I have an issue where I am trying to connect a Win10 machine using AnyConnect with Posture module and I am getting a certificate error stating it doesn't trust the cert assigned to my ISE admin node. The client provisioning portal loads (https://fqdn:8443) from the Win10 machine using my browser with no certificate errors. How do I go about solving this problem? It appears the posturing module is also using the certificate on my ISE node tied to admin (not just portal). The cert tied to admin is from my internal PKI. Does this mean I have to change that certificate as well for admin?
You have a choice. If you're only doing posture on managed machines, then you can push the certificate chain and make the endpoints trust the existing ISE admin cert.
If you're posturing machines that you do not manage, then a well known CA signed certificate is required on both the admin and portal. You can either get this cert issued for the current FQDNs, or you could move your ISE nodes to the same domain as your wildcard.
You can have two different public signed certs assigned, one for admin, another for the portal, but this of course comes with a cost. All that matters is that the endpoints trust them.
Thank you everyone for your feedback. Do you know if it is possible to add a .local DNS name in the SAN field for the wildcard cert?
If not, I will have to ask the systems team to spin up a new domain, as the wildcard cert only exists 'publicly'.
The issue is that the machines are not part of the domain so getting the root/intermediary cert in their trusted store is a manual process. We do that already but for domain connected PCs via GPO.
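The replies above make two points a client-side check can confirm: the posture module validates the certificate presented on the ISE admin interface (443), not only the one on the client provisioning portal (8443), and on non-domain machines the internal root has to be placed in the trusted store by hand. The PowerShell script below is an added example, not code from the thread or from Cisco; it connects to both ports on a placeholder ISE host name, prints the subject, issuer and SAN entries of each certificate, and reports whether the local Windows trust store accepts the chain, which is the same evaluation the AnyConnect posture module depends on. The host name and the root certificate file path are assumptions.

```powershell
# Added example: compare the TLS certificates an ISE node presents on the admin
# and portal ports, and check whether this Windows machine trusts each chain.
param(
    [string]$IseHost = 'ise-admin.example.local',   # placeholder for the ISE node FQDN
    [int[]] $Ports   = @(443, 8443)                 # admin interface and client provisioning portal
)

function Get-TlsCertificateReport {
    param([string]$HostName, [int]$Port)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate in the handshake callback so the cert can be inspected;
        # trust is evaluated separately below with X509Chain.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain against the machine's trusted root and intermediate stores.
        # Revocation checking is disabled so the result only reflects trust, not CRL reachability.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($cert)

        # OID 2.5.29.17 is Subject Alternative Name; this shows which DNS names the cert covers.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($true) } else { '(none)' }

        [pscustomobject]@{
            Port        = $Port
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            SAN         = $san
            Trusted     = $trusted
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
    finally {
        $client.Close()
    }
}

foreach ($p in $Ports) {
    Get-TlsCertificateReport -HostName $IseHost -Port $p | Format-List
}

# For managed (or manually handled) endpoints, the fix the first reply describes is to
# install the internal root so the admin cert chain becomes trusted. Run elevated;
# the file path is a placeholder for the exported root CA certificate.
# Import-Certificate -FilePath 'C:\temp\internal-root.cer' -CertStoreLocation Cert:\LocalMachine\Root
```

If port 8443 reports Trusted = True while port 443 reports False with a ChainStatus of UntrustedRoot or PartialChain, that matches the symptom in the original question: the browser is happy with the portal cert while the posture module rejects the admin cert. The SAN output also shows directly whether a given name, such as a .local FQDN, is actually covered by the certificate on each port.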