ISE Posture Remediation - Untrusted Server

llomjaria
Level 1

Hello,

I have configured posture on ISE 3.2. When AnyConnect needs to do automatic remediation I am getting the following message:

"The remediation you are attempting cannot be done as you are connected to an untrusted server."

Any ideas?

7 Replies

balaji.bandi
Hall of Fame

Does the untrusted server have the AnyConnect client installed, or are you looking at clientless?

Or is this BYOD?


BB


I have the following flow:

1. The user connects to the wifi, enters credentials and is redirected to the BYOD portal for device registration.

2. After registering the device and getting the certificate and NSP, the user is automatically connected to the wifi using EAP-TLS.

3. Now the user is redirected to the Posture portal. The user downloads AnyConnect and installs it. When the agent tries to do remediation (for example, if the Windows FW is not turned on), the user gets the error: "The remediation you are attempting cannot be done as you are connected to an untrusted server."


The client doesn't trust the certificate on ISE. How are you adding certificate trust to ISE? Does ISE have a private, public, or self-signed CA for admin/portal?

ISE has a private CA for admin/portal.

Yeah, so this should be your issue. How will BYOD trust a private CA?

A better way forward would be to use an MDM for both device provisioning and posture checks.

During BYOD onboarding the private CA's root CA is trusted by the endpoint and an endpoint certificate is generated, and the endpoint is able to connect to the network with EAP-TLS.

I have a problem with posture remediation. If the endpoint has the private CA's root CA trusted, why is the endpoint getting the error:

"The remediation you are attempting cannot be done as you are connected to an untrusted server."


@llomjaria ISE posture assessment checks for TCP ports 8905 and 8443 (or whichever is configured for the ISE client provisioning portal). It also depends on the ISE posture module profile, etc. For details, see Compare ISE Posture Redirection Flow to ISE Posture Redirectionless Flow and also Cisco Live BRKSEC-3025.
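The "untrusted server" message in this thread comes down to the posture module refusing to talk to a PSN whose certificate it cannot validate: the chain must end in a root the endpoint trusts, and the portal FQDN the agent was sent to must appear in the certificate's SAN. The script below is an added example, not code from the thread or from Cisco; it reproduces the situation offline with a throwaway private CA and shows the two checks that have to pass. The FQDN ise-psn1.example.internal and the file names are made up for the demo, and openssl 1.1.1 or later is assumed on PATH. The last function is the same check against a live PSN on the 8443/8905 ports mentioned in the reply above; it is defined but not run here. One caveat a practitioner should keep in mind when using either check: run it from the trust store the agent actually consults (for a service on Windows that is typically the Local Computer store), since a root that only landed in the current user's store during BYOD onboarding does not help a system service.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "untrusted server"
# condition offline with a throwaway private CA, then show the two checks an
# endpoint must pass for the ISE portal/posture certificate: chain trust and
# hostname (SAN) match. Requires openssl 1.1.1+ on PATH.
set -eu

# Assumed demo names; substitute your PSN FQDN and your real root CA file.
ISE_FQDN="ise-psn1.example.internal"
WORK="${WORK:-$(mktemp -d)}"

# Build a private root CA and an ISE portal certificate signed by it.
# (openssl req -x509 issues a CA:TRUE certificate by default.)
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Example Private Root CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/ise.key" -out "$WORK/ise.csr" \
    -subj "/CN=$ISE_FQDN" >/dev/null 2>&1
  # The SAN is what the posture module compares against the portal FQDN.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$ISE_FQDN" \
    > "$WORK/ise.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/ise.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ise.ext" -out "$WORK/ise.pem" >/dev/null 2>&1
}

# Offline check: is certificate $2 accepted for hostname $1 by an endpoint
# whose trust store contains only $3? With $3 omitted, the system roots are
# used instead, which models an endpoint that never received the private
# root. Returns 0 when trusted, 1 when the agent would call it untrusted.
endpoint_trusts_ise() {
  fqdn=$1; cert=$2; cafile=${3:-}
  if [ -n "$cafile" ]; then
    openssl verify -no-CApath -no-CAfile -CAfile "$cafile" \
      -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1
  else
    openssl verify -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1
  fi
}

# Live check against a real PSN (not run in this demo): does the endpoint's
# view of port $2 (8443 or 8905) chain to root $3 and carry $1 in the SAN?
probe_ise_port() {
  openssl s_client -connect "$1:$2" -servername "$1" -verify_hostname "$1" \
    -CAfile "$3" -verify_return_error </dev/null >/dev/null 2>&1
}

show() {
  label=$1; shift
  if endpoint_trusts_ise "$@"; then
    echo "$label: trusted"
  else
    echo "$label: UNTRUSTED (posture remediation would be refused)"
  fi
}

make_demo_pki
show "private root installed, SAN matches portal FQDN" \
  "$ISE_FQDN" "$WORK/ise.pem" "$WORK/root.pem"
show "only system roots (private root never pushed to this store)" \
  "$ISE_FQDN" "$WORK/ise.pem"
show "private root installed, but agent sent to a name not in the SAN" \
  "ise-psn2.example.internal" "$WORK/ise.pem" "$WORK/root.pem"
```

Against a real deployment, `probe_ise_port ise-psn1.example.internal 8443 /path/to/root.pem` (and the same for 8905) from the endpoint tells you whether the problem is the chain or the name before you touch the ISE configuration.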