Solved: Android clients failing SSL cert through captive portal

MP_Linc · ‎06-14-2019

I have an ISE 2.4 Patch 8 setup where I'm running 3 different captive portals which all use the same certificate. I have installed the root CA as well as both intermediates in the chain in my trusted store from AddTrust. My ssl cert that is placed for my cwa has 5 san fields which represent both ISE nodes DNS names as well as the DNS names of my web portals.

Now I've been having an issue specifically with Android clients in my environment correctly joining any of my two guest portals, they are bombarded with an SSL error that the cert is not valid, what I do is open the connection in a browser and I can see the DNS name at the top of the page I validate the cert and it's referencing the ISE box itself as if it's attempting to go against the cert I have appended to the admin login vs the portal login. For example my portal is specified as guest.domain.com:8540/[portal url] however when I view it in the browser I see the same URL but an invalid cert. If I choose to ignore the error and continue anyway, proceed to login and connect to the network, when I check the Wi-Fi connection settings for the SSID I'm attached to and click on the "manage router" field which redirects me to the FQDN of my portal I see that the certificate is valid and there is no issue.

So my question is this and if anyone has figured out the solution because I haven't found much help online thus far, why does Android not see the certificate when it first attempts to reach the portal but it does see the cert after it's already authenticated and has internet? When I'm using my iPhone to test against the portals I have no issue, no cert error or a mandatory trust that must be made to reach the captive portal. Is there something I'm missing between the Android not working vs the iPhone? Also this does work with a windows 10 machine as I also tested it in Internet Explorer to make sure it wasn't me going crazy.

hslai · ‎06-24-2019

Two things to check:

If only ISE 2.4 Patch 8 with this issue, then you could be hitting CSCvp75207
As your cert chain has AddTrust, it could be cross-signed and might have some compatibility issues for some use cases.

Additionally, you mentioned "... I validate the cert and it's referencing the ISE box itself as if it's attempting to go against the cert I have appended to the admin login vs the portal login. ..." If your deployment has a different certificate for ISE admin portals from that for ISE guest portals, it would be good to either perform a packet capture and verify that the address and port requested and the certificate chain sent from ISE to the clients.

If the above not helping at all, I would suggest you to check with Android support forum. Or, open a case with Cisco support and provide other detailed info, such as specific Android device makes and models and Android OS versions, in order to troubleshoot further.

View solution in original post

hslai · ‎06-24-2019

Two things to check:

If only ISE 2.4 Patch 8 with this issue, then you could be hitting CSCvp75207
As your cert chain has AddTrust, it could be cross-signed and might have some compatibility issues for some use cases.

Additionally, you mentioned "... I validate the cert and it's referencing the ISE box itself as if it's attempting to go against the cert I have appended to the admin login vs the portal login. ..." If your deployment has a different certificate for ISE admin portals from that for ISE guest portals, it would be good to either perform a packet capture and verify that the address and port requested and the certificate chain sent from ISE to the clients.

If the above not helping at all, I would suggest you to check with Android support forum. Or, open a case with Cisco support and provide other detailed info, such as specific Android device makes and models and Android OS versions, in order to troubleshoot further.