07-19-2017 11:16 AM - edited 07-05-2021 07:22 AM
All
I recently renewed the certificate in my ISE running version 2.0.0.306, ADE-OS version 2.3.0187. Before I renewed it, it worked fine until the cert expired. I was able to get the new one in, and now when a guest tries to use the Guest wireless, that guest is redirected to
https://ISE:8443/portal/gateway/sessionid=
But it says the ISE refused to connect.
I have never worked with an ISE device before, so can anyone point me in the right direction?
01-16-2019 11:35 AM
01-16-2019 02:07 PM - edited 01-16-2019 02:07 PM
Could you please elaborate a little bit more about your issue? What ISE version are you running? How many PSNs do you have? Are you using a load balancer? Did you make any recent changes? With all those answers I could give you some help.
01-16-2019 02:10 PM
I experienced an issue in the past when I changed the certificate that was used by the PORTALS/Guest SSID (CWA or LWA). It was related to a bug on ISE 2.2 and that's why I am asking you for more information. In any case, once you uploaded the new certificate and assigned it to the PORTAL pages, did you check that those PORTALS were actually using it?
01-16-2019 02:23 PM - edited 01-16-2019 02:24 PM
We are running version 2.0.0.306 in a standalone environment. We had a cert that was applied to the EAP Authentication and Default portal certificate group that was expiring last week. I had purchased a GlobalSign EV cert that had the FQDN for the ISE server as well as a secondary FQDN for the guest portal.
After applying that cert, we began running into problems with Android not containing the required intermediate cert for the EV SSL cert that we purchased. I then had an OV cert with the same set of FQDNs and I was going to migrate the EAP Authentication and Default portal certificate group to that new cert.
Once I migrated to the new cert, the Guest Portal as well as the My Devices portal were inaccessible. Upon further investigation I found that the port "8443" was no longer open on ISE. If I migrate back to the EV cert the portals are accessible, but the Android portal redirect fails as they don't contain the intermediate cert.
I have tried deleting and importing the cert again as well as having ONLY the new OV cert installed with no luck.
Any help is appreciated!
TLDR: When applying the default portal certificate group to the OV cert, the portals become inaccessible.
01-16-2019 02:32 PM
01-16-2019 02:42 PM - edited 01-16-2019 02:49 PM
It probably is the "buggy" one haha. It has been a problem since I started here in August.
This is the 802.1x authentication on both our Wired and Wireless networks. It appears we are using Centralized Web Auth under the portal redirect.
I actually have an ISE 2.2.0.470 server that is spun up and is pending a few changes prior to migrating to that server. The biggest problem is migrating everything on campus over without impacting users.
Edit: Added that we are using CWA
01-16-2019 02:53 PM
From a wired laptop using a Chrome Browser, run a test on the GUEST Portal as indicated next from the ISE Node.
You should get a page like the following with a URL similar to this. Post the results.
https://ISE-PSN-IP:8443/portal/PortalSetup.action?portal=10be2e90-8001-11e5-b027-3440b5d4e810
01-16-2019 02:52 PM
After making the cert change, when you test the guest portal I receive "INET_E_RESOURCE_NOT_FOUND".
When attempting to connect to the guest network through the portal, I receive a "Connection Refused" error.
01-16-2019 02:55 PM - edited 01-16-2019 02:56 PM
Check my previous screenshots. I want to certify that using the ISE IP instead of the FQDN you can display the GUEST PORTAL. After you post the results, I will provide you with more verification steps/screenshots.
01-16-2019 02:59 PM
01-16-2019 03:01 PM
01-16-2019 03:03 PM - edited 01-16-2019 03:05 PM
When I open an SSH console to the ISE and do a "Show Ports", port 8443 is no longer open when the portals are applied to this cert.
01-16-2019 03:15 PM
Check my previous of the GUEST Portal, you will see port 8443. Compare with your GUEST Portal configuration.
01-16-2019 03:24 PM
No changes have been made.