topic Re: Secure client Certificate error with cisco ise posture in Network Access Control

Secure client Certificate error with cisco ise posture

jperez netics — Mon, 02 Oct 2023 21:27:23 GMT

i currently have an enviroment where i have a DC, with CA role, and a cisco ISE with EAP authentication and portals working just fine, but when i do posture with cisco secure client ISE posture, i get an issue with the certificate that says "Certificate is not identified for this purpose"

I was searching over the internet for this problem and could not find the solution

I am using the same certificate for EAP authentication, portal, and admin, the cert is from a private CA and the certificate chain is distributed over the endpoints that i'm trying to posture

The ISE certificate EKU are "server authentication" and "client authentication" because it is multi purpose

I don't know if i am missing a certificate attribute or an ISE configuration because it only happens on posture, the certificate is only untrusted on posture

only for clarification, if i disable the option "block connections to untrusted servers" in Cisco Secure Client, i can posture with the warning showing every time

Re: Secure client Certificate error with cisco ise posture

Milos_Jovanovic — Tue, 03 Oct 2023 06:21:17 GMT

Hi @jperez netics,

You need to take a look into DART file, to understand from where does this message comes. If I would need to guess, I would say it is from Client Provisioning Portal - portal responsible to push necessary software and profiles to your PC when posturing. Go there and check which certificate you are using. Error message is about certificate being untrusted, meaning it is not related to attributes (KU, EKU, and similar) but rather for domains it signs.

Kind regards,

Milos

Re: Secure client Certificate error with cisco ise posture

jperez netics — Tue, 03 Oct 2023 13:30:03 GMT

Hi, i'm using the same certificate that i use for EAP auth, in fact, the client provisioning portal certificate is trusted in my browser, the warning only happens with the client, that's why i'm thinking that it can be a misconfiguration

the only thing that i found so far on dart logs regarding certs is this:

Function: LocalPolicy::GetTrustedISECertFingerprints
Thread Id: 0x8A0
File: LocalPolicy.cpp
Line: 83
Level: warn

XML exception: {1, missing key 'TrustedISECertFingerprints'}.

Function: HttpConnection::initializeTrustedISECertFingerprintsVec
Thread Id: 0x8A0
File: HttpConnection.cpp
Line: 861
Level: info

TrustedISECertFingerprints tag not found.

but i still don't know where i'm i wrong

Re: Secure client Certificate error with cisco ise posture

Milos_Jovanovic — Tue, 03 Oct 2023 13:37:01 GMT

Can you check configuration of "AnyConnectLocalPolicy.xml" under "C:\ProgramData\Cisco\Cisco Secure Client\"? There is a section related to CertificateTrust, and also for allowed servers.

Also, please check this post.

Kind regards,

Milos

Re: Secure client Certificate error with cisco ise posture

jperez netics — Tue, 03 Oct 2023 15:44:49 GMT

Information Update: this only happens with Anyconnect / Secure Client Downloader with ISE posture when the Scan begins, the same certificate is trusted in any other scenario

Re: Secure client Certificate error with cisco ise posture

jperez netics — Tue, 03 Oct 2023 17:19:28 GMT

after a series of tests, i figured out the additional certificate requirements for Posture

For certificate trust:

Proper CN and SAN
Proper certificate chain on the endpoint

For use with ISE in general

include the following EKU's:

Server authentication
Client authentication

And finally, for trusting in Anyconnect downloader

include the following KU's:

Non-repudiation
Key encipherment
Digital Signature

i figured it out after comparing the Self signed certificates from the ISE itself vs the Certificate signed by my internal CA (microsoft)

Re: Secure client Certificate error with cisco ise posture

RC0008 — Wed, 25 Oct 2023 02:12:21 GMT