Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco ISE - Guest portal Cert query

I have brief question regarding the Cisco ISE appliance and guest portal cert’s.

Ideally in my customer environment we want to hide our infrastructure hence the below...

Summary

  • Guest Web authentication is working through the controller and then passed onto the ISE server
  • The business would like to remove the ‘untrusted certification error’ that users are getting when they login
  • On the controller I can set the ‘FQDN’ via the virtual interface and apply/obtain a public cert for that name.

Challenge

  • Currently the ‘hostname’ of the ISE  server is ‘prod-net-ise01’  (that is the mgmt name of the device)
  • I can only seem to generate a cert for the ‘hostname’ of the device and that will not hide what it is..

Is it possible to apply a HTTP/HTTPS public cert on the ISE server with a FQDN that does not match the hostname?

i.e. similar to the way that the controller does it..

If not then what would the process be to change the ‘hostname’ of the ISE device, Can that only be done via the CLI?

Appreciate any help or pointing me in the right direction.

8 REPLIES
New Member

Cisco ISE - Guest portal Cert query

I just tried to use a wildcard certificate, and received the error message that the "Management certificate must contain host FQDN in CN component of Subject field."  This is a HUGE issue.  Currently, I can use wildcard certs on the WLCs without an issue.  And, I can import a separate one for web logins from the one used for management.  ISE really needs to have the ability to import a separate, non-"Management" certificate just used for "Guest" logins.  Not sure if that is part of the blueprint for ISE 1.2, but it needs to be.

New Member

Re: Cisco ISE - Guest portal Cert query

I am meeting a similar issue, which is for sponsor portal, not for guess portal, because we put guest portal on the WLC.

In ISE 1.1, an option for sponsor portal FQDN is found in the general options. However, it seems not working.

I've opened a TAC case, Cisco engineer said he turned to developer for further checking.

Hopefully it can be addressed in next week.

Sent from Cisco Technical Support iPhone App

New Member

Re: Cisco ISE - Guest portal Cert query

It's confirmed not supported in current version sadly.

We have to change the host name ...

Sent from Cisco Technical Support iPad App

New Member

Re: Cisco ISE - Guest portal Cert query

This last week at CiscoLive, I heard that there may be a workaround using Subject Alternate Names in the certificate.  Now, this is not something that can be done using the CSR from ISE.  I'm waiting for some documentation on the process, but I aat least have a little bit of hope.

New Member

Cisco ISE - Guest portal Cert query

Hi Jason,

If you got an update related to Subject Alternate Names could you post the information? I'm also interested in this functionality to fix the issue so that we can give the appliance multiple certificates with other domain names.

Regards,

Sander

New Member

Cisco ISE - Guest portal Cert query

New Member

Cisco ISE - Guest portal Cert query

I don't believe there's an easy way around this currently. The URL for the PSN is created dynamically and is always the real hostname of the PSN node. If you have the luxury of multiple appliances (or VMWare partitions) available, then you can have a couple of your PSN's dedicated for guest (and maybe sponsor) access. These can then be on separate (more covert) nostnames and even on separate domain so that guest users don't see your internal domain. For split domains you will need at least 1.1.1 patch 4 (unless you can use a DNS bodge which we have tested).

New Member

Cisco ISE - Guest portal Cert query

Hi Aman and Bikspace,

For the record: i have the documentation and the SAN field isn't resolving the issue for multple domain names. Altought you can specify other hostnames, it is still in the same domain suffix.

Like Bikespace mention: the solution for the problem can be resolved in this way.

Setup a Deployment for two ISE nodes. Take up a VM and built this for DMZ purpose. You can install a PSN with an other DNS suffix. As long as these domain names are resolvable in the DNS deployment it will work. I've build this and it works with 1.1.2 patch 2. I thought this would be a problem for the AD agent on the PSN with an other DNS suffix than the real Domain Controller in the Active Directory domain, but this isn't; it will work.

Extra tip: you can't register a 'real' certificate on a fake DNS name. So .local and .lan should be denied by your CA. So this solution above is the only solution for now. Also the problem lies in ISE. You can't install another certificate that is different than the hostname+suffix of the PSN node. I prefer that Cisco solve this issue like the behavior in Cisco ASA.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml

or on the same interface with differents ports! it shoudn't be so hard for Cisco to implement this.

5327
Views
0
Helpful
8
Replies
CreatePlease login to create content