.mycompany.com

ISE2-Redirect has static redirect to guest2.mycompany.com

Then you use the Network Access->ISE Hostname in your authorization rules:

If ISE hostname equals ISE-1 then use ISE-1-Redirect authorization profile

If ISE hostname equals ISE-2 then use ISE-2-Redirect authorization profile

Thanks for that clarification Paul. I would generally want the redirection to be dynamic, but you certainly could make it more static and then use a single interface without the need for the ip hostname command right?

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.

Yep, if you use the static override you just need to have as many authorization rules as your ISE guest PSNs to get the traffic back to the PSN that authenticated the session.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Thanks for answering!

I made some changes; I'm now redirecting guests to the Guest portal, but they still have the trust issues. Can I change the portal to HTTP instead so they don't have the trust issues?

Thanks

No, you will need to get a trusted certificate.

ISE portals don’t run via HTTP.

Thanks Jason, that's what I thought. Since it's using a subdomain of my company, I will get a wildcard certificate from GoDaddy or another company that sells SSL certificates.