
Guest portal certificate on ise

Background:

The customer doesn't have an internal DNS server. We are using the Google DNS server, which doesn't resolve the internal guest ISE server name. Hence, we are directly using the IP address in the redirect URL and guest authentication portal.

Question:

Which certificate do I need to use for the guest login portal to avoid the cert error? We tried the IP address (10.1.1.1) in the cert common name; Firefox showed a cert error (invalid, for not matching 10.1.1.1:8443). Then we tried the DNS name as common name and the IP address as subject alternative name. Most of the browsers worked fine. Internet Explorer gave a certificate error. Can you think of any other solution?

 

2 Replies

bhose
Level 1

There are several things that need to be set up correctly for clients to see a certificate as valid.

1. The redirect needs to use a DNS name that the client can resolve

2. DNS name used above must be in the certificate as CN or a SAN

3. If the redirect uses a fully qualified domain name then this also needs to be in the certificate

4. Client needs to have the ROOT cert and any required intermediates in its certificate store.

Using an IP address in the SAN should work, but if you want to use a publicly signed cert on ISE then you cannot use an IP address because the certificate authorities will no longer support this.

You could try using 10.1.1.1:8443 in the SAN to see if this works, but you will still need to ensure that the client device has the certificate's ROOT and intermediates in its certificate store.

Hope this helps
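
Added example, not part of the original replies: a simplified Python model of the name check a client applies to the redirect URL, following the RFC 2818 rules (an IP host matches only an iPAddress SAN; a DNS host matches dNSName SANs, with the CN as a legacy fallback). The name guest.example.com and the URL paths are constructed for illustration, and real browsers differ in details.

```python
import ipaddress
from urllib.parse import urlsplit

def reference_identity(url):
    """Return ('ip', address) or ('dns', name) for the host in a redirect URL."""
    host = urlsplit(url).hostname  # the port is dropped: it is not part of the identity
    try:
        return "ip", ipaddress.ip_address(host)
    except ValueError:
        return "dns", host.lower()

def dns_match(pattern, name):
    """Compare one certificate DNS name (optionally '*.' wildcard) to the host."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        return "." in name and name.split(".", 1)[1] == pattern[2:]
    return pattern == name

def cert_matches(url, san_dns=(), san_ip=(), common_name=None):
    """True if the certificate names cover the host the client was redirected to."""
    kind, ref = reference_identity(url)
    if kind == "ip":
        # An IP in the URL is compared only with iPAddress SAN entries, never the CN.
        for entry in san_ip:
            try:
                if ipaddress.ip_address(entry) == ref:
                    return True
            except ValueError:
                continue  # e.g. "10.1.1.1:8443" does not parse as an IP address
        return False
    if san_dns:
        return any(dns_match(p, ref) for p in san_dns)
    # Legacy fallback: CN is consulted only when no dNSName SAN exists.
    return common_name is not None and dns_match(common_name, ref)

if __name__ == "__main__":
    ip_url = "https://10.1.1.1:8443/portal"            # constructed redirect URL
    print(cert_matches(ip_url, common_name="10.1.1.1"))           # CN only
    print(cert_matches(ip_url, san_dns=["guest.example.com"],
                       san_ip=["10.1.1.1"]))                      # DNS + IP SAN
    print(cert_matches("https://guest:8443/portal",
                       san_dns=["guest.example.com"]))            # short name vs FQDN
```
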

 

 

Venkatesh Attuluri
Cisco Employee

Check the following thread:

https://supportforums.cisco.com/discussion/12085906/ise-domain-name-certificates-and-guest-portal
