269 Views | 5 Helpful | 6 Replies

ISE Wildcard Cert issue

N3om
Level 1

Hi

I have just re-added a wildcard cert to ISE as it was about to expire. When I now try connecting to the guest wireless network I don't get to the portal page, and I get a warning saying this web page at https://guest.boarders.co.uk:8443 could not be loaded due to net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

Any ideas what I might have missed, please?

Thanks

1 Accepted Solution


Glad you found a resolution for the cert issue via the TAC.  I will keep that one in mind.

As for the question of SAN fields, this is up to

1) How the CA populated them (usually CAs will ensure that the Subject CN is always present somewhere in the SAN - e.g. if you submit a CSR with a Subject CN = www.zebra.com and forget to include www.zebra.com in the SAN, then any good CA will add it into the SAN)

2) How the browser chooses to select amongst multiple SAN entries. Perhaps there is an RFC out there that recommends/suggests the ordering, but I would think that the ordering of the SAN entries is arbitrary - as long as ONE of those entries satisfies the matching requirements - that's all that's required.


6 Replies

balaji.bandi
Hall of Fame

What certificate was there before, wildcard or SAN?

Look at the guidelines:

https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897

What ISE version? If the cert is good, try removing the old cert, reload ISE and test it.

Check below:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc64480

BB

Arne Bier
VIP

@N3om is this the error message you are seeing when you are redirected to the ISE Portal page on a guest device?   Doesn't sound like a certificate issue, since the certificate does not dictate what version of TLS is used.

Examine the new certificate anyway - does the browser manage to load it and can you verify that the new certificate is being presented to the browser?

Run a tcpdump on the ISE node to see what is going wrong with the TLS exchange. 

Have you tried restarting the PSN node (app stop ise, reload)?

@Arne Bier I think we had hit a bug which Cisco published a while back as I went through the steps Cisco suggested and it seems to have worked.

1. Create a self-signed cert for the guest portal.

2. Delete the new wildcard cert, and the old one if still there.

3. Reload the PSN and PAN nodes.

Here's another question if I may: when I watch tutorials online for adding a wildcard cert via CSR, the first DNS field is e.g.

ise.local.co.uk, then the second DNS field is *.local.co.uk. I haven't done it like this, as the last cert didn't have it. I have got:

*.boarders.co.uk

boarders.co.uk

Our guest portal is actually guest.boarders.co.uk.

Any idea which is the correct way, please? And why?

Thanks

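To make the accepted solution's point about SAN matching concrete, here is an added Python example (written for this page; it is not Cisco or ISE code). It implements the wildcard rules of RFC 6125 section 6.4.3 so you can see which of the poster's two SAN entries covers which name, and it includes a small connection check in the spirit of Arne Bier's suggestion to confirm which certificate and TLS version the portal really presents. The SAN list in the block is constructed from the poster's description, not read from a real certificate, and the host in the commented-out live call is a placeholder.

```python
"""Added example for this thread (not Cisco/ISE tooling): decide which
hostnames a certificate's DNS SAN entries cover, following the wildcard rules
of RFC 6125 section 6.4.3, and optionally fetch what a live portal presents."""
import socket
import ssl


def _wildcard_entry_is_valid(labels):
    """A wildcard is honoured only as the whole left-most label, with at
    least two labels after it (so "*.com" is never accepted)."""
    if any("*" in lab for lab in labels[1:]):
        return False  # wildcard outside the left-most label is not allowed
    if labels[0] != "*":
        return False  # partial wildcards such as "gu*" are rejected
    return len(labels) >= 3


def hostname_matches_san(hostname, san_dns_names):
    """True if any DNS SAN entry covers hostname (case-insensitive).

    A wildcard matches exactly one label: *.boarders.co.uk covers
    guest.boarders.co.uk but neither boarders.co.uk nor a.b.boarders.co.uk,
    which is why the apex name needs its own SAN entry."""
    host = hostname.rstrip(".").lower().split(".")
    for entry in san_dns_names:
        pat = entry.rstrip(".").lower().split(".")
        if len(pat) != len(host):
            continue
        if any("*" in lab for lab in pat) and not _wildcard_entry_is_valid(pat):
            continue
        if all(p == "*" or p == h for p, h in zip(pat, host)):
            return True
    return False


def covering_entry(hostname, san_dns_names):
    """Return the first SAN entry that covers hostname, or None."""
    for entry in san_dns_names:
        if hostname_matches_san(hostname, [entry]):
            return entry
    return None


def presented_cert(host, port=8443, timeout=5.0):
    """Connect and report the TLS version, cipher and SAN list really served.

    Name checking is disabled so a mismatched cert can still be inspected;
    chain validation stays on, so an untrusted (e.g. self-signed) cert raises
    ssl.SSLCertVerificationError. A negotiation failure such as the browser's
    ERR_SSL_VERSION_OR_CIPHER_MISMATCH surfaces as ssl.SSLError, which is the
    finding itself: the fault is in the TLS handshake, not in name matching."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "san_dns": sans,
                "covers_host": hostname_matches_san(host, sans),
            }


if __name__ == "__main__":
    # Constructed SAN list mirroring the poster's description, not read from a real cert.
    sans = ["*.boarders.co.uk", "boarders.co.uk"]
    for name in ("guest.boarders.co.uk", "boarders.co.uk", "a.b.boarders.co.uk"):
        print(f"{name:22} covered by: {covering_entry(name, sans)}")
    # Against a live portal (placeholder host, not a real target):
    # print(presented_cert("ise-psn.example.com", 8443))
```

For the poster's case the output shows that `*.boarders.co.uk` covers `guest.boarders.co.uk`, the apex entry `boarders.co.uk` is what covers the bare domain, and a deeper name such as `a.b.boarders.co.uk` is covered by neither. The tutorial form (`ise.local.co.uk` plus `*.local.co.uk`) is also valid; the explicit node name is simply redundant with the wildcard. The code does not consult the public suffix list, so an entry like `*.co.uk` that browsers refuse would be accepted here; that check is deliberately left out to keep the matching logic readable.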