ISE Domain Issue

Davion Stewart
Level 1

Good day, 

Requirement: Public certificate needed for use with ISE guest portal to be able to securely authenticate users outside of the enterprise. This is so that users can trust the portal page and not get certificate errors and other issues associated with using an untrusted certificate. 

Setup: ISE 2.1 being used with WLC 5520 8.5 code. CWA being used between the ISE and WLC. Users go through Guest SSID and get redirected to Guest portal. 

Internal users authenticate to ISE using 802.1X (EAP-PEAP)

Problem:

The internal domain is mycompany.com. ISE has joined this domain. Internal users are on this domain. The external domain is exmycompany.com.

Unfortunately, the internal domain has already been taken by another organisation. 

Therefore if we try generating a CSR from ISE, it uses the FQDN of ISE which uses the internal domain and therefore the domain (and by extension the certificate) cannot be verified.

A solution is required where we can authenticate both internal and external users securely.

Question:

Using an application like OpenSSL to create a CSR using the domain as exmycompany.com and any other required SAN names:

1. Once the necessary DNS zone is created on the domain controller for exmycompany.com to reflect the required domain names, can it be uploaded to the ISE System Certificate store and selected for only Portal Management even though the ISE is in a different domain?

2. Once this is done, can an Authorization Profile be configured to send the redirect URL as ISE.exmycompany.com using the static ip/host option?

Therefore, in the end what is required is that when the user connects to the SSID and is redirected, the ISE will send the redirect URL as ISE.exmycompany.com and then when the guest user device is validating the certificate, it will confirm that the URL is valid based on the trusted cert. The name will be resolved in DNS and take you to the ISE portal page.

Internal users will use the internal cert signed via the enterprise's internal CA which uses the mycompany.com domain. The internal cert will be assigned to all other ISE services required. (Admin, EAP authentication).

Let me know if this is possible, or suggest any plausible solutions.

Thanks
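The OpenSSL step from the question, as an added example that is not part of the original post: a request config and commands that produce a CSR whose CN and every SAN sit in the external domain, plus a check that a given SAN is actually present before the CSR goes to the public CA. The hostnames ise.exmycompany.com and guest.exmycompany.com are assumed placeholders, and the CSR is bound to the node's own key so that only the request, never the key, leaves the box.

```shell
#!/bin/sh
# Added example (not from the original post): build an OpenSSL CSR for the
# public guest-portal certificate, with the CN and every SAN in the external
# domain. Hostnames below are constructed placeholders for exmycompany.com.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/ise-portal.key"
CSR="$WORKDIR/ise-portal.csr"
CONF="$WORKDIR/ise-portal.cnf"

# Write an OpenSSL request config: CN plus a SAN list. Browsers match the
# redirect URL host against subjectAltName, not the CN, so the exact portal
# FQDN used in the redirect URL must appear in alt_names.
write_config() {
    cat > "$CONF" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = ext

[ dn ]
C  = US
O  = MyCompany
CN = ise.exmycompany.com

[ ext ]
subjectAltName   = @alt_names
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ alt_names ]
DNS.1 = ise.exmycompany.com
DNS.2 = guest.exmycompany.com
EOF
}

# Generate the private key (stays local; only the CSR is sent to the CA)
# and the CSR carrying the requested extensions.
make_csr() {
    write_config
    openssl req -new -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CSR" \
        -config "$CONF" 2>/dev/null
}

# Return success if the CSR lists the given DNS name as a SAN.
csr_has_san() {
    openssl req -in "$CSR" -noout -text | grep -q "DNS:$1"
}

make_csr
csr_has_san ise.exmycompany.com && echo "CSR contains SAN ise.exmycompany.com"
```

After the CA returns the signed certificate, the same `openssl x509 -noout -text` view confirms the SANs survived signing before the certificate is bound to the portal.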
