cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

784
Views
15
Helpful
6
Replies
ryan14
Beginner

ISE Anyconnect Posture module untrusted certificate

I have an issue where I am trying to connect a Win10 machine using AnyConnect with Posture module and I am getting a certificate error stating it doesn't trust the cert assigned to my ISE admin node. The client provisioning portal loads (https://fqdn:8443) from the Win10 machine using my browser with no certificate errors. How do I go about solving this problem? It appears the posturing module is also using the certificate on my ISE node tied to admin (not just portal). The cert tied to admin is from my internal PKI. Does this mean I have to change that certificate as well for admin?

 

6 REPLIES 6
Damien Miller
VIP Advisor

You're on the right path, both the Admin and Portal cert are presented to the client during the posture process. You'll need a public cert on both of those that the unmanaged endpoints trust. 

Thank you. So does that mean I need to change my ISE system domain names (PAN and PSN) to match the domain used in the wildcard certificate (which is currently used for portal)?

You have a choice. If you're only doing posture on managed machines, then you can push the certificate chain and make the endpoints trust the existing ISE admin cert. 

If you're posturing machines that you do not manage, then a well known CA signed certificate is required on both the admin and portal. You can either get this cert issued for the current FQDNs, or you could move you ISE nodes to the same domain as your wildcard. 

You can have two difference public signed certs assigned, one for admin, another for the portal, but this of course comes with a cost. All that matters is that the endpoints trust them. 

Thank you everyone for your feedback. Do you know if it is possible to add a .local DNS name in the SAN field for the wildcard cert?

 

If not will have to ask systems team to spin up a new domain as the wildcard cert only exists 'publicly'.

 

The issue is that the machines are not part of the domain so getting the root/intermediary cert in their trusted store is a manual process. We do that already but for domain connected PCs via GPO.

Romzy
Cisco Employee

Have the root CA (and intermediate CAs if any) of your ISE admin cert imported in your client's trusted store. Both admin and portal certs are presented during Posture flow.

Peter Koltl
Rising star

We have enterprise admin certificate and commercial portal certificate on 2.4 and posture on the external clients work without warnings.

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel