Cisco ISE - Guest portal Cert query

DanWeinstock909
Level 1

I have a brief question regarding the Cisco ISE appliance and guest portal certs.

Ideally, in my customer environment we want to hide our infrastructure, hence the below...

Summary

  • Guest Web authentication is working through the controller and then passed onto the ISE server
  • The business would like to remove the ‘untrusted certification error’ that users are getting when they login
  • On the controller I can set the ‘FQDN’ via the virtual interface and apply/obtain a public cert for that name.

Challenge

  • Currently the ‘hostname’ of the ISE server is ‘prod-net-ise01’ (that is the mgmt name of the device)
  • I can only seem to generate a cert for the ‘hostname’ of the device, and that will not hide what it is.

Is it possible to apply an HTTP/HTTPS public cert on the ISE server with a FQDN that does not match the hostname?

i.e. similar to the way that the controller does it.

If not, then what would the process be to change the ‘hostname’ of the ISE device? Can that only be done via the CLI?

Appreciate any help or pointing me in the right direction.

8 Replies

JASON BOYERS
Level 5

I just tried to use a wildcard certificate, and received the error message that the "Management certificate must contain host FQDN in CN component of Subject field." This is a HUGE issue. Currently, I can use wildcard certs on the WLCs without an issue. And, I can import a separate one for web logins from the one used for management. ISE really needs to have the ability to import a separate, non-"Management" certificate just used for "Guest" logins. Not sure if that is part of the blueprint for ISE 1.2, but it needs to be.

surzn
Level 1

I am having a similar issue, which is for the sponsor portal, not for the guest portal, because we put the guest portal on the WLC.

In ISE 1.1, an option for the sponsor portal FQDN is found in the general options. However, it does not seem to be working.

I've opened a TAC case; the Cisco engineer said he turned to the developers for further checking.

Hopefully it can be addressed next week.

Sent from Cisco Technical Support iPhone App

It's confirmed as not supported in the current version, sadly.

We have to change the hostname...

Sent from Cisco Technical Support iPad App

This last week at CiscoLive, I heard that there may be a workaround using Subject Alternate Names in the certificate. Now, this is not something that can be done using the CSR from ISE. I'm waiting for some documentation on the process, but I at least have a little bit of hope.

Hi Jason,

If you get an update related to Subject Alternate Names, could you post the information? I'm also interested in this functionality to fix the issue, so that we can give the appliance multiple certificates with other domain names.

Regards,

Sander

aman.diwakar
Level 1

bikespace
Level 1

I don't believe there's an easy way around this currently. The URL for the PSN is created dynamically and is always the real hostname of the PSN node. If you have the luxury of multiple appliances (or VMware partitions) available, then you can have a couple of your PSNs dedicated to guest (and maybe sponsor) access. These can then be on separate (more covert) hostnames and even on a separate domain, so that guest users don't see your internal domain. For split domains you will need at least 1.1.1 patch 4 (unless you can use a DNS bodge, which we have tested).

Hi Aman and Bikespace,

For the record: I have the documentation, and the SAN field isn't resolving the issue for multiple domain names. Although you can specify other hostnames, they are still in the same domain suffix.

As Bikespace mentioned, the problem can be resolved in this way.

Set up a deployment with two ISE nodes. Take a VM and build it for DMZ purposes. You can install a PSN with another DNS suffix. As long as these domain names are resolvable in the DNS deployment, it will work. I've built this and it works with 1.1.2 patch 2. I thought this would be a problem for the AD agent on the PSN, with a different DNS suffix than the real Domain Controller in the Active Directory domain, but it isn't; it will work.

Extra tip: you can't register a 'real' certificate on a fake DNS name, so .local and .lan should be denied by your CA. So the solution above is the only solution for now. Also, the problem lies in ISE: you can't install another certificate that differs from the hostname+suffix of the PSN node. I would prefer that Cisco solve this issue like the behavior in the Cisco ASA.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml

Or on the same interface with different ports! It shouldn't be so hard for Cisco to implement this.
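As an added illustration (not code from the thread, from Cisco, or from ISE itself), the following Python models the two different name checks the replies above keep running into: the browser's hostname match on the guest portal URL, and the strict "CN must equal the node FQDN" rule behind the import error Jason quotes. All names other than prod-net-ise01 are constructed placeholders, and the three scenarios stand for Jason's wildcard cert, Sander's SAN attempt, and the dedicated DMZ PSN bikespace and Sander describe.

```python
from dataclasses import dataclass, field

INTERNAL_SUFFIX = ".corp.example"   # constructed stand-in for the internal AD domain
PUBLIC_NAME = "guest.example.net"   # constructed public name guests should see


@dataclass
class CertNames:
    cn: str
    sans: list = field(default_factory=list)   # DNS entries of subjectAltName


def label_match(pattern: str, host: str) -> bool:
    """Browser-style match (RFC 6125): '*' covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    return len(p) == len(h) and p[1:] == h[1:]


def browser_accepts(cert: CertNames, url_host: str) -> bool:
    """What the guest's browser validates: SAN entries when present, otherwise the CN."""
    return any(label_match(n, url_host) for n in (cert.sans or [cert.cn]))


def ise_management_check(cert: CertNames, node_fqdn: str) -> bool:
    """Rule behind 'Management certificate must contain host FQDN in CN component':
    the CN must equal the node's real FQDN; wildcards and SANs do not satisfy it."""
    return cert.cn.lower().rstrip(".") == node_fqdn.lower().rstrip(".")


# (certificate, real PSN hostname) for the situations described in the thread. The portal
# URL always carries the real PSN hostname, so that is the name the browser checks.
NODE = "prod-net-ise01" + INTERNAL_SUFFIX
SCENARIOS = {
    "wildcard": (CertNames(cn="*" + INTERNAL_SUFFIX), NODE),                  # Jason
    "san_other_domain": (CertNames(cn=NODE, sans=[NODE, PUBLIC_NAME]), NODE),  # Sander
    "dmz_psn": (CertNames(cn=PUBLIC_NAME), PUBLIC_NAME),                       # bikespace/Sander
}


def evaluate(name: str) -> dict:
    cert, node_fqdn = SCENARIOS[name]
    return {
        "ise_import_ok": ise_management_check(cert, node_fqdn),
        "no_browser_warning": browser_accepts(cert, node_fqdn),
        "url_exposes_internal_domain": node_fqdn.endswith(INTERNAL_SUFFIX),
    }
```

Only the DMZ PSN scenario passes all three checks, which is the point made above: the portal URL is built from the node's real hostname, so the cert name problem is solved by giving the portal node a public hostname, not by adding names to the cert.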