Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3047
Views
5
Helpful
8
Replies

Cisco AnyConnect Client Provisioning Portal Certificate Error

Go to solution
DarmintraTandrawijaya49983
Level 1
Level 1

‎02-23-2021 02:36 AM

Hello,

 

I wish to ask about my Cisco ISE deployment. I am currently using Cisco AnyConnect version 4.9.05042 and Cisco ISE version 2.7.

 

So I am currently configuring a Client Provisioning Portal for my users to connect to the network. I have already set the System Certificates on the ISE to use the valid certificate that was signed by enterprise CA to use as portal and I can access the portal via chrome browser without any certificate issue. Refer to screenshot Browser Access.

 

However, when I tried to log in using the corporate SSID, the anyconnect keeps giving an error "Untrusted Server Certificate". Refer to screenshot AnyConnect Error. I wish to troubleshoot so my users does not see this anyconnect untrusted error.

 

My wild guess is the anyconnect certificate store is somehow different from the endpoint certificate store, but maybe any ideas of why this might have happened?

 

 

Preview file
43 KB
Preview file
25 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-24-2021 06:07 AM

Typically you should have separate certs for different functions/reasons.  Not sure why your ISE cert has crl signing & certificate signing KUs as they are not need in this scenario.  Also, you should absolutely increase your rsa key length from 1024 to at least 2048, but 4096 if feasible. 

For this unique scenario you should only need the following KUs:

Digital Signature and Key Encipherment

 

I don't want to send you down the rabbit hole of generating a new cert etc., but I think that may be why your issue is occurring. However, if you are running an internal PKI then maybe testing my theory quick would not take that long.  You would need your PKI admin to either tweak or create a new cert template to modify the items discussed.  Lastly, to be honest I have not seen this before so it may be best to get with TAC & go from there just to be sure.  Good luck & HTH!

View solution in original post

Go to solution
DarmintraTandrawijaya49983
Level 1
Level 1

‎02-28-2021 07:48 PM

Alright Mike, thank you. I think I will try to go with TAC for this case.

 

Regards,

Darmintra

View solution in original post

0 Helpful
8 Replies 8

Go to solution
DarmintraTandrawijaya49983
Level 1
Level 1

‎02-23-2021 03:20 AM

yes it is already resolved to the interface IP and the portal port has been configured to 8443 if that is what you meant

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-23-2021 05:37 AM

Can you share the details of the ISE portal cert? Specifically the EKU details? It seems that you could be missing or incorrectly configured EKUs in the certificate template possibly.  Does the cert have the following EKUs:

Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)

HTH!

0 Helpful

Go to solution
DarmintraTandrawijaya49983
Level 1
Level 1
In response to Mike.Cifelli

‎02-23-2021 06:11 AM

Hi Mike,

 

This is the EKU. It shows exactly like it.

 

Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)

 

Regards,

Darmintra

Preview file
36 KB
0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-23-2021 10:15 AM

Interesting.  Please share your Key Usage too.

0 Helpful

Go to solution
DarmintraTandrawijaya49983
Level 1
Level 1
In response to Mike.Cifelli

‎02-24-2021 02:36 AM

Attached is the Key Usage, Mike

Preview file
35 KB
0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-24-2021 06:07 AM

Typically you should have separate certs for different functions/reasons.  Not sure why your ISE cert has crl signing & certificate signing KUs as they are not need in this scenario.  Also, you should absolutely increase your rsa key length from 1024 to at least 2048, but 4096 if feasible. 

For this unique scenario you should only need the following KUs:

Digital Signature and Key Encipherment

 

I don't want to send you down the rabbit hole of generating a new cert etc., but I think that may be why your issue is occurring. However, if you are running an internal PKI then maybe testing my theory quick would not take that long.  You would need your PKI admin to either tweak or create a new cert template to modify the items discussed.  Lastly, to be honest I have not seen this before so it may be best to get with TAC & go from there just to be sure.  Good luck & HTH!

Go to solution
DarmintraTandrawijaya49983
Level 1
Level 1
In response to Mike.Cifelli

‎03-10-2021 08:26 PM

Hi! Update after a while, after working with TAC and examining the DART logs in AnyConnect, TAC also recommended me to change the KU as Mike have suggested. We did just that and the cert error no longer occured.

 

Thank you Mike and hope this helps anyone who had the same issue on ISE.

 

Regards,

Darmintra

0 Helpful

Go to solution
DarmintraTandrawijaya49983
Level 1
Level 1

‎02-28-2021 07:48 PM

Alright Mike, thank you. I think I will try to go with TAC for this case.

 

Regards,

Darmintra

0 Helpful
Customers Also Viewed These Support Documents