cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
471
Views
0
Helpful
2
Replies
Highlighted
Beginner

ISE 2.0 Cert Chain Android

I recently updated a couple certs on our ISE server. I applied the same cert to the default portal policy as well as EAP Authentication. We went from an OV cert to an EV cert which required an intermediate cert to be installed to the ISE server. I am not having any problems with anything except the Guest Portal on Android.

 

What is happening is the Certificate chain is not complete on the android devices. All laptops are listing it as valid cert as they are listing the root and intermediate certs. I can manually install the intermediate cert on my android devices and have it show as valid, however that should not be needed as it is installed on the ISE server.

 

On top of that problem, we are recieving the portal redirect page (connectivitycheck.gstatic.com) and no portal. The only way I have been able to get around this is by clicking "connect as is" and open chrome; I then navigate to "connectivitycheck.gstatic.com". Then I am redirected to the correct Guest Portal.

 

Any help is appreciated

Thank you

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Engager

Re: ISE 2.0 Cert Chain Android

I believe your issue could possibly stem from the certificate issue you are facing. Does the redirect work after you manually install the intermediate certificate on the device? If so then I will point you to this known issue.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj04703/

Now as for the certificate issue you have. You are seeing a legitimate invalid certificate warning if the intermediate certificate is missing from Android. Having the root and intermediate installed on the ISE server only allows the ISE deployment to trust that certificate. The trust store on the device, in this case Android, has to have the complete certificate chain installed to trust the issuer, both root and any intermediates doing the signing.
2 REPLIES 2
VIP Engager

Re: ISE 2.0 Cert Chain Android

I believe your issue could possibly stem from the certificate issue you are facing. Does the redirect work after you manually install the intermediate certificate on the device? If so then I will point you to this known issue.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj04703/

Now as for the certificate issue you have. You are seeing a legitimate invalid certificate warning if the intermediate certificate is missing from Android. Having the root and intermediate installed on the ISE server only allows the ISE deployment to trust that certificate. The trust store on the device, in this case Android, has to have the complete certificate chain installed to trust the issuer, both root and any intermediates doing the signing.

Re: ISE 2.0 Cert Chain Android

Hi Matt

 

We're experiencing the exact same problem, though not limited to Android, but all devices that uses Google Chrome. The workaround, until we have found a prober solution, is to use other browsers than Google Chrome.

 

Best regards

 

Ditlev