Cisco AnyConnect Client Provisioning Portal Certificate Error

Hello,

I wish to ask about my Cisco ISE deployment. I am currently using Cisco AnyConnect version 4.9.05042 and Cisco ISE version 2.7.

So I am currently configuring a Client Provisioning Portal for my users to connect to the network. I have already set the System Certificates on the ISE to use the valid certificate that was signed by the enterprise CA for the portal, and I can access the portal via the Chrome browser without any certificate issue. Refer to screenshot Browser Access.

However, when I tried to log in using the corporate SSID, AnyConnect keeps giving an error "Untrusted Server Certificate". Refer to screenshot AnyConnect Error. I wish to troubleshoot so my users do not see this AnyConnect untrusted error.

My wild guess is that the AnyConnect certificate store is somehow different from the endpoint certificate store, but does anyone have ideas of why this might have happened?

Yes, it is already resolved to the interface IP, and the portal port has been configured to 8443, if that is what you meant.

VIP Engager

Can you share the details of the ISE portal cert? Specifically the EKU details? It seems that you could be missing EKUs, or have incorrectly configured EKUs, in the certificate template. Does the cert have the following EKUs:

Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)

HTH!

Hi Mike,

This is the EKU. It shows exactly like it.

Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)

Regards,

Darmintra

VIP Engager

Interesting. Please share your Key Usage too.

Attached is the Key Usage, Mike.

VIP Engager

Typically you should have separate certs for different functions/reasons. Not sure why your ISE cert has CRL signing and certificate signing KUs, as they are not needed in this scenario. Also, you should absolutely increase your RSA key length from 1024 to at least 2048, but 4096 if feasible.

For this unique scenario you should only need the following KUs:

Digital Signature and Key Encipherment

I don't want to send you down the rabbit hole of generating a new cert etc., but I think that may be why your issue is occurring. However, if you are running an internal PKI, then testing my theory quickly might not take that long. You would need your PKI admin to either tweak or create a new cert template to modify the items discussed. Lastly, to be honest I have not seen this before, so it may be best to get with TAC and go from there just to be sure. Good luck and HTH!
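The two replies above amount to a checklist for a portal certificate: both EKUs present (Server Authentication 1.3.6.1.5.5.7.3.1 and Client Authentication 1.3.6.1.5.5.7.3.2), Key Usage limited to Digital Signature and Key Encipherment with no keyCertSign/cRLSign, and an RSA key of at least 2048 bits. The script below is an added example, not from this thread or from Cisco, that runs those checks on any PEM certificate and reports findings. It assumes the third-party `cryptography` package is installed; the certificate it checks when run directly is a self-signed test certificate constructed in the script to resemble the one described (1024-bit key, CA-style Key Usage bits), so the checks can be exercised offline.

```python
"""Check a portal/server certificate against the EKU, Key Usage and key-size
points raised in the thread. Added example; requires the `cryptography` package."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# EKUs a portal certificate should carry, as listed in the thread.
REQUIRED_EKUS = {
    ExtendedKeyUsageOID.SERVER_AUTH: "Server Authentication",
    ExtendedKeyUsageOID.CLIENT_AUTH: "Client Authentication",
}
MIN_RSA_BITS = 2048


def build_test_cert(key_bits=1024, ca_kus=True):
    """Construct a self-signed test certificate (constructed data, not a real
    ISE cert). Defaults mimic the thread's problem cert: 1024-bit RSA key and
    keyCertSign/cRLSign set alongside the correct EKUs."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    # Hostname is a placeholder, not the poster's real portal FQDN.
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ise-portal.example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(
            x509.ExtendedKeyUsage(list(REQUIRED_EKUS)), critical=False
        )
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, key_encipherment=True,
                content_commitment=False, data_encipherment=False,
                key_agreement=False, key_cert_sign=ca_kus, crl_sign=ca_kus,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
    )
    return builder.sign(key, hashes.SHA256())


def load_cert(pem_bytes):
    """Parse a PEM-encoded certificate exported from ISE or the CA."""
    return x509.load_pem_x509_certificate(pem_bytes)


def check_portal_cert(cert):
    """Return a list of findings; an empty list means the cert passes."""
    findings = []

    # 1. Extended Key Usage: both Server and Client Authentication expected.
    try:
        present = set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        present = set()
    for oid, label in REQUIRED_EKUS.items():
        if oid not in present:
            findings.append(f"missing EKU {label} ({oid.dotted_string})")

    # 2. Key Usage: Digital Signature + Key Encipherment, no CA-only bits.
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        findings.append("no Key Usage extension")
    else:
        if not ku.digital_signature:
            findings.append("Key Usage lacks digitalSignature")
        if not ku.key_encipherment:
            findings.append("Key Usage lacks keyEncipherment")
        if ku.key_cert_sign:
            findings.append("Key Usage has keyCertSign (CA usage, not needed on a portal cert)")
        if ku.crl_sign:
            findings.append("Key Usage has cRLSign (CA usage, not needed on a portal cert)")

    # 3. RSA key length: 1024 is too small; 2048 minimum, 4096 if feasible.
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < MIN_RSA_BITS:
        findings.append(f"RSA key is {pub.key_size} bits; use at least {MIN_RSA_BITS}")
    return findings


if __name__ == "__main__":
    for finding in check_portal_cert(build_test_cert()):
        print("FINDING:", finding)
```

To check a real certificate, export it from ISE (Administration > System > Certificates) as PEM and pass the file contents to `load_cert()` before calling `check_portal_cert()`; the three findings the constructed cert produces (keyCertSign, cRLSign, 1024-bit key) match the issues Mike points out in the thread, while a cert built with `key_bits=2048, ca_kus=False` passes clean.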

Alright Mike, thank you. I think I will try to go with TAC for this case.

Regards,

Darmintra