cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2462
Views
15
Helpful
6
Replies

ISE Anyconnect Posture module untrusted certificate

ryan14
Beginner
Beginner

I have an issue where I am trying to connect a Win10 machine using AnyConnect with Posture module and I am getting a certificate error stating it doesn't trust the cert assigned to my ISE admin node. The client provisioning portal loads (https://fqdn:8443) from the Win10 machine using my browser with no certificate errors. How do I go about solving this problem? It appears the posturing module is also using the certificate on my ISE node tied to admin (not just portal). The cert tied to admin is from my internal PKI. Does this mean I have to change that certificate as well for admin?

 

6 Replies 6

Damien Miller
VIP Advisor VIP Advisor
VIP Advisor

You're on the right path, both the Admin and Portal cert are presented to the client during the posture process. You'll need a public cert on both of those that the unmanaged endpoints trust. 

Thank you. So does that mean I need to change my ISE system domain names (PAN and PSN) to match the domain used in the wildcard certificate (which is currently used for portal)?

You have a choice. If you're only doing posture on managed machines, then you can push the certificate chain and make the endpoints trust the existing ISE admin cert. 

If you're posturing machines that you do not manage, then a well known CA signed certificate is required on both the admin and portal. You can either get this cert issued for the current FQDNs, or you could move you ISE nodes to the same domain as your wildcard. 

You can have two difference public signed certs assigned, one for admin, another for the portal, but this of course comes with a cost. All that matters is that the endpoints trust them. 

Thank you everyone for your feedback. Do you know if it is possible to add a .local DNS name in the SAN field for the wildcard cert?

 

If not will have to ask systems team to spin up a new domain as the wildcard cert only exists 'publicly'.

 

The issue is that the machines are not part of the domain so getting the root/intermediary cert in their trusted store is a manual process. We do that already but for domain connected PCs via GPO.

Romzy
Cisco Employee
Cisco Employee

Have the root CA (and intermediate CAs if any) of your ISE admin cert imported in your client's trusted store. Both admin and portal certs are presented during Posture flow.

Peter Koltl
Rising star
Rising star

We have enterprise admin certificate and commercial portal certificate on 2.4 and posture on the external clients work without warnings.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers