10-04-2018 03:55 AM
Hi all,
When sponsors try to access the sponsor portal via FQDN they are unable to access the site. It works if they use the full URL https://helpmyguest.xxx.com:8550/sponsorportal/PortalSetup.action?portal=5b873480-ba69-11e8-ab53-1e43651b66b5
If I test the portal from within ISE the link fails, and I receive the certificate used on the admin page?
10-04-2018 04:11 AM
That is normal. If your sponsor portal certificate is not the same as the admin certificate then you are going to have issues with the sponsor portal FQDN. If the users go to http://<sponsor FQDN> it will work, but the problem is that ISE supports HSTS, and if the browser supports HSTS, even if they type in http:// it will get changed to https://. The certificate running on port 443 on the ISE node is the admin certificate. So you need to connect to the admin side to get the URL redirect to the full sponsor URL on 8550.
Basically, if you are trying to use the sponsor FQDN you should be using the same certificate for the admin and sponsor portal cert, then everything works fine.
10-04-2018 04:23 AM
10-04-2018 04:25 AM
Yep, your admin cert should have all the one-off type sites you plan to use in your ISE install. I usually do something like:
FQDN of all my ISE nodes
sponsor.mycompany.com
ise-bypass.mycompany.com (for the MyDevices portal I use to allow devices onto the network)
mydevices.mycompany.com (to allow for BYOD use cases)
10-04-2018 04:30 AM
10-04-2018 04:41 AM
Wildcard is fine. I haven't read the guides in years, but I doubt this issue is called out. The issue you are seeing is really an unintended side effect of ISE supporting HSTS. If ISE didn't support HSTS then you could tell your sponsor to go to http://sponsor.mycompany.com and everything would work perfectly.
10-05-2018 01:39 AM
05-24-2024 11:39 AM
Thank you Paul! We started getting HSTS errors with the portals on a new 3.x deployment. We neglected to check ADMIN on the PSN nodes for our signed cert. Admin (where the redirect happens) and the portal therefore were not using the same certificate.
Once we checked that both were using the same, our HSTS issue was resolved. Hope this detail might help others.
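An added example, not part of the original thread and not Cisco tooling: a name-coverage check for the point made above, that the certificate presented on 443 (admin) must be valid for every portal FQDN once HSTS forces https://. The SAN lists and node names are constructed, it checks names only (not trust chain or expiry), and the wildcard rule is the standard single-label match.

```python
# Added example. SAN lists and node names are constructed; portal FQDNs and
# port 8550 are the ones mentioned in the thread.

def san_matches(san, host):
    """Match one dNSName SAN entry against a hostname (RFC 6125 rules)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    # A wildcard stands for exactly one left-most label:
    # *.a.com covers x.a.com, but not a.com and not x.y.a.com.
    head, _, rest = host.partition(".")
    return bool(head) and rest == san[2:]

def uncovered(sans, hosts):
    """Hostnames that no SAN entry on this certificate covers."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]

def check_listeners(listeners, hosts):
    """Map each listener to the portal FQDNs its certificate does not cover."""
    return {name: uncovered(sans, hosts) for name, sans in listeners.items()}

PORTAL_FQDNS = ["sponsor.mycompany.com", "ise-bypass.mycompany.com",
                "mydevices.mycompany.com"]
NODE_FQDNS = ["ise-pan1.mycompany.com", "ise-psn1.mycompany.com"]  # constructed

# Separate certs: HTTPS on 443 presents a cert that names only the nodes.
SPLIT = {"admin:443": NODE_FQDNS, "portal:8550": ["sponsor.mycompany.com"]}
# One cert for both roles, listing nodes and portal names.
SHARED = {"admin:443": NODE_FQDNS + PORTAL_FQDNS,
          "portal:8550": NODE_FQDNS + PORTAL_FQDNS}
# One wildcard cert for both roles.
WILDCARD = {"admin:443": ["*.mycompany.com"], "portal:8550": ["*.mycompany.com"]}

if __name__ == "__main__":
    for label, listeners in [("split", SPLIT), ("shared", SHARED),
                             ("wildcard", WILDCARD)]:
        for name, missing in check_listeners(listeners, PORTAL_FQDNS).items():
            print(f"{label:9}{name:12}", "OK" if not missing else f"missing {missing}")
```

A wildcard does not cover deeper names such as sponsor.guest.mycompany.com, so a portal FQDN with an extra label still needs its own SAN entry.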