Hi @Rob Ingram 

Did use the GPO to allow the application and now it works all fine. Also the posture process went well. The only left issue am facing is the "Security Warning: Untrusted Server Certificate!" AnyConnect cannot verify server: ise1"

Certificate does not match the server name. 

Certificate is not identified for this purpose. 

Please see image attached.

I did research in regards this and the I also tested them but did not fix the issue are: 

1. ISE Certificate was generated as a Subordinate certificate and was signed from the Internal root CA. Root CA is imported in All network hosts. It is also selected and this is how we achieve the EAP-TLS authentication successfully. 

2. I've unchecked the "Block connections to untrusted servers", still not working. 

3. User am testing with does have local admin rights on the computer.

4. The client provisioning has the same certificate as the ones ISE does in the web browser. 

5. The ISE certificate SAN has the same FQDN of ISE. 

6. SAN of certificate has FQDN of ISE1 and FQDN of ISE2. But does not have IP addresses on it. 

7. CN of the certificate has also the same FQDN as ISE1, that FQDN that the host is reporting as unsecure.

8. AnyConnect configuration has home call list: FQDN of ISE1

9. Tried to import ISE1 Subordinate certificate in Certificate Trusted Authority in the Host, but I still faced the same error! Here, am not sure if I should import this as part of the process. 

AnyConnect-win-webdeploy version: 4.10.xx

Any idea how I can further troubleshoot on eliminating this popup of untrusted server! 

Note: during the process, this process shows up twice, and the user needs to click connect twice.

Looking forward to hearing from you for any suggestions on how to approach this problem.

Thank you,

Laura 

@laurathaqi depending at which stage in the process this warning error pops up, the connection is protected by either the Portal or Admin ISE certificate. Do you have unique Admin and Portal certificates or do they use the same certificate?

Useful link

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

Hi @Rob Ingram 

The popup shows at the moment when the module starts to scan, and the second one comes after it goes to 10% scanning. 

I am using the same certificate for both Admin and Portal certificates. 

Thank you for the link. Will study it tonight and if i find a solution, will make sure to update you. 

Please, feel free to share any new ideas of troubleshooting or materials that u might think are helpful.

Thank you,

Laura

@laurathaqi install wireshark on the client computer, take a packet capture during the posture process and determine what actual certificate is presented to the client when it fails.

Hi @Rob Ingram 

I took the Wireshark packet capture, and the certificate being presented is the correct one of ISE. 

I also tried to regenerate the certificate for portal only, by creating one that has as SAN the fqdn and ip address of the ISE. The portals of CPP and Admin do not show the untrusted certificate issue. When posture scanning starts at 1% am forced to click connect anyway and then that is it. The posture completes with success. 

Any idea how to further troubleshoot? Am out of ideas right now. 

TAC is on progress. 

Thank you,

Laura