Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3840
Views
15
Helpful
6
Replies

ISE Anyconnect Posture module untrusted certificate

ryan14
Level 1
Level 1

‎05-14-2021 12:25 PM

I have an issue where I am trying to connect a Win10 machine using AnyConnect with Posture module and I am getting a certificate error stating it doesn't trust the cert assigned to my ISE admin node. The client provisioning portal loads (https://fqdn:8443) from the Win10 machine using my browser with no certificate errors. How do I go about solving this problem? It appears the posturing module is also using the certificate on my ISE node tied to admin (not just portal). The cert tied to admin is from my internal PKI. Does this mean I have to change that certificate as well for admin?

 

Preview file
114 KB
0 Helpful
6 Replies 6

Damien Miller
VIP Alumni
VIP Alumni

‎05-14-2021 01:14 PM

You're on the right path, both the Admin and Portal cert are presented to the client during the posture process. You'll need a public cert on both of those that the unmanaged endpoints trust. 

0 Helpful

ryan14
Level 1
Level 1
In response to Damien Miller

‎05-14-2021 01:27 PM

Thank you. So does that mean I need to change my ISE system domain names (PAN and PSN) to match the domain used in the wildcard certificate (which is currently used for portal)?

0 Helpful

Damien Miller
VIP Alumni
VIP Alumni
In response to ryan14

‎05-14-2021 04:55 PM

You have a choice. If you're only doing posture on managed machines, then you can push the certificate chain and make the endpoints trust the existing ISE admin cert. 

If you're posturing machines that you do not manage, then a well known CA signed certificate is required on both the admin and portal. You can either get this cert issued for the current FQDNs, or you could move you ISE nodes to the same domain as your wildcard. 

You can have two difference public signed certs assigned, one for admin, another for the portal, but this of course comes with a cost. All that matters is that the endpoints trust them. 

ryan14
Level 1
Level 1
In response to Damien Miller

‎05-17-2021 05:34 AM

Thank you everyone for your feedback. Do you know if it is possible to add a .local DNS name in the SAN field for the wildcard cert?

 

If not will have to ask systems team to spin up a new domain as the wildcard cert only exists 'publicly'.

 

The issue is that the machines are not part of the domain so getting the root/intermediary cert in their trusted store is a manual process. We do that already but for domain connected PCs via GPO.

0 Helpful

Romzy
Cisco Employee
Cisco Employee

‎05-14-2021 04:44 PM - edited ‎05-14-2021 04:44 PM

Have the root CA (and intermediate CAs if any) of your ISE admin cert imported in your client's trusted store. Both admin and portal certs are presented during Posture flow.

Peter Koltl
Level 7
Level 7

‎05-19-2021 11:49 AM

We have enterprise admin certificate and commercial portal certificate on 2.4 and posture on the external clients work without warnings.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents