Migrating to Cisco 9800 Certificate requirements when using ISE Portal

Garry Cooper
Level 1

Currently we have an old 5508 WLC which is using ISE to authenticate guests.

I have updated the cert on ISE, but am getting certificate errors from the portal.

I remember somewhere that the same cert had to be installed on the WLC. Is that correct? (I'm thinking the WLC and ACL need to match, so it might be the same for certs.)

Also, looking to migrate to a 9800 controller, would I have to install a cert on that box too? I have set up a test for the 9800; the redirection is working and I get the web redirect page, but it does not show anything on the page.


5 Replies

Jegan Rajappa
Level 1

Are you using centralized web authentication (CWA)? In that case the certificate is required only on the ISE side.

Did you install the SSL certificate and assign it to the ISE PSN node? You can check this by navigating to Administration -> System -> Certificates -> System Certificates.

You also need to call out the certificate group tag by navigating to Work Centers -> Guest Access -> Portals & Components -> Guest Portals -> select your portal name -> Portal Settings.

Jegan.

 

The certificate has been updated on ISE and I have checked the settings you suggested.

When the portal first pops up the URL is msftconnecttest.com; this is using the old cert that is installed on the WLC. It then redirects to the correct portal we have set up on ISE.

Hope that makes sense.

Scott Fella
Hall of Fame

If ISE is being used for the portal, then you don't need to install the cert on the WLC. The cert is installed on the system that hosts the web portal page. If the controller were hosting the web page, then the controller would need a certificate that is trusted by devices so that users will not see a certificate error. Just make sure your certificate does not have any errors and that the FQDN on the certificate does get resolved.

-Scott
*** Please rate helpful posts ***

Have done some more digging into this issue and found it could be routing.

So the client gets DHCP and can resolve the FQDNs for the portal; I get the pop-up from the redirect, but no page shows.

Checked the firewall and found an issue with ISE routing. The ISE box is trying to route the traffic out of the LAN interface, not back down the interface the ISE box has for the portal.

Gi0 10.0.253.9 LAN interface

Gi1 172.17.248.31 DMZ interface on our firewall

Do I need a route on ISE to route the traffic back? I have never set up any routing on ISE before.

See attached basic topology of the traffic route.

 

Accepted Solution

Fixed the portal issue. It was a static route needed on the ISE box.

Initially the traffic from the client would get pushed out of Gi0, so adding 172.17.232.0/22 172.17.248.1 eth1 pushed the traffic back to the firewall.

show ip route

10.0.253.0/24 0.0.0.0 eth0
172.17.232.0/22 172.17.248.1 eth1
172.17.248.0/22 0.0.0.0 eth1
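The route fix above comes down to longest-prefix matching: before the static route, the guest subnet matched nothing more specific than the default route, so ISE's portal replies left the LAN interface while the requests arrived on the DMZ interface, and the stateful firewall never saw a symmetric flow. The following Python walk-through is an added example and not part of the original thread. It reconstructs the ISE routing table from the post and shows which interface the reply to a guest client takes before and after the static route. Two values are assumptions not stated on the page: a default route via a LAN gateway 10.0.253.1 on eth0, and a guest client address 172.17.233.50 inside 172.17.232.0/22.

```python
"""Longest-prefix-match walk of the ISE routing table from the thread.

Added example, not code from the original post. It reconstructs why the
guest portal reply traffic left the LAN interface (Gi0/eth0) before the
static route was added, and which interface it uses afterwards.

Assumptions (not stated on the page): the ISE node's default route points
at a LAN gateway 10.0.253.1 on eth0, and the guest client address
172.17.233.50 sits in 172.17.232.0/22. Both are constructed for this example.
"""
import ipaddress
from typing import List, Optional, Tuple

# One entry per 'show ip route' line: (prefix, next hop, interface).
# A next hop of 0.0.0.0 means directly connected, as ISE prints it.
Route = Tuple[ipaddress.IPv4Network, str, str]

# Table before the fix: the connected routes from the post plus the
# assumed default route via the LAN gateway (constructed for this example).
BEFORE: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "10.0.253.1", "eth0"),  # assumed default
    (ipaddress.ip_network("10.0.253.0/24"), "0.0.0.0", "eth0"),
    (ipaddress.ip_network("172.17.248.0/22"), "0.0.0.0", "eth1"),
]

# The static route the poster added: guest subnet via the DMZ firewall.
GUEST_STATIC: Route = (
    ipaddress.ip_network("172.17.232.0/22"), "172.17.248.1", "eth1",
)

AFTER: List[Route] = BEFORE + [GUEST_STATIC]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst (longest prefix wins)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def egress_interface(table: List[Route], dst: str) -> Optional[str]:
    """Interface ISE would send a packet to dst out of, or None if unroutable."""
    r = lookup(table, dst)
    return None if r is None else r[2]


def reply_path_is_symmetric(table: List[Route], client_ip: str,
                            portal_if: str = "eth1") -> bool:
    """True when the reply to client_ip leaves the interface the portal
    request arrived on (the DMZ side). False means asymmetric routing,
    which a stateful firewall in the path will normally drop."""
    return egress_interface(table, client_ip) == portal_if


if __name__ == "__main__":
    client = "172.17.233.50"  # constructed guest client address
    for name, table in (("before", BEFORE), ("after", AFTER)):
        r = lookup(table, client)
        print(f"{name}: {client} -> {r[0]} via {r[1]} dev {r[2]}; "
              f"symmetric={reply_path_is_symmetric(table, client)}")
```

Running it prints the reply leaving eth0 (asymmetric) before the fix and eth1 via 172.17.248.1 after it. On the ISE node itself the same route is entered from the CLI in configuration mode as `ip route 172.17.232.0 255.255.252.0 gateway 172.17.248.1`; the check that matters afterwards is that `show ip route` lists the guest prefix against the DMZ interface, exactly as in the post.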
