sponsor certificate

mhm_ameen
Level 1

Hi,

We have two PSNs and we bought a 3rd party SAN certificate to be used for the portal. In the SAN certificate we configured the common name (CN) "ise.mydomain.com" and the SANs below:

DNS=psn1.mydomain.com    (fqdn of PSN1)

DNS=psn2.mydomain.com    (fqdn of PSN2)

DNS=sponser.mydomin.com   (fqdn of PSN1)

DNS=ise.mydomain.com   (fqdn of PSN1)

Then we installed this certificate on the first PSN and exported and imported it to the second PSN as well. The issue is that if we browse to the sponsor portal by IP address it works, but if we configure the portal to use the FQDN sponser.mydomin.com

a certificate error (HSTS) is shown. What I notice is that when the HSTS certificate error shows and I click on the certificate details, it is using the PAN admin certificate despite me using a dedicated portal certificate. Does this mean the PAN admin certificate should include a SAN for sponser.mydomin.com as well? If yes, why, since my PAN admin certificate is from an internal CA and I want the 3rd party certificate for my sponsor portal.

3 Replies

Before you land on the sponsor portal the session will first go to the PAN, and then the PAN redirects that session to the sponsor portal. This is why you actually see two certificates presented if you inspect this flow: one would be the PAN cert and the other is the one you tied to the sponsor portal. I think this is a design decision on ISE.

This is correct. I always add the sponsor portal's FQDN into the PAN's Admin System Certificate SAN. It seems to be an illogical thing to do, because the Admin cert is for admin stuff, right ... not guest/sponsor portals. But it's how ISE likes it. And luckily, we don't need a publicly signed cert for this - an internally signed cert from the organisation's internal CA is perfect for this role.

It's very unfortunate, and I think it's a bug/design flaw, that you cannot assign a Certificate Tag for the sponsor portal that uses its own certificate, which is independent of all other certificates (e.g. Admin, Guest Portals).  You can configure it, but it won't work.

Therefore, I combine the Roles of "Admin, Portal" in one certificate, that has a Certificate Tag of "Sponsor Portal" which I use on the Sponsor Portal config page. The SAN of this internal PKI certificate includes the PAN FQDNs for admin, and also the CNAME for the Sponsor Portal. This allows me to browse to my PANs and to the Sponsor Portal CNAME (I use a CNAME that points to the A record of the currently active PSN - if this PSN were to fail, then I change the CNAME to point to another PSN's A record).

Guest portals have their own public cert and their own certificate tag as you would expect.
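A small way to reason about the two-hop flow the replies above describe, as an added example that is not code from this thread or from Cisco ISE: each hop is modelled as the name the browser asked for plus the dNSName SAN list of the certificate presented there, and the checker reports the hops a browser would reject. All hostnames and SAN lists (pan1.mydomain.com, sponsor.mydomain.com, and so on) are constructed to mirror the scenario in the question; what matters is that the name in the address bar (the CNAME, not the A record it resolves to) must be covered at both the PAN hop and the PSN hop.

```python
"""Audit whether every hop of the ISE sponsor-portal redirect flow presents a
certificate whose SAN covers the hostname the browser requested.

Added example, not code from the thread or from Cisco ISE. The hostnames and
SAN lists are constructed to mirror the scenario discussed above.
"""

from typing import Iterable, List, Sequence, Tuple


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one dNSName SAN entry against a hostname.

    A wildcard is honoured only as the entire leftmost label and matches
    exactly one label: "*.mydomain.com" covers "psn1.mydomain.com" but not
    "mydomain.com" or "a.b.mydomain.com". Matching is case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_covers(san_dns_names: Iterable[str], hostname: str) -> bool:
    """True if any dNSName SAN entry covers the requested hostname.

    Browsers ignore the CN once a SAN extension is present, so only the SAN
    list is consulted here.
    """
    return any(hostname_matches(name, hostname) for name in san_dns_names)


def audit_flow(hops: Sequence[Tuple[str, Sequence[str]]]) -> List[str]:
    """hops: (hostname the browser requested, SAN list of the cert presented).

    Returns the requested hostnames whose certificate does not cover them,
    i.e. the hops where a browser raises a certificate error (with HSTS in
    force, one the user cannot click through).
    """
    return [host for host, sans in hops if not san_covers(sans, host)]


# Constructed sample: hop 1 lands on the PAN (Admin certificate), hop 2 is the
# redirect to the sponsor portal on the PSN (Portal certificate).
PORTAL_CERT_SANS = ["psn1.mydomain.com", "psn2.mydomain.com",
                    "sponsor.mydomain.com", "ise.mydomain.com"]
ADMIN_CERT_SANS_BEFORE = ["pan1.mydomain.com"]  # sponsor CNAME not included
ADMIN_CERT_SANS_AFTER = ["pan1.mydomain.com", "sponsor.mydomain.com"]

FLOW_BEFORE = [("sponsor.mydomain.com", ADMIN_CERT_SANS_BEFORE),  # hop 1: PAN
               ("sponsor.mydomain.com", PORTAL_CERT_SANS)]        # hop 2: PSN
FLOW_AFTER = [("sponsor.mydomain.com", ADMIN_CERT_SANS_AFTER),
              ("sponsor.mydomain.com", PORTAL_CERT_SANS)]

if __name__ == "__main__":
    print("hops rejected before fix:", audit_flow(FLOW_BEFORE))  # ['sponsor.mydomain.com']
    print("hops rejected after fix: ", audit_flow(FLOW_AFTER))   # []
```

Run it as-is to see the PAN hop fail until the sponsor CNAME is added to the Admin certificate's SAN; to audit a live deployment, replace the constructed SAN lists with the dNSName entries read from the certificates each node actually serves.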

What is your NAD? Is it a WLC?

Are you using ISE for guest?

MHM