Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3159
Views
0
Helpful
1
Replies

Cisco ISE Guest Portal and certificate public

ivan.martin
Level 1
Level 1

‎03-14-2018 09:50 PM - edited ‎02-21-2020 10:48 AM

Hi my name is Ivan, 

I have a guest service por auto register for guest users in wired and wireless access. My customer needs to install a certificate public (digicert) into the web page of guest portal. When i try to install this certificate like a tag certificate to associate the tag with guest portal, all the device android show an error in the certificate:  "Untrusted Certificate"

The web page of the redirection names: https://portalguest.mydomain.com;8443,

I have a deployment distribuited, and my psn's name is psn.mydomain.com

In the result of authorization show: https://portalguest.mydomain.com;8443

 

And the csr of the certificate is: https://portalguest.mydomain.com;8443,

 

My question is: Does i should change the name of the portal service for psn.mydomain.com to avoid any issues in the redirection and the certificates?

 

Thank you for your answer.

 

Regards,

Labels:
0 Helpful
1 Reply 1

Arne Bier
VIP
VIP

‎03-14-2018 10:19 PM

Hi Ivan

 

How many PSN's do you have that are running the Session Services (i.e. Radius&WebAuth) ?

 

Can you double check the public cert you received?  You can run it through openssl

openssl x509 -in yourcertfile.pem -text

 

And then look at the Subject and SAN fields.  If you have more than one PSN, you can do one of two things

1) if you don't have a load balancer and you can expect two or more PSN's will reply to the web auth request, then put the server's FQDN hostname into the SAN field as a DNS entry.  e.g.
DNS: psn1.mydomain.com

DNS: psn2.mydomain.com

And then the Subject CN is actually ignored and irrelevant.  Browsers will always look at the SAN if present, and then ignore the Subject CN.

2) If you have a load balancer, then you can configure ISE to hard code the FQDN that is returned during the Authorization Profile web redirection.  There is a checkbox called "Static IP/Hostname/FQDN"  You will enter portalguest.mydomain.com

And now, every PSN will return the same FQDN in the redirection string. And now also, your cert only needs to contain the portalguest.mydomain.com in the Subject/SAN field.  It is also cheaper, because CA's charge extra to append the SAN entries (in most cases). 

But the load balancer approach is more complex.  For a complete deep dive on this see Craig Hyps CiscoLive session called BRKSEC-3699 - it's an amazing treasure trove of facts.  Get the large PDF versin (500 pages or more)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents