Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2167
Views
15
Helpful
8
Replies

ISE - posture fails

kpanduric
Level 1
Level 1

‎01-30-2013 06:10 AM - edited ‎03-10-2019 08:02 PM

Hello,

I have a problem at the posture checking phase. NAC agent fails to check for posture compliance and remediation never takes place. The client browser is beeing redirected to the following URL: https://ise.xxxx.yy:8443/guestportal/gateway?sessionId=AC16FA49000000778BF9058D&action=cpp, and then to https://ise.xxxx.yy:8443/auth/provisioning/evaluate (shown below)

ise_posturefail.png

Obviously there is a problem on ISE box, missing something. What could be the cause of the problem?

Best regards,

Kreso

1 person had this problem
Labels:
0 Helpful
8 Replies 8

vikasyad
Level 1
Level 1

‎05-14-2013 04:20 PM

Please review the below link which might be  helpful:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html

0 Helpful

kpanduric
Level 1
Level 1
In response to vikasyad

‎05-17-2013 01:56 AM

Hello Vikas,

thank you for the hint.

I have followed the procedure several times but still have the issue.

The TAC case has been opened and for two months I have received only few replies. The problem could be in the certificate issued by the local CA on the AD domain, but as I have not received neither solution nor workaround I can't move forward.

Regards,

K

0 Helpful

Najeeb Mohammad
Level 1
Level 1
In response to kpanduric

‎07-04-2013 12:39 AM

hi kreso,

Have you got solution from TAC. I also face same issue.

0 Helpful

pankaj29in
Level 1
Level 1
In response to Najeeb Mohammad

‎07-04-2013 12:59 AM

Hi,

Try using self signed certificate that will clear the picture.

Regards
Pankaj

Najeeb Mohammad
Level 1
Level 1
In response to pankaj29in

‎07-04-2013 08:23 AM

Hi Pankaj,

The problem got solved, it was the issue of CA Certificate . Thanks for your quick response.

Regards

Najeeb

0 Helpful

kpanduric
Level 1
Level 1
In response to Najeeb Mohammad

‎07-04-2013 03:15 AM

Hi Mohammed,

as the TAC engineer and developer said, the problem is in the CA root certificate that was imported in DER format.

Try exporting the root CA certificate (not the one issued to the ISE node by the CA,  but the one that is in the Certificate Store), convert it from PKCS#7,DER to X509,PEM format, delete the old CA root cert and import the one you just got as a result of conversion.

You will need some Linux/UNIX box with OpenSSL tools installed. Suppose you exported the original cert to file named cert1.pem, when you try to read it using the following command, you get an error:

     # openssl x509 -in cert1.pem -inform DER -text

     unable to load certificate

following some ASN error messages. To convert it use the following command:

     openssl pkcs7 -inform der -in cert1.pem -print_certs > cert2.pem

Now you can read cert data using the command:

     openssl x509 -inform pem -in cert2.pem -noout -text

The file cert2.pem is the one that should be imported as a root CA certificate into the Certificate Store on ISE.

HTH,

Kreso

Najeeb Mohammad
Level 1
Level 1
In response to kpanduric

‎07-04-2013 08:22 AM

Hi Kreso,

Thanks for your valuable input, problem got solved now. Instead of using openssl we re issued the CA certificate from the local CA and uploaded to ISE ceritification store. The issue was with the old CA certificate.

Thanks alot.

Regards

Najeeb

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents