Cisco Support Community

New Member

Guest Portal - untrusted certificate

All,

My ISE integration is on our local domain, for example company.local. I created a rule in the authorization policy that used a static IP address, say guest.company.com, for our guests to use for the redirection. When guests get the web auth redirection to guest.company.com they are getting the untrusted certificate.

I tried to import a certificate from our external CA, and faced errors because it didn't have the .company.local SAN. I did generate that with the CSR, but my external CA doesn't give me an option to include this.

How is this rectified so our guests hit the web portal without getting a certificate error?

1 ACCEPTED SOLUTION

Guest Portal - untrusted certificate

Hi Jason,

From my experience, this is a common problem. Typically, what I do on deployments is obtain a trusted 3rd-party signed certificate for my HTTPS usage on the ISE appliances. If you want to use your internal CA certificate to authenticate EAP for your domain computers and other sessions, you can still do so.

Note: Sometime in 2014 (it may already be active) the 3rd-party certificate signers are no longer going to allow .local or other internal domains on their certificates. 

With that said, I've normally been deploying the ISE appliances with an external domain name, for example ise.company.com rather than ise.company.local. You can set up split DNS on your network to allow ise.company.com to resolve to your internal IP.

Hope this helps.
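To make the accepted answer's reasoning concrete, here is an added example (not code from the thread, and not Cisco's or ISE's own tooling) that models the check a guest's browser performs: the redirect target must appear in the certificate's SubjectAltName, and a public CA will only sign names it can validate, so a certificate carrying only ise.company.local can never satisfy a redirect to guest.company.com. The SAN lists and the list of reserved internal suffixes are constructed assumptions; only the .local case comes from the thread.

```python
"""Hostname-vs-SAN check for a guest-portal certificate (added example).

Pure standard library. SAN entries are constructed (kind, value) tuples,
e.g. ("DNS", "ise.company.com") or ("IP", "10.1.1.5").
"""
import ipaddress

# Suffixes public CAs will not sign. ".local" is the case from the thread;
# the remaining entries are an assumption about common internal domains.
RESERVED_SUFFIXES = (".local", ".internal", ".corp", ".lan", ".localhost")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, wildcard allowed only
    as the entire left-most label, matching exactly one label, and never
    against a bare public suffix such as *.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False  # partial or multiple wildcards are rejected
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def san_covers(san_entries, target: str) -> bool:
    """True if the SubjectAltName list covers the redirect target.
    An IP-literal target only matches an IP entry and a DNS target only a
    DNS entry; browsers ignore the CN once a SAN extension is present."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    for kind, value in san_entries:
        if target_ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == target_ip:
                return True
        elif kind == "DNS" and hostname_matches(value, target):
            return True
    return False


def public_ca_rejects(san_entries) -> list:
    """DNS names a public CA would refuse: reserved suffixes or single-label."""
    rejected = []
    for kind, value in san_entries:
        if kind != "DNS":
            continue
        bare = value.lower().lstrip("*.")
        if "." not in bare or bare.endswith(RESERVED_SUFFIXES):
            rejected.append(value)
    return rejected


def diagnose(san_entries, portal_fqdn: str, node_fqdn: str) -> dict:
    """Summarise whether a candidate certificate works for both the guest
    redirect and the node's own name, and which names a public CA would
    refuse to sign."""
    return {
        "portal_covered": san_covers(san_entries, portal_fqdn),
        "node_covered": san_covers(san_entries, node_fqdn),
        "public_ca_rejects": public_ca_rejects(san_entries),
    }


if __name__ == "__main__":
    # Constructed SAN lists: the certificate the poster had, and the shape
    # the accepted answer recommends (public names only, split DNS inside).
    original = [("DNS", "ise.company.local")]
    recommended = [("DNS", "ise.company.com"), ("DNS", "guest.company.com")]
    print(diagnose(original, "guest.company.com", "ise.company.local"))
    print(diagnose(recommended, "guest.company.com", "ise.company.com"))
```

Running it shows the first certificate fails on both counts (the portal name is not covered and ise.company.local would be refused by a public CA), while the second covers the node and the portal and contains nothing a public CA would reject; the internal IP it resolves to is then a split DNS matter, not a certificate one.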

3 REPLIES
New Member

Re: Guest Portal - untrusted certificate

Has anyone encountered this? Should I change the nodes to company.com and use an external CA for http authentication?

Sent from Cisco Technical Support iPhone App

New Member

Guest Portal - untrusted certificate

Thank you, yes I read that the external CAs will stop allowing local domains on their certificates, so I think it's best to run company.com on our nodes, and as we already have split DNS set up this works well.

I guess this is probably the best way to future proof the deployment.

226 Views, 0 Helpful, 3 Replies