01-12-2012 07:16 PM - edited 03-10-2019 06:43 PM
I have a brief question regarding the Cisco ISE appliance and guest portal certs.
Ideally, in my customer environment, we want to hide our infrastructure, hence the below...
Summary
Challenge
Is it possible to apply an HTTP/HTTPS public cert on the ISE server with an FQDN that does not match the hostname?
i.e. similar to the way that the controller does it.
If not, what would the process be to change the 'hostname' of the ISE device? Can that only be done via the CLI?
Appreciate any help or pointing me in the right direction.
05-23-2012 06:14 AM
I just tried to use a wildcard certificate, and received the error message that the "Management certificate must contain host FQDN in CN component of Subject field." This is a HUGE issue. Currently, I can use wildcard certs on the WLCs without an issue. And, I can import a separate one for web logins from the one used for management. ISE really needs to have the ability to import a separate, non-"Management" certificate just used for "Guest" logins. Not sure if that is part of the blueprint for ISE 1.2, but it needs to be.
06-03-2012 01:07 AM
I am running into a similar issue, which is for the sponsor portal, not the guest portal, because we put the guest portal on the WLC.
In ISE 1.1, an option for the sponsor portal FQDN is found in the general options. However, it does not seem to work.
I've opened a TAC case; the Cisco engineer said he has turned to the developers for further checking.
Hopefully it can be addressed next week.
Sent from Cisco Technical Support iPhone App
06-16-2012 09:36 PM
It's confirmed as not supported in the current version, sadly.
We have to change the host name...
Sent from Cisco Technical Support iPad App
06-17-2012 06:14 AM
This last week at CiscoLive, I heard that there may be a workaround using Subject Alternate Names in the certificate. Now, this is not something that can be done using the CSR from ISE. I'm waiting for some documentation on the process, but I at least have a little bit of hope.
06-18-2012 02:50 AM
Hi Jason,
If you got an update related to Subject Alternate Names could you post the information? I'm also interested in this functionality to fix the issue so that we can give the appliance multiple certificates with other domain names.
Regards,
Sander
03-05-2013 02:25 PM
This question has been answered here:
http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bd0953.shtml
03-06-2013 03:11 AM
I don't believe there's an easy way around this currently. The URL for the PSN is created dynamically and is always the real hostname of the PSN node. If you have the luxury of multiple appliances (or VMWare partitions) available, then you can have a couple of your PSNs dedicated to guest (and maybe sponsor) access. These can then be on separate (more covert) hostnames and even on a separate domain so that guest users don't see your internal domain. For split domains you will need at least 1.1.1 patch 4 (unless you can use a DNS bodge, which we have tested).
03-07-2013 12:45 AM
Hi Aman and Bikspace,
For the record: I have the documentation, and the SAN field isn't resolving the issue for multiple domain names. Although you can specify other hostnames, they are still in the same domain suffix.
As Bikespace mentioned, the problem can be resolved in this way.
Set up a deployment with two ISE nodes. Bring up a VM and build it for the DMZ. You can install a PSN with another DNS suffix. As long as these domain names are resolvable in the DNS deployment, it will work. I've built this and it works with 1.1.2 patch 2. I thought this would be a problem for the AD agent on the PSN having a DNS suffix other than that of the real Domain Controller in the Active Directory domain, but it isn't; it will work.
Extra tip: you can't register a 'real' certificate on a fake DNS name, so .local and .lan should be denied by your CA. So the solution above is the only solution for now. Also, the problem lies in ISE: you can't install another certificate that is different from the hostname+suffix of the PSN node. I'd prefer that Cisco solve this issue like the behaviour in the Cisco ASA:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml
or on the same interface with different ports! It shouldn't be so hard for Cisco to implement this.
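To make the two rules in this thread concrete (ISE's "management certificate must contain host FQDN in CN" check versus the CN/SAN matching a guest's browser performs at the portal URL), here is an added illustration; it is not code from Cisco or from anyone in the thread, the certificate fields are supplied as constructed strings rather than parsed from a real certificate, and the hostnames are made-up examples.

```python
"""
Hostname-matching checks for an ISE guest/sponsor portal certificate.

Two rules are modelled:
  1. ISE management-certificate rule (per the error quoted in the thread):
     the Subject CN must equal the node's own FQDN; a wildcard CN fails.
  2. Browser rule at the portal URL: the URL host must match the CN or a
     SAN dNSName; a wildcard is allowed only as the left-most label and
     covers exactly one label.
Certificate identity is given as plain strings (constructed sample data);
no DER/X.509 parsing is performed here.
"""
from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    cn: str                                   # Subject CN
    sans: list[str] = field(default_factory=list)  # SAN dNSName entries


def _name_match(pattern: str, host: str) -> bool:
    # Case-insensitive DNS comparison; '*' may only be the whole left-most
    # label and matches a single label (so *.corp.example does not cover
    # a.b.corp.example). Wildcards directly under a TLD are rejected.
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    h_labels = h.split(".")
    return len(h_labels) >= 3 and ".".join(h_labels[1:]) == p[2:]


def browser_accepts(cert: CertIdentity, url_fqdn: str) -> bool:
    # When SANs are present they are authoritative; CN is the legacy fallback.
    names = cert.sans if cert.sans else [cert.cn]
    return any(_name_match(n, url_fqdn) for n in names)


def ise_management_cert_ok(cert: CertIdentity, node_fqdn: str) -> bool:
    # Mirrors the thread's error: CN must be the node FQDN, no wildcard.
    return "*" not in cert.cn and cert.cn.lower() == node_fqdn.lower()


def portal_check(cert: CertIdentity, node_fqdn: str, portal_fqdn: str) -> dict:
    # Combined view: will ISE import the cert, and would a guest's browser
    # trust it at the (possibly different) name exposed for the portal?
    return {
        "ise_accepts": ise_management_cert_ok(cert, node_fqdn),
        "browser_trusts_portal_name": browser_accepts(cert, portal_fqdn),
    }
```

Run `portal_check` with a wildcard CN to see why a cert that works on the WLC is refused by ISE, and with an exact CN plus SANs to see which portal names a browser would accept.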