ISE Posture Anyconnect error

Jinkle Jose
Cisco Employee

Hi Experts, 

 

I have a customer who is performing Posture on Windows machines. When the posture starts, it gives an error that the server is not trusted.

We are using a CA signed cert for all the portals. (ISE FQDN in CN)

Admin and BYOD portal-only uses Self Signed Cert. (ISE FQDN in CN)

In the posture.xml file we have added the ISE FQDNs in the call-home.

CA Root cert is present in the PC Trusted store.

 

When the posture starts the redirect-url will have the FQDN present and ISE provides the CPP cert which is CA-signed and hence we should not get this error.

Is my understanding correct? 

 

 

4 Replies

Hi,

Does your admin certificate have those FQDNs entered as a SAN name for those portals?

 

As the initial request goes to the FQDN of ISE and then redirects from there.

 

In the ISE1 Admin Cert -- which is the Self Signed one, we have the wildcard in the SAN, and FQDN in CN

 

Eg :

CN : abc-01.cisco.com

 

SAN: DNS: *.cisco.com

Jinkle Jose
Cisco Employee

I also notice a behaviour that when the error comes up in AnyConnect, it states the IP address instead of the FQDN, which can cause the issue. Where is the IP address taken from, since the URL and posture.xml have the FQDN?

Nidhi
Cisco Employee

The same issue has been discussed here with a workaround: https://community.cisco.com/t5/identity-services-engine-ise/anyconnect-posture-certificate-error/td-p/3580733

 

Thanks,

Nidhi
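
As an added illustration (not from the thread, and not AnyConnect or ISE code), this sketch applies common RFC 6125-style name matching to the certificate shape quoted above (CN `abc-01.cisco.com`, SAN `DNS:*.cisco.com`) to show why a connection addressed by IP address is rejected when the certificate carries only DNS names. The dictionary layout, the function names and the address `192.0.2.10` are constructed assumptions, and whether a given client follows exactly these rules is also an assumption.

```python
import ipaddress

# Constructed sample mirroring the certificate described in the thread.
ADMIN_CERT = {"cn": "abc-01.cisco.com", "san_dns": ["*.cisco.com"], "san_ip": []}

def _is_ip(name):
    """True when the reference identity is an IP literal, not a DNS name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Compare label by label; '*' stands for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.com' never matches.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def name_matches(cert, target):
    """Return True if `target` (what the client connected to) is covered."""
    if _is_ip(target):
        # An IP target is compared only with iPAddress SAN entries;
        # DNS wildcards and the CN are never consulted for it.
        t = ipaddress.ip_address(target)
        return any(ipaddress.ip_address(ip) == t for ip in cert.get("san_ip", []))
    sans = cert.get("san_dns", [])
    if sans:
        # When DNS SANs exist, the CN is ignored.
        return any(_dns_match(s, target) for s in sans)
    # Legacy fallback to CN; many current clients skip this step entirely.
    return _dns_match(cert.get("cn", ""), target)

if __name__ == "__main__":
    for target in ("abc-01.cisco.com", "abc-01.lab.cisco.com", "192.0.2.10"):
        print(f"{target:24} -> {'match' if name_matches(ADMIN_CERT, target) else 'NO MATCH'}")
```
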