ISE 1.1 - Error Custom Guest Portal

Similar Messages

• Activate custom guest portal in ISE

  This question must sound stupid, but I'm struggling with it four two days now without success:
  I've managed to upload custom HTML files for a custom guest portal via
  Administration -> Web Portal Management ->Settings -> Guest -> Multi-Portal Management
  and assigned files for the four required File Mappings (Login, AUP, Guest Success, Error)
  However, where do I configure that this custom portal is actually used?
  The only observable Difference to the DefaultGuestPortal I find is that under Authentication, it has the setting Identity Store Sequence = Guest_Portal_Sequence (greyed out) while my custom portal has this field empty (and also greyed out).
  I merely found in the docs that the redirection URL should be schanged to mathc the portal name. However, my guess is that this URL is a RADIUS option and should thus be configurable on the ISE - somewhere, but I found nothing.
  (While we're at it: Where can I configure the redirection to take place with hostname instead of ip? All examples in docs seem to use ip, but that is of course ridiculous in connection with https as it makes the use of certificates from well-known CAs impossible)

  Andreas:
  You better move your discussion to Security -> AAA forums. They will be able to help you better.
  Rating useful replies is more useful than saying "Thank you"

• ISE 1.2 customizing guest portal

  I am having some issues trying to customize colours on the default guest portal in ISE 1.2.
  Is there really no way to change the entire page background colour, except going through creating a complete set of html files ?
  It seems if i upload a transparent background image for both the banner and the logo, and then change the all the gackground coulour settings, the colour only affects the area where the cisco splash logo is, and not the entire page.
  I attached my settings, and how the page looks with those, what i am after is the entire page black, and then white text.

  Hello Jan
  You can customize the look-and-feel of the end-user portals by uploading your company's logos, background images, or color schemes. These changes apply to the My Devices, Sponsor, and Guest portals, but you can assign different images and colors to the mobile Guest portal.
  These settings allow you to change the appearance of the portals without having to upload customized HTML files to the Cisco ISE server. However, if you want to create themes unique to specific Guest portals, you must upload your custom HTML files instead.
  Step 1 Choose Administration > Web Portal Management > Settings > General > Portal Theme.
  Step 2 Upload the graphics and change the color settings in the Style Settings section to customize the standard portals.
  Step 3 Upload the graphics and change the color settings in the Mobile Device Style Settings to customize the Guest mobile portal.
  Step 4 Click Save.

• Ise 1.2, cannot access guest portal

  I upgraded from 1.1.4 patch 3 to 1.2 but cannot access guest portal anymore nor with FQDN:8443 nor with IP:8443
  any idea?

  I had attached the steps to configure the guest portal and hope will address the problem.
  Configuring the Guest Portal
  Adding a New Guest Portal You must configure settings for the Guest portal before allowing guests to use it to access the network. Some settings apply globally to all Guest portals and other require you to set them for each portal individually.
  You can add a new Guest portal or edit an existing one.
  Step 1Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations.
  Step 2Click Add.
  Step 3Update the fields on each of these tabs:
  •General—enter a portal name and description and choose a portal type.
  •Operations—enable the customizations for the specific portal
  •Customization—choose a language template for displaying the Guest portal with localized content
  •File Uploads—displays only if you have chosen a portal type requiring you to upload custom HTML files.
  •File Mapping— identify and choose the HTML files uploaded for the particular guest pages. Displays only if you have chosen a portal type requiring you to upload custom HTML files.
  •Authentication—indicate how users should be authenticated during guest login.
  Step 4Click Submit.
  Specifying Ports and Ethernet Interfaces for End-User Portals
  You can specify the port used for each web portal allowing you to use different ports for the end-user portals: Sponsor, Guest (and Client Provisioning), My Devices, and Blacklist portals. The Client Provisioning portal uses ports 8905 and 8909 for posture assessments and remediation, which you cannot change. Otherwise, it uses the same ports assigned to the Guest portal.
  You can also partition portal traffic to specific Gigabit Ethernet interfaces. For example, you might not want the Admin portal (which always uses GigabitEthernet 0) available on the same network as guest users or employee devices.
  Step 1Choose Administration > Web Portal Management > Settings > General > Ports.
  Step 2Enter the port value in the HTTPS Port field for each portal. By default, the Sponsor, Guest, My Devices portals use 8443, and the Blacklist portal uses port 8444.
  Step 3Check the Gigabit Ethernet interfaces you want to enable for each portal.
  Step 4Click Save.
  If you have changed the port settings, all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
  Tips for Assigning Ports and Ethernet Interfaces
  •All port assignments must be between 8000-8999. This port range restriction is new in Cisco ISE 1.2. If you upgraded with port values outside this range, they are honored until you make any change to this page. If you make any change to this page, you must update the port setting to comply with this restriction.
  •You must assign the Blacklist portal to use a different port than the other end-user portals.
  •Any portals assigned to the same HTTPS port also use the same Ethernet interfaces. For example, if you assign both the Sponsor and My Devices portals to port 8443, and you disable GigabitEthernet 0 on the Sponsor portal, that interface is also automatically disabled for the My Devices portal.
  •You must configure the Ethernet interfaces using IP addresses on different subnets. Refer to these guidelines to help you decide how best to assign ports and Ethernet interfaces to the end-user portals:
  Specifying the Fully Qualified Domain Name for Sponsor and My Devices Portals
  You can set the Sponsor and My Devices portals to use an easy-to-remember fully-qualified domain names (FQDN), such as: mydevices.companyname.com or sponsor.companyname.com. Alternatively, Cisco ISE also supports wildcard certificates to address certificate name mismatch issues. You must configure DNS to resolve to at least one policy services node. If you have more than one policy services node that will provide portal services, you should configure high availability for the portal. For example, you could use a load balancer or DNS round-robin services.
  Before You Begin
  Step 1Choose Administration > Web Portal Management > Settings > General > Ports.
  Step 2Scroll to the Portal FQDNs section, and check the appropriate setting:
  •Default Sponsor Portal FQDN
  •Default My Devices Portal FQDN
  Step 3Enter a fully qualified domain name.
  Step 4Click Save, and all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
  Step 5Configure the network DNS server so that it resolves the FQDN to the Sponsor or My Devices portal nodes. You must also update DNS to ensure the FQDN of the new URL resolves to a valid policy service node IP address. Additionally, to avoid certificate warning messages due to name mismatches, you should also include the FQDN of the customized URL in the subject alternative name (SAN) attribute of the local server certificate of the Cisco ISE policy service node.

• Custom Guest Portal

  Hello. Can I change default web guest portal: change background picture, logo, and add some-things.
  Thansk.

  You can customize a portal theme, changing text, banners, background color, and images.
  This section shows you how to create a custom portal theme, by setting and applying customized options.
  You can follow the same steps to modify an existing customized portal theme.
  Note: Supported image formats include jpg, jpeg, gif, and png.
  To customize a portal theme, complete the following steps:
  Step 1: From the Cisco ISE Administrator interface choose:
  Administration > Guest Management > Settings.
  Step 2: In the Settings panel on the left, Select
  General > Portal Theme. (The Portal Theme page appears on the right.)
  Step 3: Customize the portal theme in the following ways:
  Change the Login Page Logo.
  This setting allows you to change the logo on the portal Login page. You can choose the default Cisco
  Logo or upload a custom image.
  To upload a custom login page logo, complete the following steps:
  Step 1: Select Upload New File from the drop-down menu.
  Step 2: Click Browse, navigate to and select the desired image file.
  Step 3: Click Open.
  Recommended guidelines for a login page logo image are as follows:
  • Height: 16-480 pixels
  • Width: 16-480 pixels
  Change the Login Page Background Image.
  This setting allows you to change the background image on the portal login page. You can choose the
  default Cisco background or upload a custom background image.
  To upload a custom background image, complete the following steps:
  Step 1: Select Upload New File from the drop-down menu.
  Step 2: Click Browse, navigate to and select the desired image file.
  Step 3: Click Open.
  Customize the Banner Logo
  This setting allows you to change the portal banner logo. You can choose the default Cisco banner or
  Upload a custom banner logo.
  To upload a custom banner logo, complete the following steps:
  Step 1: Select Upload New File from the drop-down menu.
  Step 2: Click Browse, navigate to and select the desired image file.
  Step 3: Click Open.
  Customize the Banner Background Image
  This setting allows you to change the portal banner background image. You can choose the default Cisco
  Background or upload a custom background image.
  To upload a custom banner background, complete the following steps:
  Step 1: Select Upload New File from the drop-down menu.
  Step 2: Click Browse, navigate to and select the desired image file.
  Step 3: Click Open.
  Change the Login Background Color
  This setting allows you to change the background color of the portal login page.
  To change the login page background color, complete the following steps:
  Step 1: Enter the color value as a RGB (Red Green Blue) hexadecimal value in HTML color format, such as the following: FFFFFF. Each pair of hexadecimal digits expresses an RGB value from 0-255.
  Step 2: Click Show Color to display the specified color.
  Customize the Banner Background Color
  This setting allows you to change the banner background color of the portal. To set the login background color, complete the following steps:
  Step 1: Enter the color value as a RGB (Red Green Blue) hexadecimal value in HTML color format, such as the following: FFFFFF. Each pair of hexadecimal digits expresses an RGB value from 0-255.
  Step 2: Click Show Color to display the representative color.
  Sponsor Settings
  Customize the Content Background Color
  This setting allows you to change the content background color for the portal pages.
  To change the content background color for the portal, complete the following steps:
  Step 1: Enter the color value as a RGB (Red Green Blue) hexadecimal value in HTML color format such as FFFFFF. Each pair of hexadecimal digits expresses an RGB value from 0-255.
  Step 2: Click Show Color to display the representative color.

• ISE 1.2.1.198 - Guest Portal Configuration

  Is it possible to customize the default portal and add a paragraph any where on the login page with instructions?  I've tried adding the text in the Pre-Login Banner Text field, and it does wrap to the next line, but text goes of the screen before wrapping.  Would like to be able to add carriage return in the text, so text would scroll off the screen.

  ISE 1.3 (due out in November time frame) will have a huge amount of customization of the portal available for your use.
  If you really need to do it before then, and you have an ISE-certified Authorized Technology Partner you're working with, they have access to a Guest Portal Builder tool that can be used.
  Failing those, you're back to changing the native html code for the portal by hand. Not recommended.

• Cisco ISE 1.2.1.198 Guest Portal Vlan Override at Mobile Device (android,IOS) not working

  Hi Guy, 
  In my ISE deployment, once the guest succcesful authenticated will be assign guest VLAN for internet access.
  we are using guest portal to do the vlan override once user authenticated.
  Window 7 Internet explorer (Active X), Chrome (Java Aplet) is working fine.
  but Android,Apple IOS devices unable to release the DHCP and get new DHCP.
  because from ISE and WLC we can see the Vlan have change, how mobile devices initiate dhcp release for Guest Portal
  Kindly advice.
  Regards
  Freemen

  I don't have such documentation nor I could find any on Cisco's site. With that being said, it doesn't mean that it doesn't exist. I just know that Active X is windows specific framework and Java is not supported on either iOS nor Android:
  http://www.java.com/en/download/faq/java_mobile.xml
  The good news is that Cisco appears to be steering away from Java so it is possible that in the future this will be supported. 
  Hope this helps!
  Thank you for rating helpful posts!

• ISE Domain Name, Certificates and Guest Portal

  Hi everyone,
  We have an ISE deployment using our internal domain for its FQDN (For example: ise01.private.local). We now want to use it for authenticating guest access and have noticed the redirection URL by default uses the FQDN of the ISE server.
  This works fine for our corporate machines as we have our own internal CA and generated certificates. As we do not want certificate errors occurring for our guests, we need to use a public FQDN.
  Are we best off changing the domain-name used by the ISE servers or is there a way to edit the redirection URL to use a custom domain?
  I have heard suggestions that changing the domain-name is unsupported, but I can't find any other way.
  Thanks,
  Mark

  Mark,
  Do you already have a public FQDN pointing to your ISE?  If so, let's assume that you are authenticating guests using CWA.  First creat a new Authorization Profile, under Common Tasks, select Web Redirection (CWA, DRW, MDM, NSP, CPP), Choose the Authentication Method (in this case, CWA) and define the ACL to be used.  Just below that, select Static IP/Host Name and enter the public FQDN that points to your ISE.
  From here you can create an Authorization Policy to reference the profile you just created.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• ISE Guest Portal - Error Resource not found

  Hello,
  When I create a guest user through the sponsor portal, then try to login with this guest user through the Guest Portal, after I press login button, the following error message occurs and do not know what to do to solve.
  Error: Resource not found.
  Resource: /guestportal/
  None of the messages on the forum about it helped me to solve the problem.
  I am using ISE 1.1.3.124 and this is a new re-image appliance.
  Can anyone help?                  

  Hello,
  As you are not able to  get the guest portal, then you need to assure the following things:-
  1) Ensure that the  two  Cisco av-pairs that are configured on the authorization profile should  exactly match the example below. (Note: Do not replace the "IP" with the  actual Cisco ISE IP address.)
  –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
  –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also  defined on the access switch)
  2) Ensure that the URL redirection portion of the ACL have been applied  to the session by entering the show epm session ip   command on the switch. (Where the session IP is the IP address that is  passed to the client machine by the DHCP server.)
  Admission feature : DOT1X
  AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
  URL Redirect ACL : ACL-WEBAUTH-REDIRECT
  URL Redirect :
  https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
  0000A45A2444BFC2&action=cpp
  3) Ensure that the preposture assessment DACL that is enforced from the  Cisco ISE authorization profile contains the following command lines:
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  remark ping
  permit icmp any any
  permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
  permit tcp any host 80.0.80.2 eq www --> Provides access to internet
  permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
  port
  permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8906 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  deny ip any any
  Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
  4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on  the switch as follows:
  ip access-list extended ACL-WEBAUTH-REDIRECT
  deny ip any host 80.0.80.2
  permit ip any any
  5) Ensure that the http and https servers are running on the switch:
  ip http server
  ip http secure-server
  6) Ensure that, if the client machine employs any kind of personal  firewall, it is disabled.
  7) Ensure that the client machine browser is not configured to use any  proxies.
  8) Verify connectivity between the client machine and the Cisco ISE IP  address.
  9) If Cisco ISE is deployed in a distributed environment, make sure that  the client machines are aware of the Policy Service ISE node FQDN.
  10) Ensure that the Cisco ISE FQDN is resolved and reachable from the  client machine.
  11) Or you need to do re-image again.

• How to use ISE Guest Portal for AD users

  Hi there,
  As  subject explains all, I want to use ISE Guest Portal for my domain  users. I have tried many different ways to authenticate users and  finally I came to the conclusion that ISE CWA works pretty well and is  very stable. WLC Webauth sucks alot, does not redirect to the login page  always.
  Can  you please share what other ways are stable ways to authenticate AD  users? I know about WPA 802.1x authentication but that requires a CA in  the network which is not available at the moment. So can you please  Suggect?
  Otherwise,  I want to use ISE Guest Portal for my AD users as well. AD is already  integrated to ISE, the issue happens when I attempt to athenticate using  AD user account, the user gets authenticated but the Guest Portal  redirects me to Device Provissioning page and there it shows an error  saying "there is not policy to register the device, contact system  admin"
  Am I missing something??
  I am running WLC 5760 with ISE 1.2
  Thanks in advance..

  Hi,
  Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
  In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to redirected to a web page multiple times throughout the day, scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exist. You also gain WPA encryption on your WLAN, if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• ISE 1.3 Sponsored Guest Portal Login Failure

  Hello Team,
  Ive created a guest account in the sponsor portal for a test guest user, however the state remains in "created" state.
  Now when the user tries to log on via the sponsored guest portal the error back is "invalid username or password".
  In ISE logs it says :
  Overview
  Event
  5418 Guest Authentication Failed
  Username
  bnawaz01 
  Endpoint Id
  Endpoint Profile
  Authorization Result
  Actions
  Troubleshoot Authentication
  View Diagnostic Messages
  Audit Network Device Configuration
  View Network Device Configuration
  View Server Configuration Changes
  -->Authentication Details
  Source Timestamp
  2014-12-24 08:49:05.551
  Received Timestamp
  2014-12-24 08:49:05.553
  Policy Server
  DC1-ISE-DMZ01
  Event
  5418 Guest Authentication Failed
  Failure Reason
  Account is not yet active.
  Resolution
  Root cause
  Username
  bnawaz01
  User Type
  GuestUser
  Endpoint Id
  Endpoint Profile
  IP Address
  Authentication Identity Store
  Guest Users
  Identity Group
  GuestType_Contractor (default)
  Audit Session Id
  Authentication Method
  PAP_ASCII
  Authentication Protocol
  PAP_ASCII
  Service Type
  Network Device
  Device Type
  Location
  NAS IP Address
  NAS Port Id
  NAS Port Type
  Authorization Profile
  Posture Status
  Security Group
  Response Time 
  Any ideas why this might be, if im doing something wrong and how to fix?
  Thank you
  Bilal

  I have had the same issue, the fault is caused by the time zone in the sponsor groups being set by default to UTC, so if you are in London the accounts wont become available until UTC time. The best practice is to add a local time zone and remove UTC at initial configuration
  To resolve this create a new local time zone in Guest Access>Settings>Guest Locations and SSIDs then under Guest Access>Configure>Sponsor Groups amend the time zone properties in each sponsor group
  One other problem is if you do not remove this at initial configuration you don't seem to be able to get rid of UTC, not really an issue unless you forget when creating new sponsor groups

• Cisco ISE Guest Portal - DNS Issue - External Zone

  Hello,
  I have a customer that has the following sceanrio :
  In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redictect  URL  from ISE (URL to access the ISE Guest Portal), this URL is based on  the  ISE DNS name, not on its IP address; so, the PC can't resolve  this via DNS name since there is no DNS in the External zone (for guets) or by using the ISP DNS servers addresses provided  by the  DHCP server, and, so, it can't access the Guest Portal at all ;
  I know that in trying to manually code the IP address - this does not work (ie in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
  cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa, )
  since the sessionIdValue variable is not replaced by its real value when sent to the wireless client)
  My question is : Has this issue been addressed in version Cisco ISE 1.2 - has anyone tried it if has been addressed? If not in Cisco 1.2 - does anyone know iof this feature will become available?
  Thank-you in advance for your replies.
  Robert C.

  Robert,
  Manual assignment has been made available in ISE 1.2 release.
  M.

• Cisco ISE 1.2 Guest Portal customization with vWLC redirect

  Hello Support Community,
  we have a problem regarding customized web authentication on ISE 1.2 with Package ISE12CustomPortalPackage-v4.zip. We have a Virtual Wireless Controller where we do a redirect to ISE. When we use default guest portal on https://x.x.x.x:8443/guestportal/Login.action authentication and authorization works fine. When we do redirect to Cisco templates on https://x.x.x.x:8443/guestportal/portals/example/Login.html customized login page is displayed and after correct authentication guest successful page is displayed but we can't go to any webserver although ISE shows authentication and authorization as successful. When we try to reach a webserver after successful authentication we get redirected to customized login site. Virtual Wireless Controller shows client aus "Webauth Required" after successful authentication. Central Web Authentication isn't possible because we have a different AAA Server for 802.1X and only use wired guest access on a particular VLAN from WLC. Are there any known issues regarding customization template or is there something wrong regarding our redirect?
  I hope somebody can help us.
  Best Regards
  Benjamin

  Hello Neno,
  1. I attached screenshots below.
  2. There is nothing related to this client.
  3. I attached Debug below.
  We are currently using MAB on our switches as a fallback to our 802.1X on our wired access. Order and Priority currently is 802.1X/MAB/Auth-Fail-VLAN. CWA is based on a failed MAC-Authentication which leads to an Authorization Profile to permit access with Webauth.
  If you configure Wired guest access on WLC there isn't a possibility to configure MAC-Authentication.
  CWA on our switches isn't possible because we are currently using failed MAC-Authentication to direct clients to our Auth-Fail-VLAN which has restricted access secured by SVI-ACL which allows us HTTP Access to printers (manual Cert Deployment) and automated Cert enrollment to our computers.
  Best Regards
  Benjamin

• Pb to reach ISE Guest portal due to DNS constraints

  I have set up a Guest Portal with WLC 5508 7.4 and ISE 1.1.1 ;
  everything is OK, except one thing :
  the  Guest VLAN, associated to the Guest SSID is, actually, a DMZ behind my  customer firewall and the DHCP parameters provided to the wireless Guest  equipement connected on this VLAN include the public ISP DNS servers  addresses, not the customer internal DNS serveurs addresses;
  this  seems OK since the idea of this Guest SSID is to give a pure Internet  access to the Guests, and no connection at all towards the customer  internal servers;
  the  problem is that, when the wireless guest receives the redictect URL  from ISE (URL to access the ISE Guest Portal), this URL is based on the  ISE DNS name, not on its IP address; so, the PC can't resolve this  internal DNS name by using the ISP DNS servers addresses provided by the  DHCP server, and, so, it can't access the Guest Portal at all ;
  Apart  from changing those DNS values in the DHCP server (the customer does  not accept this solution), how could we solve this problem ?
  I have tried to code manually , in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
  cisco-av-pair=url-redirect=https://192.168.1.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa,
  but, it does not work, since the sessionIdValue variable is not replaced by its real value when sent to the wireless client
  any comment welcomed

  We had the same issue. Our solution was to advertise the internal IP address from our external facing DNS server and let it propagate publicly.  Our ISE box is in a DMZ and the firewall rules do not allow outside traffic to it, however the clients will get the correct internal IP address and since they are already inside the firewall on the DMZ segment they are able to get to the ISE box with the publicly resolved internal IP address.  The other option we entertained was a firewall DNS redirect.  That would work by intercepting the DNS request for that specific URL and return the proper internal IP, all other DNS requests would pass through to the public DNS server.

• ISE Guest portal digital public certificate with dual deployment

  I have a deployment of ISe which has a primary and secondary node.  We are using ISE for Guest web access and it's Guest portal functionality.
  I have installed a public VeriSign certificate onto the primary node so that guest users don't certificate errors when they get redirected to the guest portal.
  We have a DNS server with an entty for the guest portal URL e.g. guest.company.com with the IP adresses of both ISE servers.
  When users are loggin onto the guest wireless it is pot luck whether or not they get the primary ISE node because of the DNS round robin of the ISE IP addresses.
  Is there anyway to make the secondary ISE node use the Verisign certificate as well or do I need to buy another certificate which is linked to the secondary ISE nodes FQDN?
  (the certificate I have currently has a CN of the FQDN of the primary ISE server with subject alternative names of the secondary ISE node and the guest web redirect URL).
  Any help would very much be appreciated.
  thanks
  Craig

  Hi Craig,
  Please check the below link with a similar prob,  might help.
  https://supportforums.cisco.com/thread/2161878