cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2491
Views
15
Helpful
8
Replies

ISE - posture fails

kpanduric
Level 1
Level 1

Hello,

I have a problem at the posture checking phase. NAC agent fails to check for posture compliance and remediation never takes place. The client browser is beeing redirected to the following URL: https://ise.xxxx.yy:8443/guestportal/gateway?sessionId=AC16FA49000000778BF9058D&action=cpp, and then to https://ise.xxxx.yy:8443/auth/provisioning/evaluate (shown below)

ise_posturefail.png

Obviously there is a problem on ISE box, missing something. What could be the cause of the problem?

Best regards,

Kreso

8 Replies 8

vikasyad
Level 1
Level 1

Please review the below link which might be  helpful:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html

Hello Vikas,

thank you for the hint.

I have followed the procedure several times but still have the issue.

The TAC case has been opened and for two months I have received only few replies. The problem could be in the certificate issued by the local CA on the AD domain, but as I have not received neither solution nor workaround I can't move forward.

Regards,

K

hi kreso,

Have you got solution from TAC. I also face same issue.

Hi,

Try using self signed certificate that will clear the picture.

Regards
Pankaj

Hi Pankaj,

The problem got solved, it was the issue of CA Certificate . Thanks for your quick response.

Regards

Najeeb

Hi Mohammed,

as the TAC engineer and developer said, the problem is in the CA root certificate that was imported in DER format.

Try exporting the root CA certificate (not the one issued to the ISE node by the CA,  but the one that is in the Certificate Store), convert it from PKCS#7,DER to X509,PEM format, delete the old CA root cert and import the one you just got as a result of conversion.

You will need some Linux/UNIX box with OpenSSL tools installed. Suppose you exported the original cert to file named cert1.pem, when you try to read it using the following command, you get an error:

     # openssl x509 -in cert1.pem -inform DER -text

     unable to load certificate

following some ASN error messages. To convert it use the following command:

     openssl pkcs7 -inform der -in cert1.pem -print_certs > cert2.pem

Now you can read cert data using the command:

     openssl x509 -inform pem -in cert2.pem -noout -text

The file cert2.pem is the one that should be imported as a root CA certificate into the Certificate Store on ISE.

HTH,

Kreso

Hi Kreso,

Thanks for your valuable input, problem got solved now. Instead of using openssl we re issued the CA certificate from the local CA and uploaded to ISE ceritification store. The issue was with the old CA certificate.

Thanks alot.

Regards

Najeeb