This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
Is it absolutely necessary to redirect guests to a secure site for our wifi guest portal? Can we just avoid any client certificate issues by using a regular http url in the redirect? We are not authenticating guests in any way, just asking them to acknowledge an AUP.
Solved! Go to Solution.
If you do NOT need guest authentication at all. USE Hotspot Portal instead of Guest Portal. Hotspot portal only presents the AUP page and assigns those MAC address from the guest devices into an specific Endpoint Group.
I am assuming that your guest subnet is totally isolated from your production environment so only accepting the AUP would be enough.
The certificate applies for all the Portals. This certificate can be the self-signed by ISE or the customized you uploaded to the box. So you cannot avoid it.
I am indeed using whats labelled as the Hotspot Guest Portal (default).
We currently have it set up to redirect the client to and AUP page on a secure public fqdn. This works until a client doesn't recognize the root CA of our installed certificate. To avoid these issue which we cannot control, we thought about maybe not even using a secure site for the AUP. Is this possible?
OK thanks guys....
Then perhaps I did something wrong when I installed the new certificate. The complaints from our guests seem to have started after I installed the new cert.
Is there something else I should have done besides just installing the new cert to the appropriate ISE PSNs?
Everything seemed to be working fine with the old cert that was installed.
I suspect you probably missed the Subject Alternative Name on the new certificate so all the FQDN names for each node in the deployment was included into that cert.
I checked the cert and the SAN has the public FQDN listed, not the FQDNs of the ISE PSNs.
I experienced a lot of issues when I was playing with the public signed certs for the Portals. I had problems with the Certificate Portal Tag. Not sure if that is related to your issue. In any case, I have some questions:
-How did you upload the new cert into EACH node of the deployment using the Primary PAN IMPORT button?
-Is the new cert using the same CERTIFICATE PORTAL TAG or a New one?
-Are your portals pointing to the NEW CERTIFICATE PORTAL TAG if the old one was replaced?
-Are you using the same CA authority to sign the Portal Certificate or this is a new one?
-Could you post the Trusted Certificate store showing the old certificate and the new one?
I imported the cert from the Admin - System - Certficates - System Certificates page in the web console of ISE 2.1. I used the import button and imported the cert onto each of 3 PSNs that may host the portal (only one PSN hosts it currently). I did NOT install the cert on the PANs however as I didn't think it was needed, and I'm pretty sure the old cert wasn't installed there either.
The new cert is using the same Default Portal Certificate Group tag as the old cert did. I have removed the old expired cert from the system by the way. Here is what the current entry looks like on each PSN:
Although I don't remember for sure, I do believe this cert is from a different CA. I should add that I have also installed the CA's intermediate and root certificates under Trusted Certificates. The cert being used can be viewed on our website at https://www.hsnsudbury.ca
A snapshot of our Trusted cert store is provided below, with our internal CA info blacked out.
The old certificate was issued by GeoTrust DV SSL CA - G3 from GeoTrust Global CA
I hope this info is helpful.
Thanks very much for taking the time to assist.
I should also add that I was just reviewing this guide at https://communities.cisco.com/docs/DOC-68169 and I see where it says to issue a CSR from ISE in order to obatin the cert and then bind the cert to the CSR. I did not do this. Could this be my problem? I didn't do this with the old cert either.
The cert that is being used on ISE is the same one used for our website referenced in my previous post.
Is this a problem do you think??
Could you please edit the certificate for Portal and Post the CN. The screenshot that you posted before is something called FRIENDLY NAME and not necessarily is the CN value. The CN of that certificate should be for example Primary PAN hostname + domain and also have all the CN for each PSN node including sponsor portal and guest FQDN. See next.
For my guest portal vert only, the CN and SANs are shown below:
And the cert usage for the same cert is shown below:
Everything looks fine, but please check if each PSN's from Primary PAN --- > System Certificates ----------- > PSN Node --- > New Certificate (Used by = Portal, Portal Group Tag = Default Portal Certificate Group).
When the new certificate is added to the Primary PAN for the Portal USE with the default tag, it is not replicated to the rest. You have to manually add it to each node.