cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
606
Views
0
Helpful
7
Replies

ISE Posture Remediation - Untrusted Server

llomjaria
Level 1
Level 1

Hello,

I have configured posture on ISE 3.2. When anyconnect needs to do automatic remediation I am getting the following message:

The remediation you are attempting cannot be done as you are connected to an untrusted server.

any ideas?

7 Replies 7

balaji.bandi
Hall of Fame
Hall of Fame

Does the untrusted server installed any connect client or you looking client lesss ?

or is this BYOD ?

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I have the following flow:

1. User connect to the wifi. Enters credentials and is redirected to BYOD portal for device registration.

2. After registering the device and getting certificate and NSP, user is automatically connected to the wifi using EAP-TLS.

3. Now user is redirected to Posture portal. User downloads anyconnect and installs it. When agent tries to do remediation (for example, if Windows FW is not turned on), user gets error: "The remediation you are attempting cannot be done as you are connected to an untrusted server."

 

The client doesn't trust the certificate on ISE.  How are you adding certificate trust to ISE?  Does ISE have a private, public, or self-signed CA for admin/portal?

ISE has private CA for admin/portal. 

Yeah so this should be your issue. How will BYOD trust a private CA?

A better other forward would be to use an MDM both for device provisioning and posture checks.

During BYOD onboarding private CA's Root CA is being trusted by the endpoint + endpoint CA is generated and the endpoint is able to connect to the network with EAP-TLS.

I have problem with posture remediation. If endpoint has private CAs root CA trusted, why endpoint is getting the error:

"The remediation you are attempting cannot be done as you are connected to an untrusted server."

 

@llomjaria ISE posture assessment checks for TCP ports 8905 and 8443 (or whichever configured for ISE client provisioning portal). It also depends on the ISE posture module profile, etc. For details, see Compare ISE Posture Redirection Flow to ISE Posture Redirectionless Flow and also CiscoLive BRKSEC-3025.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: