03-20-2019 10:03 AM - edited 03-20-2019 10:05 AM
Hi Experts,
I have a customer who is performing posture on Windows machines. When the posture starts it gives an error that the server is not trusted.
We are using a CA-signed cert for all the portals. (ISE FQDN in CN)
Admin and BYOD portal only use a self-signed cert. (ISE FQDN in CN)
In the posture.xml file we have added the ISE FQDNs in the call-home.
CA Root cert is present in the PC Trusted store.
When the posture starts the redirect-url will have the FQDN present and ISE provides the CPP cert which is CA-signed and hence we should not get this error.
Is my understanding correct?
03-20-2019 12:20 PM
Hi,
does your admin certificate have those FQDNs entered as SAN names for those portals?
As the initial request goes to the FQDN of ISE and then redirects from there.
03-21-2019 11:02 PM
In the ISE1 admin cert -- which is the self-signed one -- we have the wildcard in the SAN and the FQDN in the CN.
E.g.:
CN: abc-01.cisco.com
SAN: DNS: *.cisco.com
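To check whether a certificate like the one above actually covers the name the client ends up connecting to, here is an added example (not code from this thread or from Cisco) that applies the RFC 6125 name-matching rules a TLS client follows: a wildcard in a DNS SAN matches exactly one label, DNS SANs never match an IP address literal, and the CN is only consulted when the certificate carries no DNS SAN at all. It goes slightly beyond the thread by also handling IP Address SANs. The SAN list and hostnames are constructed to mirror the posted example; the `cert_covers_host` and `explain` functions are my own names, not an ISE or AnyConnect API.

```python
"""Does a certificate's names cover the host a client connects to?

Added example, not code from the original thread. Implements RFC 6125
style matching: wildcard only as the whole leftmost label, one label
only; DNS names never match an IP literal; CN is a fallback only when
no DNS SAN exists. Input is the text form printed by
`openssl x509 -noout -ext subjectAltName` (constructed here, not real).
"""
import ipaddress

# Constructed to mirror the certificate described in the thread.
ISE1_CN = "abc-01.cisco.com"
ISE1_SAN = ["DNS:*.cisco.com"]


def parse_san(entries):
    """Split 'DNS:x' and 'IP Address:x' strings into DNS names and IP objects."""
    dns_names, ip_names = [], []
    for entry in entries:
        kind, _, value = entry.partition(":")
        kind, value = kind.strip().lower(), value.strip()
        if kind == "dns":
            dns_names.append(value.lower())
        elif kind in ("ip", "ip address"):
            ip_names.append(ipaddress.ip_address(value))
    return dns_names, ip_names


def dns_name_matches(pattern, hostname):
    """RFC 6125 s6.4.3: '*' must be the entire leftmost label and matches one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject partial wildcards (f*.example), bare '*' and wildcards deeper than leftmost.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False  # '*.cisco.com' does not match 'cisco.com' or 'a.b.cisco.com'
    return p_labels[1:] == h_labels[1:]


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def cert_covers_host(cn, san_entries, host):
    """True if a standards-following client would accept this cert for `host`."""
    dns_names, ip_names = parse_san(san_entries)
    if is_ip_literal(host):
        # A DNS SAN (wildcard or not) never satisfies a connection made by IP.
        return ipaddress.ip_address(host) in ip_names
    # CN is only a fallback when the cert has no dNSName SAN (RFC 6125 s6.4.4).
    candidates = dns_names if dns_names else [cn]
    return any(dns_name_matches(p, host) for p in candidates)


def explain(cn, san_entries, hosts):
    """Map each target host to whether the certificate covers it."""
    return {h: cert_covers_host(cn, san_entries, h) for h in hosts}


if __name__ == "__main__":
    targets = ["abc-01.cisco.com", "cisco.com", "ise.lab.cisco.com", "10.1.1.10"]
    for host, ok in explain(ISE1_CN, ISE1_SAN, targets).items():
        print(f"{host:22} {'trusted' if ok else 'NOT trusted'}")
```

Run it against the real SAN list of each ISE node (taken from `openssl s_client -connect <node>:8443 -servername <fqdn> | openssl x509 -noout -subject -ext subjectAltName`) and against every name or address the client is actually redirected to; any target that prints NOT trusted is one the posture module will reject, and a connection made by IP address will fail against a certificate that has only a DNS wildcard SAN.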
03-21-2019 11:05 PM - edited 03-21-2019 11:05 PM
I also notice a behaviour that when the error comes in AnyConnect, it states the IP address instead of the FQDN, which can cause the issue. Where is the IP address taken from, because the URL and posture.xml have the FQDN?
03-22-2019 02:32 AM
The same issue has been discussed here with a workaround: https://community.cisco.com/t5/identity-services-engine-ise/anyconnect-posture-certificate-error/td-p/3580733
Thanks,
Nidhi