Cisco ISE posture check for contractors | certificate requirements

Hi,

We have a customer with an ISE distributed deployment (2x admin, 2x monitoring, 13x PSN and 1x pxGrid). The ISE admin portal is signed with an internal CA certificate and the ISE host names are configured as, let's say, psn01.abc.org.qa.

For the employees we are using a client provisioning portal which uses the same certificate as the admin portal (the internal CA signed certificate) so that they do not get certificate warnings (since their machines trust the ROOT certificate of the internal CA).

For the contractors, when we used the same client provisioning portal as the employees, the ISE posture agent returned a certificate error since the contractor machines are 3rd party machines and they do not trust the ROOT certificate of the internal CA. The customer is not ready to install the ROOT certificate of the internal CA on 3rd party machines. So we thought about creating a separate client provisioning portal and using a public certificate with that portal. The client provisioning portal uses the URL https://xxx.portal.qa and we used a certificate with the common name psn.portal.qa and a wildcard in the SAN field, *.portal.qa.

Now the issue is that when the contractor connects to the network, the browser redirects the HTTP requests to psn01.portal.qa without any certificate warnings. But the AnyConnect posture agent shows an untrusted server warning and gives the error "cannot verify server name".

I could see that the agent is trying to connect to psn01.abc.org.qa (the actual ISE FQDN) instead of psn01.portal.qa (the redirect URL).

Is this expected behavior?

Is it good practice to use separate certificates for the admin portal and the client provisioning portal?

Why does the browser show the proper redirect URL but the agent connects to the actual ISE FQDN?

Please help me to resolve the issue ASAP since the customer needs feedback in a couple of days.

2 Replies

Please help guys

Jason Kunst
Cisco Employee

Yes, the agent will try to contact the actual PSN in its communication path. This should be part of your design.

The CN should be something like aaa.abc.org.qa and then the SAN should be *.abc.org.qa. The redirect URL is not part of the deployment or configured on it. This can be something arbitrary like enroll.cisco.com (something past the redirection point).

Please check out our ISE posture guide - How to Cert guide.

If anything urgent, please work through TAC as this is not a break-fix site. It's a best-effort community.
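As an added illustration (not code from the thread, from Cisco or from ISE), the check below models RFC 6125 host-name matching against the two certificates discussed above, using constructed CN/SAN values rather than real certificates. It shows why the browser, which only contacts the redirect name psn01.portal.qa, is satisfied by the *.portal.qa wildcard, while the posture agent, which validates the real PSN FQDN psn01.abc.org.qa, is not; the PSN names are only covered by the *.abc.org.qa SAN the reply recommends.

```python
"""Which host names does a certificate's identifiers cover (RFC 6125 rules)?

Constructed example: the CN/SAN values mirror the two certificates discussed
in the thread; no real certificate is parsed or contacted.
"""
from typing import Dict, List


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' stands for exactly one whole label and is only
    honoured in the leftmost position. Comparison is case-insensitive."""
    p_labels = pattern.rstrip(".").lower().split(".")
    h_labels = hostname.rstrip(".").lower().split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*.portal.qa' never covers 'a.b.portal.qa' or 'portal.qa'
    if "*" in p_labels[1:] or any("*" in l and l != "*" for l in p_labels):
        return False  # no 'ps*.portal.qa' and no wildcard in inner labels
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_covers(hostname: str, cn: str, dns_sans: List[str]) -> bool:
    """Modern validators (browsers, most TLS clients) only consult the SAN
    dNSName list; the CN is a fallback solely when no dNSName SAN is present."""
    if dns_sans:
        return any(name_matches(san, hostname) for san in dns_sans)
    return name_matches(cn, hostname)


# Constructed identifiers for the certificate the customer issued for the
# contractor portal and for the certificate shape recommended in the reply.
PORTAL_CERT = {"cn": "psn.portal.qa", "dns_sans": ["*.portal.qa"]}
PSN_CERT = {"cn": "aaa.abc.org.qa", "dns_sans": ["*.abc.org.qa"]}


def coverage_report(cert: Dict[str, object], hosts: List[str]) -> Dict[str, bool]:
    """Map each host name a client may contact to whether the cert covers it."""
    return {h: cert_covers(h, cert["cn"], cert["dns_sans"]) for h in hosts}


if __name__ == "__main__":
    # Browser sees the redirect name; the posture agent contacts the PSN FQDNs.
    contacted = ["psn01.portal.qa", "psn01.abc.org.qa", "psn13.abc.org.qa"]
    for label, cert in (("portal cert", PORTAL_CERT), ("PSN cert", PSN_CERT)):
        print(label, coverage_report(cert, contacted))
```

The cert that does cover the PSN FQDNs still has to chain to a CA the contractor machines already trust, otherwise the agent fails on trust rather than on the server name.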