cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3601
Views
5
Helpful
8
Replies

Cisco AnyConnect Client Provisioning Portal Certificate Error

Hello,

 

I wish to ask about my Cisco ISE deployment. I am currently using Cisco AnyConnect version 4.9.05042 and Cisco ISE version 2.7.

 

So I am currently configuring a Client Provisioning Portal for my users to connect to the network. I have already set the System Certificates on the ISE to use the valid certificate that was signed by enterprise CA to use as portal and I can access the portal via chrome browser without any certificate issue. Refer to screenshot Browser Access.

 

However, when I tried to log in using the corporate SSID, the anyconnect keeps giving an error "Untrusted Server Certificate". Refer to screenshot AnyConnect Error. I wish to troubleshoot so my users does not see this anyconnect untrusted error.

 

My wild guess is the anyconnect certificate store is somehow different from the endpoint certificate store, but maybe any ideas of why this might have happened?

 

 

2 Accepted Solutions

Accepted Solutions

Mike.Cifelli
VIP Alumni
VIP Alumni

Typically you should have separate certs for different functions/reasons.  Not sure why your ISE cert has crl signing & certificate signing KUs as they are not need in this scenario.  Also, you should absolutely increase your rsa key length from 1024 to at least 2048, but 4096 if feasible. 

For this unique scenario you should only need the following KUs:

Digital Signature and Key Encipherment

 

I don't want to send you down the rabbit hole of generating a new cert etc., but I think that may be why your issue is occurring. However, if you are running an internal PKI then maybe testing my theory quick would not take that long.  You would need your PKI admin to either tweak or create a new cert template to modify the items discussed.  Lastly, to be honest I have not seen this before so it may be best to get with TAC & go from there just to be sure.  Good luck & HTH!

View solution in original post

Alright Mike, thank you. I think I will try to go with TAC for this case.

 

Regards,

Darmintra

View solution in original post

8 Replies 8

yes it is already resolved to the interface IP and the portal port has been configured to 8443 if that is what you meant

Mike.Cifelli
VIP Alumni
VIP Alumni

Can you share the details of the ISE portal cert? Specifically the EKU details? It seems that you could be missing or incorrectly configured EKUs in the certificate template possibly.  Does the cert have the following EKUs:

Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)

HTH!

Hi Mike,

 

This is the EKU. It shows exactly like it.

 

Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)

 

Regards,

Darmintra

Mike.Cifelli
VIP Alumni
VIP Alumni

Interesting.  Please share your Key Usage too.

Attached is the Key Usage, Mike

Mike.Cifelli
VIP Alumni
VIP Alumni

Typically you should have separate certs for different functions/reasons.  Not sure why your ISE cert has crl signing & certificate signing KUs as they are not need in this scenario.  Also, you should absolutely increase your rsa key length from 1024 to at least 2048, but 4096 if feasible. 

For this unique scenario you should only need the following KUs:

Digital Signature and Key Encipherment

 

I don't want to send you down the rabbit hole of generating a new cert etc., but I think that may be why your issue is occurring. However, if you are running an internal PKI then maybe testing my theory quick would not take that long.  You would need your PKI admin to either tweak or create a new cert template to modify the items discussed.  Lastly, to be honest I have not seen this before so it may be best to get with TAC & go from there just to be sure.  Good luck & HTH!

Hi! Update after a while, after working with TAC and examining the DART logs in AnyConnect, TAC also recommended me to change the KU as Mike have suggested. We did just that and the cert error no longer occured.

 

Thank you Mike and hope this helps anyone who had the same issue on ISE.

 

Regards,

Darmintra

Alright Mike, thank you. I think I will try to go with TAC for this case.

 

Regards,

Darmintra