topic Re: What should be checked in the Usage checkbox when CSR binds? in Network Access Control

What should be checked in the Usage checkbox when CSR binds?

JustTakeTheFirstStep — Thu, 22 Apr 2021 04:43:21 GMT

I am installing a certificate on ISE.

I added the Root_Bundle certificate to Trusted Certificates and it's time to do CSR bind.

I will try the pem file to CSR bind.

Please advise what items should be checked in the checkbox

My purpose is to prevent the Untrutsted Server message from popping up when using Anyconnect Posture.

For reference, ASA has a certificate installed.

Re: What should be checked in the Usage checkbox when CSR binds?

Anurag Sharma — Mon, 08 Jun 2020 10:50:49 GMT

Hi @JustTakeTheFirstStep ,

You need to check the Portal option checked.

Make sure the FQDN you used is in the CN field of this cert.

Re: What should be checked in the Usage checkbox when CSR binds?

saxenanitesh8522 — Mon, 08 Jun 2020 13:00:32 GMT

It would eap and portal.

it is suggested to CA for admin as well where your GUI is also present

Re: What should be checked in the Usage checkbox when CSR binds?

Anurag Sharma — Mon, 08 Jun 2020 14:54:53 GMT

Be careful if you choose EAP as well. Since this is for VPN authentications, EAP is not required.

If you choose EAP, then ensure that your corporate devices (doing 802.1x) are able to validate the server.

Re: What should be checked in the Usage checkbox when CSR binds?

saxenanitesh8522 — Mon, 08 Jun 2020 15:57:52 GMT

Hi,

Sorry if you are doing SSL VPN this certificate error is from ASA and its web page its trust point.

As stated above by Anurag i hope you are already using EAP for user as well with the corporate certificate

Re: What should be checked in the Usage checkbox when CSR binds?

JustTakeTheFirstStep — Mon, 08 Jun 2020 23:46:20 GMT

Thank you for reply
We are not using EAP certificates.
Do I need to prepare certificates for Portal and EAP respectively for SSL VPN??
If I understand it, do I need 2 certificates??
According to Anurag Sharma, is it true to only check the Portal checkbox?
I am confused who is right.

Re: What should be checked in the Usage checkbox when CSR binds?

saxenanitesh8522 — Tue, 09 Jun 2020 04:24:49 GMT

Hi,

Sorry for the confusion lets just sort it out Anurag and me we are trying to just help.

Question 1:- 172.30.1.55 --> is this an ISE IP address?

Question 2:- did you create a wildcard certificate for this or is it a Local CA certificate?

Question 3:- As you said you are using Anyconnect Posture ? are you dong Dot1x authentication?

Posture technically only requires a portal page certificate but dependency is on the other things as well.

Are you doing Posture you have to do Dot1x authentication as well through the ISE.

please let us know your complete requirement?

Re: What should be checked in the Usage checkbox when CSR binds?

Anurag Sharma — Tue, 09 Jun 2020 05:00:53 GMT

@saxenanitesh8522 ,

Regarding this statement - "Are you doing Posture you have to do Dot1x authentication as well through the ISE.". This is not true if Posture is being done for VPN clients. VPN clients do normal RADIUS auth and then posture. No EAP is required.

Re: What should be checked in the Usage checkbox when CSR binds?

Anurag Sharma — Tue, 09 Jun 2020 05:03:44 GMT

@JustTakeTheFirstStep ,

Please mark Portal and test it out. If testing goes well, you don't need to do anything.

You can move the service (Portal, EAP, etc.) from one certificate to another even after certificate has been imported, if required.

Re: What should be checked in the Usage checkbox when CSR binds?

saxenanitesh8522 — Tue, 09 Jun 2020 05:07:49 GMT

@Anurag Sharma

I agree but he has not mentioned if he is doing VPN Posture or Dot1x then Posture?

Thats the reason asked what the complete scenario he is trying to do?

Re: What should be checked in the Usage checkbox when CSR binds?

Anurag Sharma — Tue, 09 Jun 2020 05:45:39 GMT

Yep, I believe it's a continuation from the post they made before this. See:

https://community.cisco.com/t5/network-access-control/please-help-install-a-3rd-party-ca-certificate-in-ise/m-p/4099232#M561003

Re: What should be checked in the Usage checkbox when CSR binds?

saxenanitesh8522 — Tue, 09 Jun 2020 10:07:45 GMT

@Anurag Sharma then yes thats there.

@JustTakeTheFirstStep if you are doing the posture for Any connect users VPN then Portal has to be with the correct certificate. Just make sure you using a Portal tag in the same web-page for the Posture Page so you wont get that error.

Re: What should be checked in the Usage checkbox when CSR binds?

JustTakeTheFirstStep — Mon, 26 Apr 2021 07:46:43 GMT

@saxenanitesh8522 , @Anurag Sharma

Thank you very much for the two people who were interested in my question.

I seem to have solved one of the certificate messages using the Portal option.

Before the left is after the right.

When Posture is running, connecting to a domain other than IP seems to solve all my problems.

What additional settings do I need to resolve to "certificate does not match the server name"??

Please refer to the attached file.

Re: What should be checked in the Usage checkbox when CSR binds?

Anurag Sharma — Tue, 09 Jun 2020 14:50:20 GMT

Hi @JustTakeTheFirstStep

Is this the first time you are connecting?

Is the posture XML file already present on the machine?

In the Authorization profile for 'Posture_Unknown' state, make sure you have not chosen the Static IP/Host Name/FQDN option is unchecked.

Re: What should be checked in the Usage checkbox when CSR binds?

saxenanitesh8522 — Wed, 10 Jun 2020 05:21:01 GMT

I assume you are using Portal webpage on the configured port.

the default ADMIN certificate did you put a SAN name with an IP address.

Because when the portal redirection happens it goes to the ISE then it goes for redirect to the posture.

I could be that reason firstly.

Secondly the certificate for the Portal what did you use as CN and SAN you can view that from ISE for the Portal

The issue is the way the certificates were installed mostly thats why you are getting this issue.

Re: What should be checked in the Usage checkbox when CSR binds?

JustTakeTheFirstStep — Mon, 15 Jun 2020 03:52:31 GMT

Thanks to the two of you, I successfully completed the installation of the certificate.

Thank you very much.