Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
526
Views
0
Helpful
1
Replies

Endpoint certificate validation on ISE for Anyconnect Clients prior to Posturing

Darren.Martinaglia
Level 1
Level 1

‎08-11-2019 03:38 PM

Hi Cisco Community, 

 

I have set up posturing on our ISE servers for Anyconnect clients. This is working fine but an additional requirement is for ISE to scan the endpoint machine for a specific certificate located within the Trusted Root Certificate Authorities based on Issuer Common Name, Serial Number and expiry date of the certificate. When adding this to the Authorization Policy (above the Compliant and Non-Compliant policies), I get the below error message and Anyconnect immediately ends the VPN session:

 

"The secure gateway has terminated the VPN Connection. The following message was received from the secure gateway: Internal Error"

 

I am running version 2.4.0357 patch level 7 on the ISE servers and our FirePower 2130's are running an ASA code of 9.9(1). I have the same trusted Root CA installed on the VPN head end Firewall. We would like a scan to be performed on the endpoint machine to first validate that the certificate does indeed exist and if so, proceed to posture the machine. 

 

Any assistance will be greatly appreciated.

Thank you.

0 Helpful
1 Reply 1

hslai
Cisco Employee
Cisco Employee

‎08-17-2019 10:08 AM

The certificate conditions in ISE authorization policy rules are for certificate-based authentication. As you are using AnyConnect for remote access VPN, it will not be certificate-based authentication to ISE. That is likely the reason for the internal error.

Please open a Cisco TAC case, if you need dig on this further.

0 Helpful
Customers Also Viewed These Support Documents