Posture Script Condition–Fails to Connect When SHA-256 Fingerprint Add

We’re implementing a script-based posture condition in Cisco ISE to check domain join status on endpoints.

As part of this setup, we’ve added the SHA-256 fingerprint of the ISE PSN's portal certificate into the AnyConnectLocalPolicy.xml file on the endpoint, under the <TrustedISECertFingerprints> section. We followed these documents:

1. https://clicksolution.in/cisco-ise-posture-script-condition/#:~:text=Cisco%20ISE%20posture%20script%20condition%20%E2%80%93%20Script%20Condition,%3E%20Script%20Conditions%20%E2%80%93%20Click%20Add.

2. https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_compliance.html#Cisco_Task.dita_3ff92f79-ae85-46c1-b4c3-110c57530249

However, when the Secure Client attempts to contact the policy server, we receive the following error:

"Failed to connect to the policy server. Contact your administrator."

Interestingly, when we remove the fingerprint from the XML file, the client is able to connect to the policy server, but the script condition fails.


[screenshot]

AnyConnectLocalPolicy.xml: [screenshot]

We’ve verified:

  • The SHA-256 fingerprint is correct and copied directly from the ISE portal certificate (used by the PSN).

  • The fingerprint is in the correct format.

  • The AnyConnectLocalPolicy.xml file is saved correctly in C:\ProgramData\Cisco\Cisco Secure Client\.

Has anyone else faced this behavior? Why is the fingerprint causing the agent to be unable to contact the policy server? Could there be any additional certificate trust validation steps we are missing? Or is there a known issue with script condition trust enforcement in ISE 3.x?
Note: We do not want to install certificates on the client.

Appreciate any insights or troubleshooting suggestions!

Thanks,
Vishnu

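Whatever the root cause turns out to be, the value the agent checks is the certificate the PSN sends on the wire, so comparing the fingerprint in the XML against that certificate, rather than against a copy taken from the admin GUI, is a quick way to rule out a mismatch (wrong certificate, SHA-1 instead of SHA-256, a truncated paste, a stray separator). The following is an added troubleshooting example, not code from the original post or from Cisco; it uses only the Python standard library. Assumptions: port 8443 as the ISE portal port, `<hash>` as the child element name in the constructed sample file (the parser itself accepts any child element under `<TrustedISECertFingerprints>`), and that the fingerprint is the SHA-256 of the leaf certificate's DER encoding. The exact value format the agent accepts should be taken from the Cisco admin guide linked above.

```python
"""Check the SHA-256 fingerprints listed in AnyConnectLocalPolicy.xml against the
certificate an ISE PSN actually presents on its portal port.

Added troubleshooting example (not from the original post or from Cisco);
standard library only. Assumptions are marked in comments."""
import hashlib
import re
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

# Constructed stand-in for a DER-encoded certificate so the module runs offline.
# Real input comes from fetch_presented_cert() or `openssl x509 -outform der`.
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the certificate's DER encoding, i.e. what certificate viewers
    report as the SHA-256 thumbprint; returned as 64 upper-case hex digits."""
    return hashlib.sha256(der_cert).hexdigest().upper()


def colon_format(fingerprint: str) -> str:
    """Display form used by most certificate viewers: AA:BB:CC:..."""
    return ":".join(fingerprint[i:i + 2] for i in range(0, len(fingerprint), 2))


def normalize_fingerprint(value: str) -> str:
    """Drop separators (colons, spaces) and upper-case, so the comparison does not
    depend on which format the value was copied in. Rejects anything that is not
    32 bytes of hex, which catches a SHA-1 thumbprint or a truncated paste."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if len(hexdigits) != 64:
        raise ValueError(
            f"not a SHA-256 fingerprint ({len(hexdigits)} hex digits): {value!r}")
    return hexdigits


def _localname(tag: str) -> str:
    # Tolerate a default xmlns on the root, which ElementTree folds into every tag.
    return tag.rsplit("}", 1)[-1]


def policy_fingerprints(xml_text: str) -> list[str]:
    """Every fingerprint listed under <TrustedISECertFingerprints>, normalized.
    The child element name is not relied on; any child with text is taken."""
    root = ET.fromstring(xml_text)
    found = []
    for element in root.iter():
        if _localname(element.tag) != "TrustedISECertFingerprints":
            continue
        for child in element:
            if child.text and child.text.strip():
                found.append(normalize_fingerprint(child.text))
    return found


def sample_policy(fingerprint: str) -> str:
    """Constructed minimal policy file. <hash> as the child element name is an
    assumption; the real file's layout is in Cisco's Secure Client admin guide."""
    return (
        "<AnyConnectLocalPolicy>\n"
        "  <TrustedISECertFingerprints>\n"
        f"    <hash>{fingerprint}</hash>\n"
        "  </TrustedISECertFingerprints>\n"
        "</AnyConnectLocalPolicy>\n"
    )


def fetch_presented_cert(host: str, port: int = 8443, timeout: float = 5.0) -> bytes:
    """DER bytes of the leaf certificate the server presents on host:port.
    Verification is disabled on purpose: this inspects the certificate, it does
    not trust it. 8443 as the ISE portal port is an assumption; adjust as needed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check(xml_text: str, presented_der: bytes) -> dict:
    """Compare the presented certificate's fingerprint with the listed ones."""
    presented = sha256_fingerprint(presented_der)
    listed = policy_fingerprints(xml_text)
    return {"presented": presented, "listed": listed, "match": presented in listed}


if __name__ == "__main__":
    # usage: script.py <psn-host> <path-to-AnyConnectLocalPolicy.xml> [port]
    if len(sys.argv) >= 3:
        host, path = sys.argv[1], sys.argv[2]
        port = int(sys.argv[3]) if len(sys.argv) > 3 else 8443
        with open(path, encoding="utf-8") as fh:
            result = check(fh.read(), fetch_presented_cert(host, port))
    else:  # offline demonstration on the constructed sample
        result = check(sample_policy(colon_format(sha256_fingerprint(SAMPLE_DER))), SAMPLE_DER)
    print("presented:", colon_format(result["presented"]))
    for fp in result["listed"]:
        print("listed:   ", colon_format(fp))
    print("MATCH" if result["match"] else "MISMATCH: listed value is not the certificate this port presents")
```

Run it from the endpoint with the PSN's FQDN (the same name the agent is redirected to) and the path to the policy file; a MISMATCH narrows the problem to the value in the XML, while a MATCH means the fingerprint itself is fine and the failure lies elsewhere in the agent's trust handling.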