Sponsor Portal redirect not working?

dizzyGER
Level 1

Hello everyone, 

I haven't found this exact problem here yet, therefore I'm creating a new topic.

Environment:
Cisco ISE 3.3 - Hosted in Azure 2x PSN, 2x PAN/MnT
Every node has its own server certificate from our internal CA.
In addition: One public certificate (DigiCert) for guests.company.com, sponsor.company.com and hotspot.company.com, shared on all nodes. 

The pubCert is assigned to a "Portal group tag" named "CompanyComPortals". 
This "Portal group tag" is used in the sponsor-portal, sponsored guest portal and hotspot portal. 
No access restrictions for user access (Admin>Admin Access>Settings>Access>User Services)

Problem description: 
I've created a sponsor portal for our future wifi solution. 

When I click on "Portal Test URL" I'll get a new tab with "hxxps://10.22.33.44:8453/sponsorportal/PortalSetup.action?portal=3d647c93-3560-4e04-a88e-7db7220f3bd2" - most people, especially not the assistants and secretaries, want to remember IPs and ports.

I've added "sponsor.company.com" as a FQDN in the portal settings and assigned a valid certificate to the portal group. 
DNS settings are set to the IP of my primary PSN. 


When I click "Portal test URL" now I'll only receive a new tab with "sponsor.company.com", without port and without "PortalSetup.action?...".

Multiple problems here:

a.1) I receive a certificate error message, because the requested URL "sponsor.company.com" isn't part of the presented certificate. The ISE presents the wrong certificate to me - the one from the admin portal (internal CA), not the one from the guest/sponsor portals (public CA).

a.2) Major problem: If I manually accept the risk and proceed (holy, not that easy on fully company-managed devices -.-) I receive a valid-looking redirect to something like "hxxps://sponsor.company.com:8453/sponsorportal/PortalSetup.action?portal=3d647c93-3560-4e04-a88e-7db7220f3bd2" - with the right public certificate - BUT it only contains an error message like "an error occurred while accessing the website. please contact your helpdesk.", no matter what browser I use.


b) If I directly open "hxxps://sponsor.company.com:8453" I get redirected to "hxxps://sponsor.company.com:8453/portal/" with a simple 404 - Resource not found.


I could solve problem a.1 by adding sponsor.company.com as a SAN to the company certificate... If that's needed, okay - it won't be a big problem.

But why does my portal not work?

If I can provide any more information, please ask - I'll answer as soon as possible!

Thank you in advance and kind regards,

dizzy


Greg Gibbs
Cisco Employee

This is expected behaviour due to how ISE uses redirection in the Sponsor Portal flow in order to support multiple portals. The following diagram illustrates the basic flow (using the default port 8445) when connecting to the Sponsor Portal.

[Diagram: Sponsor Portal redirection flow on the default port 8445 - image not reproduced]

There are common methods to mitigate this behaviour, including:

1. Include the direct access portal URLs (sponsor.company.com, mydevices.company.com) in the SAN for the Admin cert. This is similar to Model 3 shown in How To Implement Digital Certificates in ISE.

2. Use Wildcard/WildSAN certificates that match both the PSN hostname FQDN and the direct access portal FQDNs.

dizzyGER
Level 1

Hey Greg, 

thanks for the clarification! Our CA/PKI-Admins added the SANs (sponsor.company.com etc.) to the certificate and the pure redirect is working now.

But I still have the "major problem" with my portal... Problem a.2.


[Screenshot: German error page of the sponsor portal - image not reproduced]

German for: "A problem occurred while accessing the website. Please contact the helpdesk."


Any idea what I can do here? 

Just changed the language of my sponsor portal to English, now I receive English error messages, too.

[Screenshot: English error message of the sponsor portal - image not reproduced]

But this shows me that it "tries" to reach my sponsor portal.

dizzyGER
Level 1

Hello everyone,

I found a solution for my problem:

As identity source for this sponsor portal I chose a SAML Id Provider. This SAML app wasn't configured yet.

After changing back to a local identity source, everything is working again. 

Next thing to do is creating the SAML app and re-check, but this topic can be closed by now. 


BTW: Thanks Greg, it was your guide (Azure AD SSO with multiple ISE Portals - Cisco Community) that pushed me in the right direction. Maybe I should have mentioned the SAML auth in my initial posting.