cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9029
Views
10
Helpful
19
Replies

ISE Guest Authorization page not displaying

scottcummins
Level 1
Level 1

All

i recently renewed the certificate in my ISE running version 2.0.0.306  ADE-OS version 2.3.0187, before I had renewed it it worked fine until the cert expired. I was able to get the new one in and now when a guest tries to use the Guest wireless that guest is redirected to the

https://ISE:8443/portal/gateway/sessionid=

But it says the ISE refused to connect.

I have never worked with an ISE device before, so can anyone point me in the right direction?

19 Replies 19

MattD2010
Level 1
Level 1
I know that this is an old post, but I am having the same problem. Has there been a resolution to this?

Could you please elaborate a little bit more about your issue. What ISE Version are you running?, How many PSN's you have, are you using load balancer?, Did you make any recent change?. With all those answers I could give you some help

I experienced an issue in the past when I changed the certificate that was used by the PORTALS/Guest SSID (CWA or LWA). It was related to a bug on ISE 2.2 and that's why I am asking you for more information. In any case, once you uploaded the new certificate and assigned it to the PORTAL pages, did you check that those PORTALS actually were using it?.

We are running version 2.0.0.306 in a standalone environment. We had a cert that was applied to the EAP Authentication and Default portal certificate group that was expiring last week. I had purchased a globalsign EV cert that had the FQDN for the ISE server as well as a secondary FQDN for the guest portal. 

After applying that cert, we began running into problems with android not containing the required intermediate cert for the EV SSL cert that we purchased. I then had an OV cert with the same set of FQDNs and I was going to migrate the EAP Authentication and Default portal certificate group to that new cert.

 

Once I migrated to the new cert the Guest Portal as well as the my devices portal were inaccessible. Upon further investigating I found that the port "8443" was no longer open on ISE. If I migrated back to the EV cert the portals are accessible, but the android portal redirect fails as they don't contain the intermediate cert.

 

I have tried deleting and importing the cert again as well as having ONLY the new OV cert installed with no luck.

 

Any help is appreciated!

 

TLDR: When applying the default portal certificate group to the OV cert, the portals become inaccessible.

If I am not wrong the version you are running is a buggy one. I would eventually move into at least 2.2 patch 9. In any case I still need more info. Let me provide you some screenshots for testing. QUESTION: Are you using CWA or LWA?. Is this a WIRELESS Network, right?

It probably is the "buggy" one haha. It has been a problem since I started here in August. 

This is the 802.1x authentication on both our Wired and Wireless networks. It appears we are using Centralized Web Auth under the portal redirect.

 

I actually have an ISE 2.2.0.470 server that is spun up and is pending a few changes prior to migrating to that server. The biggest problem is migrating everything on campus over without impacting users.

 

Edit: Added that we are using CWA

From a wired laptop using a Chrome Browser, run a test on the GUEST Portal as indicated next from the ISE Node.

 

ISEPIC2.png

 

 

You should get a page like the following with an URL similar to this. Post the results.

 

https://ISE-PSN-IP:8443/portal/PortalSetup.action?portal=10be2e90-8001-11e5-b027-3440b5d4e810

 

ISEPIC4.png

 

 

 

 

 

 

 

 

 

 

 

After making the cert change, when you test the guest portal I receive "INET_E_RESOURCE_NOT_FOUND".

When attempting to connect to the guest network through the portal, I receive a "Connection Refused" error.

Check my previous screenshots, I want to certify that using ISE IP instead of FQDN you can display the GUEST PORTAL. After posting the results, I would provide you more verification steps/screenshots

The result I get is below...IP address has been removed for security.

https://x.x.x.x:8443/portal/PortalSetup.action?portal=a7054590-819c-11e5-97a5-000c299c31b4

Is the PORTAL properly displayed as my screenshot example

ISEGuestPortal.JPGWhen I open an SSH console to the ISE and do a "Show Ports", the port 8443 is no longer open when the portals are applied to this Cert.

Check my previous of the GUEST Portal, you will see port 8443. Compare with your GUEST Portal configuration.

 

 

No changes have been made.

GuestPortalConfig.JPG

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: