SSL Captive Portal issues with Apple

custodn
Level 1

I have a wireless network built on a WLC 5520 running 8.10.183.0 and an ISE server running 3.1.0.518. I have a Production network and a Guest network. The Guest network has a captive portal where the guest enters credentials to connect fully. The captive portal is an SSL page hosted by the ISE server. The issue I'm having is that when an Apple iOS device connects to the guest network, it shows as connected on the device but has no internet access. This behavior, of course, is expected. The user should then access the captive portal by going to a web browser, where they should be redirected to our captive portal. Our issue is that when users open a web browser, they get an SSL certificate trust error. If the users accept and proceed, they get the proper captive portal. As I mentioned, the captive portal is hosted by ISE with a privately signed certificate. I can't find where in ISE that certificate is installed. I also find it odd that an Android user does not get a certificate error when they go through the same motions. Currently, our workaround is to have iOS users go to http://neverssl.com.


I'm unsure if this is an iOS issue with how it handles captive portals or a cert issue I have on my ISE device. Any help would be greatly appreciated.

3 Replies

The SSL certificate is installed in multiple locations in ISE depending on its intended use. These include:

1. **Admin Role**: This certificate secures all communication over port 443 for the Admin GUI, as well as for replication and other unspecified ports. It's used to secure communication between administrators and ISE.

2. **Portal Role**: This certificate secures HTTP communication over various portals in ISE, such as the Centralized Web Authentication (CWA) Portal, Guest Portal, BYOD Portal, and others.

3. **EAP Role**: This certificate is used for 802.1x authentication. It is presented to clients during the authentication process and used to establish a secure channel for credential exchange.

4. **RADIUS DTLS Role**: This certificate encrypts RADIUS traffic between a Network Access Device (NAD) and ISE using DTLS (TLS over UDP).

5. **SAML Role**: This certificate secures communication between ISE and the SAML Identity Provider (IdP).

6. **ISE Messaging Service**: Used for encryption in the ISE Messaging Service, which is used for log data.

7. **PxGrid Role**: This certificate is used for PxGrid services in ISE.

The SSL certificate trust error on the captive portal for iOS devices could be due to several reasons:

- Ensure the portal certificate visible on the browser is what was expected and has been configured on ISE for the portal.

- Verify access to the portal is via the fully qualified domain name (FQDN). If the IP address is used, make sure that both the FQDN and IP address are included in the Subject Alternative Name (SAN) field of the certificate.

- Check that the portal certificate chain, including the ISE portal certificate, intermediate CA certificates, and root CA certificates, is imported and trusted by the client’s OS or browser software. Some devices and browsers have strict security expectations for certificates, so ensure the certificates meet those requirements.

- Check if the portal and intermediate CA certificates are using the SHA-256 hashing algorithm. Some newer versions of iOS, Android OS, and Chrome/Firefox browsers may refuse to connect if the certificates use a less secure algorithm.

If these steps do not resolve the SSL certificate trust error, review the certificate configuration on ISE and ensure that the certificates are correctly installed and trusted by the client devices.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
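A script for the FQDN/SAN, trust and validity checks listed above, as an added example (not Cisco's code and not part of the reply). It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the checks run offline against a constructed sample certificate; the host names, the IP address, the CA names and the portal port (8443, the usual ISE guest-portal default) are assumptions. The signature hash algorithm is not exposed in that dictionary, so for the SHA-256 point run `openssl x509 -noout -text -in portal.pem` and read the "Signature Algorithm" lines for the portal and intermediate certificates.

```python
"""Sanity checks for the certificate an ISE guest portal presents.

Added example, not Cisco's or the poster's code.  Works on the dict shape that
ssl.SSLSocket.getpeercert() returns, so the checks can run offline against the
constructed SAMPLE_PORTAL_CERT below.  Host names, IP, CA names and port are
placeholders.
"""
import socket
import ssl
import time

# Constructed sample in getpeercert() shape: an ISE portal cert issued by a
# private enterprise CA (the situation in the original post).  Not real data.
SAMPLE_PORTAL_CERT = {
    "subject": ((("commonName", "ise.corp.example"),),),
    "issuer": ((("commonName", "corp-private-CA"),),),
    "subjectAltName": (("DNS", "ise.corp.example"), ("IP Address", "10.10.10.5")),
    "notBefore": "Jun 15 12:00:00 2024 GMT",
    "notAfter": "Jun 15 12:00:00 2030 GMT",
}


def san_entries(cert, kind):
    """Values of one SAN type ('DNS' or 'IP Address') from a getpeercert() dict."""
    return {value for typ, value in cert.get("subjectAltName", ()) if typ == kind}


def rdn_value(name, attr):
    """First value of attribute `attr` (e.g. 'commonName') in a subject/issuer tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return ""


def dns_matches(pattern, hostname):
    """Exact match, or a single leading wildcard label covering exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and hostname.count(".") == pattern.count("."):
        return hostname.endswith(pattern[1:])
    return False


def check_portal_cert(cert, portal_fqdn, portal_ip, trusted_ca_cns, now=None):
    """Return findings (strings) for the portal cert; an empty list means it passes.

    trusted_ca_cns models the CA common names present in the client's trust
    store (what the OS ships with, plus anything pushed by a profile).
    """
    findings = []
    now = time.time() if now is None else now

    # 1. The redirect URL's host must be covered by the SAN (CN alone is not enough).
    dns_names = san_entries(cert, "DNS")
    if not any(dns_matches(p, portal_fqdn) for p in dns_names):
        findings.append(f"FQDN {portal_fqdn} not covered by SAN DNS names {sorted(dns_names)}")
    # 2. If clients can be redirected to the IP, it must be a SAN IP entry too.
    if portal_ip and portal_ip not in san_entries(cert, "IP Address"):
        findings.append(f"IP {portal_ip} not in SAN IP Address entries")

    # 3. Trust: self-signed, or issued by a CA the client does not carry.
    subject_cn = rdn_value(cert.get("subject", ()), "commonName")
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    if cert.get("subject") == cert.get("issuer"):
        findings.append(f"self-signed (CN={subject_cn}); clients will not trust it without a profile")
    elif issuer_cn not in trusted_ca_cns:
        findings.append(f"issuer '{issuer_cn}' is not in the client's trusted CA set")

    # 4. Validity window.
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append(f"expired at {cert['notAfter']}")
    return findings


def fetch_portal_cert(host, port=8443, cafile=None):
    """Fetch the live portal cert.  cafile=None uses the system trust store, which
    reproduces a stock browser's trust decision: a private CA then raises
    ssl.SSLCertVerificationError, the same failure the iOS users hit.  Pass the
    private CA's PEM as cafile to get past that and inspect SAN/expiry."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # keep CERT_REQUIRED; SAN mismatch is reported by check_portal_cert
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; "Public-Root-CA" is a placeholder.
    stock_store = {"Public-Root-CA"}                      # public roots only, no private CA
    print(check_portal_cert(SAMPLE_PORTAL_CERT, "ise.corp.example", "10.10.10.5", stock_store))
    print(check_portal_cert(SAMPLE_PORTAL_CERT, "ise.corp.example", "10.10.10.5", stock_store | {"corp-private-CA"}))
```

Running the script as-is shows the two cases from the thread: with only public roots in the store the private issuer is reported, and once the private CA is added the same certificate passes. To test a real portal, call `fetch_portal_cert("your-ise-fqdn")` first with no `cafile` (expect the verification error a stock iOS device gets) and then with the private CA file, and feed the result to `check_portal_cert`.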

sureshot
Cisco Employee

Hi,


Usually, an endpoint browser will alert on an untrusted/unsafe HTTPS/SSL connection to a server (ISE) with a certificate trust error when the server cert (the ISE system cert used for the guest portal) is not trusted/validated by it (the client).

As shown in the reference screenshot below, find the system cert that is "Used by" "Portal" and check its "Issued by" CA.

Check that the same cert is used for your guest access by verifying the "Portal group tag" mapped to the respective guest portal (such as "Self-Registered Guest Portal (default)") settings (Certificate group tag) under Work Centers > Guest Access > Portals & Components > Guest Portals.

Now, validate whether the root cert of the same CA (the one that issued the system cert to the ISE server for the guest 'Portal') is listed in the endpoint's (iOS) Trusted CAs.

The Android endpoint might already have the respective CA root cert as trusted, resulting in no certificate error.


-------------------------------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about ISE through our live Ask the Experts (ATXs) session. Check out Cisco ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-endpoint-security-ask-the-experts-resources/ta-p/4394492] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-------------------------------------------------------------

LC.IT
Level 1

Do you have a certificate signed by a public CA like certSIGN?
