09-05-2023 08:27 AM
I have a wireless network built on a 5520 WLC running 8.10.183.0 and an ISE server running 3.1.0.518. I have a Production network and a Guest network. The Guest network has a captive portal where the guest enters credentials to connect fully. The captive portal is an SSL page hosted by the ISE server. The issue I'm having is that when an Apple iOS device connects to the guest network, it shows as connected on the device but has no internet access. This behavior, of course, is expected. The user should then open a web browser, where they should be redirected to our captive portal. Our issue is that when users open a web browser, they get an SSL certificate trust error. If the users accept and proceed, they get the proper captive portal. As I mentioned, the captive portal is hosted by ISE with a privately signed certificate. I can't find where in ISE that certificate is installed. I also find it odd that an Android user does not get a certificate error when going through the same motions. Currently, our workaround is to have iOS users go to http://neverssl.com.
I'm unsure if this is an iOS issue with how it handles captive portals or a cert issue I have on my ISE device. Any help would be greatly appreciated.
09-11-2023 11:48 AM
09-22-2023 02:52 AM
Hi,
Usually, an endpoint browser will alert on an untrusted/unsafe HTTPS/SSL connection to a server (ISE) with a certificate trust error when the server cert (the ISE system cert used for the guest portal) is not trusted/validated by the client.
As shown in the reference screenshot below, find the system cert that is "Used by" "Portal" and check its "Issued by" CA.
Check that the same cert is used for your guest access by verifying the "Portal group tag" mapped to the respective guest portal (like "Self-Registered Guest Portal (default)") settings (Certificate group tag) under Work Centers > Guest Access > Portals & Components > Guest Portals.
Now, validate whether the root cert of that same CA (the one that issued the system cert ISE uses for the guest "Portal") is listed in the endpoint's (iOS) trusted CAs.
The Android endpoint might already have the respective CA root cert as trusted, resulting in no certificate error.
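The three checks in the reply above (read the "Issued by" CA of the portal cert, then ask whether a client that lacks that CA trusts it versus one that has it) can be rehearsed offline before touching a real endpoint. The script below is an added example, not code from the thread or from Cisco: it mints a throwaway private CA and a portal certificate signed by it, then validates that certificate against an iOS-like trust store (public roots only, here a second throwaway root) and an Android-like store that also contains the private CA. The FQDN guest.example.com, the CA names, the work directory and the port in the s_client comment are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco. Reproduces the
# "which CA issued the portal cert, and does the client trust it" check offline.
# Assumed values: portal FQDN, CA names, work directory, port in the comment.

WORK="${TMPDIR:-/tmp}/ise-portal-cert-demo"
PORTAL_FQDN="guest.example.com"        # assumed ISE guest portal FQDN
PRIVATE_CA_CN="Example Private Root CA" # the "Issued by" on the ISE system cert
OTHER_CA_CN="Some Public Root CA"       # stands in for a root the client does trust

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
write_openssl_cnf() {
  cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_portal]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$PORTAL_FQDN
EOF
}

# Self-signed root CA written as $WORK/<name>.pem and $WORK/<name>.key.
make_root_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/openssl.cnf" -extensions v3_ca -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Build the whole throwaway PKI: two roots, one portal cert, two trust stores.
make_demo_pki() {
  mkdir -p "$WORK" && write_openssl_cnf || return 1
  make_root_ca private-ca "$PRIVATE_CA_CN" || return 1
  make_root_ca other-ca "$OTHER_CA_CN" || return 1
  # Portal cert: CSR for the portal FQDN, signed by the private CA, with the
  # SAN and serverAuth EKU a captive-portal TLS server needs.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=$PORTAL_FQDN" -keyout "$WORK/portal.key" \
    -out "$WORK/portal.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/portal.csr" -CA "$WORK/private-ca.pem" \
    -CAkey "$WORK/private-ca.key" -CAcreateserial -days 30 \
    -extfile "$WORK/openssl.cnf" -extensions v3_portal \
    -out "$WORK/portal.pem" >/dev/null 2>&1 || return 1
  # iOS-like store: public roots only. Android-like store: private CA added.
  cp "$WORK/other-ca.pem" "$WORK/ios-like-trust.pem"
  cat "$WORK/other-ca.pem" "$WORK/private-ca.pem" > "$WORK/android-like-trust.pem"
}

# The "Issued by" field of a certificate, in RFC 2253 form (stable across
# OpenSSL versions). Against a live ISE node you would feed it the leaf from:
#   openssl s_client -connect guest.example.com:8443 \
#     -servername guest.example.com -showcerts </dev/null
# (8443 is the default ISE portal port; the hostname is an assumption).
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Validate a leaf cert the way a browser does: chain only to roots in the given
# store (the default CA directory is left out) and match the portal hostname.
# Prints "trusted" or "untrusted" and returns 0 or 1 accordingly.
verify_against_store() {
  if openssl verify -CAfile "$2" -no-CApath -verify_hostname "$PORTAL_FQDN" \
       "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted; return 1
  fi
}

# Stand-alone run: build the PKI and show both outcomes.
if make_demo_pki; then
  echo "portal cert issued by: $(cert_issuer "$WORK/portal.pem")"
  echo "iOS-like store (no private CA): $(verify_against_store "$WORK/portal.pem" "$WORK/ios-like-trust.pem")"
  echo "Android-like store (private CA added): $(verify_against_store "$WORK/portal.pem" "$WORK/android-like-trust.pem")"
fi
```

The issuer printed by cert_issuer is what you compare against the CA list on the iOS device; the two verify results are the behaviour described in the thread (warning on iOS, none on Android) reproduced from the trust stores alone, which is the point of the reply: the portal cert is fine, the client simply lacks the issuing root.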
09-24-2023 12:46 PM
Do you have a certificate signed by a public CA like certsign?