Participant

ISE 2.1 guest portal - certificate required???

Is it absolutely necessary to redirect guests to a secure site for our wifi guest portal?  Can we just avoid any client certificate issues by using a regular http url in the redirect?  We are not authenticating guests in any way, just asking them to acknowledge an AUP.

 

Thanks.

 

John

14 Replies

ajc Frequent Contributor

Re: ISE 2.1 guest portal - certificate required???

If you do NOT need guest authentication at all, USE the Hotspot Portal instead of the Guest Portal. The Hotspot Portal only presents the AUP page and assigns the MAC addresses of the guest devices to a specific Endpoint Group.

 

I am assuming that your guest subnet is totally isolated from your production environment so only accepting the AUP would be enough.

 

The certificate applies to all the Portals. This certificate can be the one self-signed by ISE or the custom one you uploaded to the box. So you cannot avoid it.

Participant

Re: ISE 2.1 guest portal - certificate required???

Thanks Abraham.

 

I am indeed using what's labelled as the Hotspot Guest Portal (default).

 

We currently have it set up to redirect the client to an AUP page on a secure public FQDN.  This works until a client doesn't recognize the root CA of our installed certificate.  To avoid these issues, which we cannot control, we thought about maybe not even using a secure site for the AUP.  Is this possible?

ajc Frequent Contributor

Re: ISE 2.1 guest portal - certificate required??? (accepted solution)

What CA signed your hotspot portal cert? I do not think you can do anything, because the hotspot portal is HTTPS-mandatory, which requires a certificate group tag.

Participant

Re: ISE 2.1 guest portal - certificate required???

The cert we are using on the portal was issued by GeoTrust RSA CA 2018.

RJI VIP Advisor

Re: ISE 2.1 guest portal - certificate required???

Hi,
GeoTrust is a public CA, so it should be trusted by the majority of browsers. Is the FQDN/CN of the certificate correct? Is that the issue here?

As Abraham previously mentioned, I don't believe you can use the portal without a certificate.
Participant

Re: ISE 2.1 guest portal - certificate required???

OK thanks guys....

Then perhaps I did something wrong when I installed the new certificate.  The complaints from our guests seem to have started after I installed the new cert.

Is there something else I should have done besides just installing the new cert to the appropriate ISE PSNs?

Everything seemed to be working fine with the old cert that was installed.

 

Thanks.

 

John

ajc Frequent Contributor

Re: ISE 2.1 guest portal - certificate required???

I suspect you probably missed the Subject Alternative Name on the new certificate, so that all the FQDNs for each node in the deployment were included in that cert.

Participant

Re: ISE 2.1 guest portal - certificate required???

Thanks Abraham,

 

I checked the cert and the SAN has the public FQDN listed, not the FQDNs of the ISE PSNs.

 

 
Actually, looking at this more, I think the certs are installed and working correctly.  I am troubleshooting with an older Google Nexus 6 phone running Android 7.1.1.
When it first detects our guest wifi, it prompts "Sign in to Wi-Fi Network".  When I click that, it does a captive portal detection check and then complains that there is something wrong with our site's security. Note that this is not done within Chrome; it is some other app with browsing capabilities.  The URL at the top of the window being referenced is our public FQDN, as expected.  When I click to continue with the web browser, Chrome launches our AUP page correctly and recognizes the certificate without issue. From here I accept the AUP and am able to connect to the wifi.
 
For whatever reason, that captive portal detection app does not like our site cert, and yet Chrome does.  I guess there is nothing we can do on the ISE side of things to correct this issue... would you concur?

Thanks.
 
John
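The behaviour John describes, a sign-in helper rejecting a certificate that Chrome accepts, is what a captive-portal client's own validation looks like from the outside. The block below is an added example, not ISE code and not anything posted in this thread: it reproduces the two checks that most often separate the two outcomes, hostname matching against the SAN list (current clients ignore the CN, so the friendly name and CN discussed later in the thread matter less than the SAN entries) and completeness of the chain the server actually sends (a helper that does not chase AIA links cannot recover a missing intermediate, whereas a full browser may fetch it). The hostnames guest.example.org and www.example.org, the CA names "Example Issuing CA" and "Example Root CA", and the function names are constructed for the example; the dictionaries mimic the layout Python's ssl.SSLSocket.getpeercert() returns so the same functions can be pointed at a live handshake.

```python
"""Client-side certificate checks a captive-portal helper applies to a guest
portal. Added example; hostnames, CA names and helper names are constructed."""
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Name layout used by ssl.SSLSocket.getpeercert(): a tuple of RDNs, each a
# tuple of (attribute, value) pairs.
Name = Tuple[Tuple[Tuple[str, str], ...], ...]
Cert = Dict[str, Any]


def rdn_value(name: Name, attr: str) -> Optional[str]:
    """First value of `attr` (e.g. 'commonName') in a getpeercert() name."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def san_dns_names(cert: Cert) -> List[str]:
    """All dNSName entries of subjectAltName, lower-cased."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive, wildcard honoured only as the
    whole leftmost label, and never on a two-label name such as '*.org'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if "*" in pattern:
        if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert: Cert, hostname: str, allow_cn_fallback: bool = False) -> bool:
    """Match the portal FQDN the way current clients do: against SAN dNSNames.
    The CN is consulted only when the cert carries no SAN at all and the caller
    opts into that legacy behaviour; current browsers no longer do."""
    sans = san_dns_names(cert)
    if sans:
        return any(dns_name_matches(p, hostname) for p in sans)
    cn = rdn_value(cert["subject"], "commonName")
    return bool(allow_cn_fallback and cn and dns_name_matches(cn, hostname))


def chain_is_complete(chain: List[Cert], trusted_roots: Iterable[Name]) -> Tuple[bool, str]:
    """Walk the chain as sent (leaf first) and stop at the first gap. A helper
    with no AIA fetching cannot repair a missing intermediate, so every
    intermediate must be on the wire."""
    roots = set(trusted_roots)
    for i, cert in enumerate(chain):
        issuer = cert["issuer"]
        if issuer in roots:
            return True, f"chain reaches a trusted root after {i + 1} certificate(s)"
        if i + 1 == len(chain):
            return False, (f"issuer {rdn_value(issuer, 'commonName')!r} of certificate "
                           f"{i + 1} was not sent and is not a trusted root")
        if chain[i + 1]["subject"] != issuer:
            return False, (f"certificate {i + 1} was issued by "
                           f"{rdn_value(issuer, 'commonName')!r} but certificate {i + 2} "
                           f"is {rdn_value(chain[i + 1]['subject'], 'commonName')!r}")
    return False, "no certificate presented"


def make_name(cn: str) -> Name:
    return ((("commonName", cn),),)


# Constructed sample chain (not the poster's real certificates).
ROOT_NAME = make_name("Example Root CA")  # present in the client's trust store
INTERMEDIATE: Cert = {"subject": make_name("Example Issuing CA"), "issuer": ROOT_NAME}
LEAF: Cert = {
    "subject": make_name("guest.example.org"),
    "issuer": INTERMEDIATE["subject"],
    "subjectAltName": (("DNS", "guest.example.org"), ("DNS", "www.example.org")),
}
TRUSTED_ROOTS = [ROOT_NAME]


def check_portal(chain: List[Cert], hostname: str, trusted_roots: Iterable[Name]) -> Dict[str, Any]:
    """Both checks together, as a helper would apply them to one TLS handshake."""
    ok_chain, why = chain_is_complete(chain, trusted_roots)
    return {
        "hostname_ok": bool(chain) and hostname_matches(chain[0], hostname),
        "chain_ok": ok_chain,
        "chain_note": why,
    }


if __name__ == "__main__":
    # Server sends leaf + intermediate: both checks pass.
    print(check_portal([LEAF, INTERMEDIATE], "guest.example.org", TRUSTED_ROOTS))
    # Server sends only the leaf: hostname still fine, the chain check fails.
    print(check_portal([LEAF], "guest.example.org", TRUSTED_ROOTS))
```

To see what the portal really serves, run `openssl s_client -connect <portal-fqdn>:8443 -servername <portal-fqdn> -showcerts` from the guest VLAN (8443 is the default ISE portal port) and count the certificates in the output: a leaf with no intermediate following it is the condition chain_is_complete() flags, and the `subjectAltName` line of the leaf is what hostname_matches() reads.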
ajc Frequent Contributor

Re: ISE 2.1 guest portal - certificate required???

Hi John,

 

I experienced a lot of issues when I was playing with the public signed certs for the Portals. I had problems with the Certificate Portal Tag. Not sure if that is related to your issue. In any case, I have some questions:

 

-How did you upload the new cert into EACH node of the deployment using the Primary PAN IMPORT button?

-Is the new cert using the same CERTIFICATE PORTAL TAG or a New one?

-Are your portals pointing to the NEW CERTIFICATE PORTAL TAG if the old one was replaced?

-Are you using the same CA authority to sign the Portal Certificate or this is a new one?

-Could you post the Trusted Certificate store showing the old certificate and the new one?

 

thanks

 

 

Participant

Re: ISE 2.1 guest portal - certificate required???

Hi Abraham,

 

I imported the cert from the Admin - System - Certificates - System Certificates page in the web console of ISE 2.1.  I used the import button and imported the cert onto each of the 3 PSNs that may host the portal (only one PSN hosts it currently).  I did NOT install the cert on the PANs, however, as I didn't think it was needed, and I'm pretty sure the old cert wasn't installed there either.

 

The new cert is using the same Default Portal Certificate Group tag as the old cert did.  I have removed the old expired cert from the system by the way.  Here is what the current entry looks like on each PSN:

[Screenshot: CertEntry.PNG]

Although I don't remember for sure, I do believe this cert is from a different CA.  I should add that I have also installed the CA's intermediate and root certificates under Trusted Certificates.  The cert being used can be viewed on our website at https://www.hsnsudbury.ca 

 

A snapshot of our Trusted cert store is provided below, with our internal CA info blacked out.

[Screenshot: TrustedStore.PNG]

The old certificate was issued by GeoTrust DV SSL CA - G3 from GeoTrust Global CA

I hope this info is helpful.

 

Thanks very much for taking the time to assist.

 

John

Participant

Re: ISE 2.1 guest portal - certificate required???

I should also add that I was just reviewing this guide at https://communities.cisco.com/docs/DOC-68169 and I see where it says to issue a CSR from ISE in order to obtain the cert and then bind the cert to the CSR.  I did not do this.  Could this be my problem?  I didn't do this with the old cert either.

The cert that is being used on ISE is the same one used for our website referenced in my previous post.

Is this a problem do you think??

 

Thanks.

 

John

ajc Frequent Contributor

Re: ISE 2.1 guest portal - certificate required???

Hi John,

 

Could you please edit the certificate for the Portal and post the CN. The screenshot that you posted before is something called the FRIENDLY NAME and is not necessarily the CN value. The CN of that certificate should be, for example, the Primary PAN hostname + domain, and it should also have all the CNs for each PSN node, including the sponsor portal and guest FQDN. See next.

 

[Screenshots: portalcert.png, portalcert1.png]

 

 

 

 

Participant

Re: ISE 2.1 guest portal - certificate required???

For my guest portal cert only, the CN and SANs are shown below:

[Screenshot: CN SAN.PNG]

And the cert usage for the same cert is shown below:

[Screenshot: Cert Usage.PNG]

ajc Frequent Contributor

Re: ISE 2.1 guest portal - certificate required???

Everything looks fine, but please check each PSN from Primary PAN > System Certificates > PSN Node > New Certificate (Used by = Portal, Portal Group Tag = Default Portal Certificate Group).

 

When the new certificate is added to the Primary PAN for the Portal USE with the default tag, it is not replicated to the rest. You have to manually add it to each node.