Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1213
Views
3
Helpful
7
Replies

Problem with sponsored guest portal and its certificate..

Go to solution
GustavoSepulvedaChapa
Level 1
Level 1

‎10-05-2017 06:05 PM

I have a problem using the sponsored guest portal.
My internal ise deployment is using a self signed certificate by our ca Server.    

The problem is that i have an open SSID for guests so when they arrive they open their browser and get redirected to the fqdn of the sponsored portal.

They get the "Untrusted website advertise" and i dont like that idea.(ssl problem).

So i was thinking on buying a wildcard ssl certificate from Godaddy to fix this issue, will it work?

What i understood is that they dont trust the website since they dont have the root cert on their devices, so if i configure a public ssl certificate we should get rid of this ssl problem, right?

Or what would be the best option?

Thanks

1 Accepted Solution

Accepted Solutions

Go to solution
gbekmezi-DD
Level 5
Level 5

‎10-05-2017 06:58 PM

I don’t think you’d need a wildcard cert for your guest portal. One thing that seems odd about your description is that your guests are being redirected to a sponsor portal. The guests should be redirected to a guest portal. You can have a certificate issued with a CN of guest.company.com<http://guest.company.com> and alternate subject names of your ISE PSN FQDNs and bind the certificate to your guest portal. Alternatively, you can do something like guest-01.company.com<http://guest-01.company.com> and guest-02.company.com<http://guest-02.company.com> and then bind that certificate to your ISE guest portals in ISE. If you want to use alternate hostnames you will need to use a second interface and leverage the “ip host” command from the CLI. Refer to https://communities.cisco.com/thread/66845?start=0&tstart=0. Unless something has changed, you cannot assign an alternate hostname to the primary ISE interface.

Having said all that, you could also use a wildcard cert if you feel like the cost and risks are worthwhile.

George

View solution in original post

0 Helpful
7 Replies 7

Go to solution
gbekmezi-DD
Level 5
Level 5

‎10-05-2017 06:58 PM

I don’t think you’d need a wildcard cert for your guest portal. One thing that seems odd about your description is that your guests are being redirected to a sponsor portal. The guests should be redirected to a guest portal. You can have a certificate issued with a CN of guest.company.com<http://guest.company.com> and alternate subject names of your ISE PSN FQDNs and bind the certificate to your guest portal. Alternatively, you can do something like guest-01.company.com<http://guest-01.company.com> and guest-02.company.com<http://guest-02.company.com> and then bind that certificate to your ISE guest portals in ISE. If you want to use alternate hostnames you will need to use a second interface and leverage the “ip host” command from the CLI. Refer to https://communities.cisco.com/thread/66845?start=0&tstart=0. Unless something has changed, you cannot assign an alternate hostname to the primary ISE interface.

Having said all that, you could also use a wildcard cert if you feel like the cost and risks are worthwhile.

George

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to gbekmezi-DD

‎10-05-2017 08:35 PM

Just a small correction.  You don't need to use another interface to use alternate hostnames on your guest portal.  You need to use second interfaces only if you want ISE to automatically use those hostnames in the portal redirect.  You can use any hostnames you want using the static override option in the authorization profiles.

Say you have two PSNs you would create two redirect authorization profiles:

ISE1-Redirect has static redirect to guest1.mycompany.com

ISE2-Redirect has static redirect to guest2.mycompany.com

Then you use the Network Access->ISE Hostname in your authorization rules:

If ISE hostname equals ISE-1 then use ISE-1-Redirect authorization profile

If ISE hostname equals ISE-2 then use ISE-2-Redirect authorization profile

0 Helpful

Go to solution
gbekmezi-DD
Level 5
Level 5
In response to paul

‎10-05-2017 09:35 PM

Thanks for that clarification Paul. I would generally want the redirection to be dynamic, but you certainly could make it more static and then use a single interface without the need for the ip hostname command right?

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to gbekmezi-DD

‎10-05-2017 09:53 PM

Yep if you use the static override you just need to have as many authorization rules as your ISE guest PSNs to get the traffic back to the PSN that authenticated the session.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

0 Helpful

Go to solution
GustavoSepulvedaChapa
Level 1
Level 1

‎10-06-2017 07:45 AM

Thanks for answering!

I made some changes, im now redirecting guests to the Guest portal, but they still have the trust issues, can i change the portal to HTTP instead so they dont have the trust issues?

Thanks

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to GustavoSepulvedaChapa

‎10-06-2017 07:54 AM

No you will need to get a trusted certificate

ISE portals don’t run via http

Go to solution
GustavoSepulvedaChapa
Level 1
Level 1
In response to Jason Kunst

‎10-06-2017 08:07 AM

Thanks Jason, thats what i thought, since its using a subdomain of my company, i will get a wildcard certificate with godaddy or another company that sell the ssl certificates

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents