Guest Portal - untrusted certificate

jasonsalomons
Level 1

All,

My ISE integration is on our local domain, for example company.local. I created a rule in the authorization policy that used a static IP address, say guest.company.com, for our guests to use for the redirection. When guests get the web auth redirection to guest.company.com they are getting the untrusted certificate.

I tried to import a certificate from our external CA, and faced errors because it didn't have the .company.local SAN. I did generate that with the CSR but my external CA doesn't give me an option to include this.

How is this rectified so our guests hit the web portal without getting a certificate error?

Accepted Solution

Hi Jason,

From my experience, this is a common problem. Typically, what I do on deployments is obtain a trusted 3rd-party signed certificate for my HTTPS usage on the ISE appliances. If you want to use your internal CA certificate to authenticate EAP for your domain computers and other sessions, you can still do so.

Note: Sometime in 2014 (it may already be active) the 3rd-party certificate signers are no longer going to allow .local or other internal domains on their certificates.

With that said, I've normally been deploying the ISE appliances with an external domain name, for example ise.company.com rather than ise.company.local. You can set up split DNS on your network to allow ise.company.com to resolve to your internal IP.

Hope this helps.
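The error the guests see is a name mismatch: the redirect hostname is not listed in the certificate's subjectAltName. The following added example (not from the thread or from Cisco) applies browser-style SAN matching so the mismatch can be diagnosed from a helpdesk machine; the hostnames, the port 8443 default and the sample certificate dict are assumptions.

```python
"""Check whether the certificate a portal presents lists the portal FQDN in
its subjectAltName (SAN). Added example; hostnames are placeholders."""
import socket
import ssl


def san_dns_names(cert):
    """dNSName entries of a cert in the dict shape ssl.getpeercert() returns."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def hostname_matches(hostname, names):
    """Browser-style match (RFC 6125): exact, or a wildcard in the leftmost
    label only. A wildcard never spans a dot, so *.company.com covers
    guest.company.com but not a.b.company.com or ise.company.local."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in names:
        labels = name.rstrip(".").split(".")
        if labels == host_labels:
            return True
        if (labels[0] == "*" and len(labels) > 2
                and len(labels) == len(host_labels)
                and labels[1:] == host_labels[1:]):
            return True
    return False


def explain_mismatch(hostname, cert):
    """None if the cert covers hostname, else a message naming what it does
    cover, so the CSR can be regenerated with the missing SAN entry."""
    names = san_dns_names(cert)
    if not names:
        return "certificate has no SAN dNSName entries"
    if hostname_matches(hostname, names):
        return None
    return "%s not in SAN: %s" % (hostname, ", ".join(names))


def check_portal_cert(hostname, port=8443):
    """Fetch the live certificate and run the SAN check separately from
    chain trust: verify_mode stays CERT_REQUIRED (an untrusted chain still
    raises, which is the first failure a guest would see), but hostname
    checking is done by explain_mismatch instead of the ssl module."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we report the name mismatch ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must still be trusted
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return explain_mismatch(hostname, tls.getpeercert())
```

Run `check_portal_cert("guest.company.com")` from a client on the guest VLAN; a non-None result is the exact name the next CSR has to include.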


3 Replies

jasonsalomons
Level 1

Has anyone encountered this? Should I change the nodes to company.com and use an external CA for http authentication?

Sent from Cisco Technical Support iPhone App

Thank you, yes I read that the external CAs will stop allowing local domains on the certificates, so I think it's best to run company.com on our nodes, and as we already have split DNS set up this works well.

I guess this is probably the best way to future proof the deployment.