I wish to ask about my Cisco ISE deployment. I am currently using Cisco AnyConnect version 4.9.05042 and Cisco ISE version 2.7.
So I am currently configuring a Client Provisioning Portal for my users to connect to the network. I have already set the System Certificates on the ISE to use the valid certificate that was signed by the enterprise CA for the portal, and I can access the portal via the Chrome browser without any certificate issue. Refer to screenshot Browser Access.
However, when I tried to log in using the corporate SSID, AnyConnect keeps giving an error "Untrusted Server Certificate". Refer to screenshot AnyConnect Error. I wish to troubleshoot so my users do not see this AnyConnect untrusted error.
My wild guess is the anyconnect certificate store is somehow different from the endpoint certificate store, but maybe any ideas of why this might have happened?
Can you share the details of the ISE portal cert? Specifically the EKU details? It seems that you could be missing, or have incorrectly configured, EKUs in the certificate template. Does the cert have the following EKUs:
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
Typically you should have separate certs for different functions/reasons. Not sure why your ISE cert has CRL signing & certificate signing KUs as they are not needed in this scenario. Also, you should absolutely increase your RSA key length from 1024 to at least 2048, but 4096 if feasible.
For this unique scenario you should only need the following KUs:
Digital Signature and Key Encipherment
I don't want to send you down the rabbit hole of generating a new cert etc., but I think that may be why your issue is occurring. However, if you are running an internal PKI then maybe testing my theory quick would not take that long. You would need your PKI admin to either tweak or create a new cert template to modify the items discussed. Lastly, to be honest I have not seen this before so it may be best to get with TAC & go from there just to be sure. Good luck & HTH!
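To test the theory above before involving the PKI admin, the checks the answer lists (serverAuth and clientAuth EKUs, only Digital Signature and Key Encipherment KUs, RSA key of at least 2048 bits) can be run against the exported portal certificate with openssl. This is an added example, not code from the thread or from Cisco; it assumes OpenSSL 1.1.1 or newer (for `-addext`) and builds two constructed self-signed certs with the hypothetical CN ise.example.com purely for the demo.

```sh
#!/bin/sh
# check_ise_portal_cert cert.pem -> exit 0 only if every property the answer asks for is present.
check_ise_portal_cert() {
  txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo "cannot parse $1"; return 2; }
  rc=0
  # EKUs: serverAuth (1.3.6.1.5.5.7.3.1) and clientAuth (1.3.6.1.5.5.7.3.2), as openssl prints them
  for eku in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
    if echo "$txt" | grep -q "$eku"; then echo "ok:   EKU $eku"
    else echo "FAIL: EKU $eku missing"; rc=1; fi
  done
  # KUs a TLS server cert needs; CA-style usages (Certificate Sign, CRL Sign) should not be on it
  for ku in "Digital Signature" "Key Encipherment"; do
    if echo "$txt" | grep -q "$ku"; then echo "ok:   KU $ku"
    else echo "FAIL: KU $ku missing"; rc=1; fi
  done
  for bad in "Certificate Sign" "CRL Sign"; do
    if echo "$txt" | grep -q "$bad"; then echo "FAIL: KU $bad present (not needed here)"; rc=1; fi
  done
  # RSA modulus size from the "Public-Key: (2048 bit)" line; the answer wants at least 2048
  bits=$(echo "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  if [ "${bits:-0}" -ge 2048 ]; then echo "ok:   RSA key $bits bits"
  else echo "FAIL: RSA key ${bits:-unknown} bits (< 2048)"; rc=1; fi
  return $rc
}

# Constructed demo certs only (hypothetical CN); args: out.pem bits keyUsage extendedKeyUsage
make_demo_cert() {
  openssl req -x509 -newkey "rsa:$2" -nodes -keyout /dev/null -out "$1" -days 1 \
    -subj "/CN=ise.example.com" -addext "keyUsage=$3" -addext "extendedKeyUsage=$4" 2>/dev/null
}

demo_dir=$(mktemp -d)
# Modeled on what the answer describes: 1024-bit key plus CA key usages; clientAuth EKU absent
make_demo_cert "$demo_dir/weak.pem" 1024 "digitalSignature,keyEncipherment,keyCertSign,cRLSign" "serverAuth"
# What the answer recommends
make_demo_cert "$demo_dir/good.pem" 2048 "digitalSignature,keyEncipherment" "serverAuth,clientAuth"
for c in weak good; do
  echo "== $c.pem"
  if check_ise_portal_cert "$demo_dir/$c.pem"; then echo "PASS"; else echo "REJECT"; fi
done
```

Run it against the certificate exported from ISE (Administration > System > Certificates) with `check_ise_portal_cert portal.pem` to see exactly which property is off before touching the template.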