
Cannot access ISE GUI or My Devices portal via FQDN.

pacavell
Cisco Employee

In my single node ISE 2.4 lab I have the FQDN for ISE defined as sda-ise.gsps-sda.com. The FQDN I have configured in the My Devices portal is mydevices.gsps-sda.com. From my Win10 host I can successfully ping ISE via both FQDNs. However, I cannot access ISE via either FQDN when I use a browser (Chrome, Firefox, Edge). I've checked the ISE self-signed cert used for admin and portal access and it looks fine (Subject CN = sda-ise.gsps-sda.com, Issuer = sda-ise.gsps-sda.com). As a test I telnetted to sda-ise.gsps-sda.com using ports 443 and 8443 and both seemed to connect. Nslookup run from my Win10 host also resolves the FQDNs.

Any ideas about what could be happening here?


6 Replies

pacavell
Cisco Employee
When I say I cannot access ISE via my browser with an FQDN, I mean it seems to be unable to resolve the name and cannot find the host. It does not come back with the typical SSL warning about a cert signed by an unknown CA.

Did you check that DNS server has entries that can resolve the FQDN? Also the certificate needs to include the FQDN in the SAN

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0111.html#ID432
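
A check for the SAN requirement mentioned in the reply above, added here as an example and not part of the original thread: it classifies each of the two FQDNs from the question as covered by a SAN DNS entry, matched only by the Subject CN, or absent. The certificate dicts are constructed in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the function names are hypothetical.

```python
# Added example: SAN coverage check over certificate dicts shaped like the
# output of ssl.SSLSocket.getpeercert(). All sample data is constructed.

def _cn(cert):
    """Return the Subject commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def _dns_match(pattern, host):
    """Case-insensitive match; '*' counts only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def san_coverage(cert, fqdns):
    """Classify each FQDN as 'san', 'cn-only' or 'missing'."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    cn = _cn(cert)
    result = {}
    for name in fqdns:
        if any(_dns_match(s, name) for s in sans):
            result[name] = "san"
        elif cn and _dns_match(cn, name):
            result[name] = "cn-only"   # a client that reads only the SAN rejects this
        else:
            result[name] = "missing"
    return result

FQDNS = ["sda-ise.gsps-sda.com", "mydevices.gsps-sda.com"]

# Constructed: a certificate with the CN set and no SAN extension.
CN_ONLY_CERT = {"subject": ((("commonName", "sda-ise.gsps-sda.com"),),)}

# Constructed: a reissued certificate listing both names in the SAN.
REISSUED_CERT = {
    "subject": ((("commonName", "sda-ise.gsps-sda.com"),),),
    "subjectAltName": (("DNS", "sda-ise.gsps-sda.com"),
                       ("DNS", "mydevices.gsps-sda.com")),
}

if __name__ == "__main__":
    for label, cert in (("cn only", CN_ONLY_CERT), ("reissued", REISSUED_CERT)):
        print(label, san_coverage(cert, FQDNS))
```
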

The SAN is empty but the CN matches the FQDN. The DNS server has both FQDNs.

Is this issue resolved? Your comment seems to suggest otherwise. If not, please check if you have a proxy or anything configured on the browsers and, if possible, collect a packet capture on the ISE filtering the client's IP to see what is happening.

Agree, also contact TAC.

Problem solved. Needed to add exception for lab domain in client browser. Thanks for the guidance.