350-401 · Question #1084
An engineer modifies the existing ISE guest portal URL to use a static FQDN. Users immediately report that they receive certificate errors when they are redirected to the new page. Which two additiona
The correct answer is A. Add a new DNS record to resolve the FQDN to the PSN IP address B. Create and sign a new CSR that contains the static FQDN entry. To resolve certificate errors after changing an ISE guest portal URL to a static FQDN, a new DNS record must map the FQDN to the PSN IP, and a new SSL certificate containing the static FQDN must be generated and installed.
Question
An engineer modifies the existing ISE guest portal URL to use a static FQDN. Users immediately report that they receive certificate errors when they are redirected to the new page. Which two additional configuration steps are needed to implement the change? (Choose two.)
Options
- AAdd a new DNS record to resolve the FQDN to the PSN IP address
- BCreate and sign a new CSR that contains the static FQDN entry
- CManually configure the hosts file on each user device.
- DDisable HTTPS on the WLC under the Management menu
- EAdd the FQDN entry under the WLC virtual interface
How the community answered
(47 responses)- A66% (31)
- C19% (9)
- D4% (2)
- E11% (5)
Why each option
To resolve certificate errors after changing an ISE guest portal URL to a static FQDN, a new DNS record must map the FQDN to the PSN IP, and a new SSL certificate containing the static FQDN must be generated and installed.
For users to successfully reach the guest portal using the new static FQDN, a DNS record (typically an A record) must be created and propagated that accurately resolves the FQDN to the IP address of the Policy Service Node (PSN) hosting the guest portal service.
When the FQDN associated with a web service like an ISE guest portal changes, the existing SSL certificate becomes invalid because its Subject Alternative Name (SAN) or Common Name (CN) no longer matches the new FQDN; therefore, a new Certificate Signing Request (CSR) must be generated that includes the new static FQDN, signed by a trusted Certificate Authority (CA), and then installed on the ISE PSN.
Manually configuring the hosts file on each user device is not a scalable, practical, or manageable solution for a production guest network.
Disabling HTTPS would remove encryption, compromising the security and integrity of the guest portal, which is an unacceptable security practice.
Adding the FQDN entry under the WLC virtual interface is irrelevant to the ISE guest portal's FQDN and certificate, as the WLC virtual interface primarily handles the WLC's own management or client redirection.
Concept tested: Cisco ISE guest portal FQDN and SSL certificate management
Source: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216262-configure-and-troubleshoot-ise-posture-a.html
Topics
Community Discussion
No community discussion yet for this question.