Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
5772
Views
5
Helpful
7
Replies

Anyconnect ISE Posture

Go to solution
aravikumar
Level 1
Level 1

‎05-15-2019 07:50 AM - edited ‎02-21-2020 11:05 AM

When the endpoint configured for EAP-TLS machine authentication using machine certificate connects to network. Posture becomes compliant but the posture is happening repetitively. It always shows the following dialog box. Tried reinstalling the AC on the endpoint. The same is successful for wireless but failing for wired. Please help.

 

 

1 person had this problem
Error.jpg
Preview file
112 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to aravikumar

‎05-15-2019 09:13 AM

* is ok. I think then that your issue is your cert being used for ISE that is being presented. Is your server name identified at the bottom of the chain and in the common name? I think the ISE hostname needs to be reflected there. If using a wildcard cert you should be able to configure the psn hostnames as SAN.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎05-15-2019 07:55 AM

Please ensure that your host/s you are seeing the issue on have the cert chain being presented in the trusted stores. Then attempt to replicate the issue again.

Go to solution
aravikumar
Level 1
Level 1
In response to Mike.Cifelli

‎05-15-2019 07:57 AM

Hi Mike 

 

Thanks for the reply, The Certificate chain is there on the host and the trusted store in ISE. But the issue still persists.

 

Thanks,

 

Aravind.

0 Helpful

Go to solution
aravikumar
Level 1
Level 1
In response to Mike.Cifelli

‎05-15-2019 08:27 AM

After multiple attempts it says posture failed due to server issues

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to aravikumar

‎05-15-2019 08:37 AM

Please double check your profile configuration in ISE. Under the posture protocol 'server name rules' does that match the cert name being presented? What do you have configured there?

Policy->Policy elements->Results->Client Provisioning->Resources-><your profile>
0 Helpful

Go to solution
aravikumar
Level 1
Level 1
In response to Mike.Cifelli

‎05-15-2019 08:56 AM

I have it configured as "*". I have attached the screenshot, should I have the ISE PSNs listed there?

anyconnect_profile.png
Preview file
9 KB
0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to aravikumar

‎05-15-2019 09:13 AM

* is ok. I think then that your issue is your cert being used for ISE that is being presented. Is your server name identified at the bottom of the chain and in the common name? I think the ISE hostname needs to be reflected there. If using a wildcard cert you should be able to configure the psn hostnames as SAN.
0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to aravikumar

‎05-17-2019 07:35 PM

Mike.Cifelli is correct on this. Note that an ISE node may use different server certificates for admin and for portals. If you are not using FQDN with the port number configure for the client provisioning portal in the Call Home List (available in ISE 2.2+), the posture might use the cert for "admin".

If you need further help to troubleshoot this, please engage Cisco TAC.

0 Helpful
Top