Secure client Certificate error with cisco ise posture

jperez netics (Level 1)

I currently have an environment with a DC with the CA role and a Cisco ISE with EAP authentication and portals working just fine, but when I do posture with Cisco Secure Client ISE Posture, I get an issue with the certificate that says "Certificate is not identified for this purpose".

I searched the internet for this problem and could not find the solution.

I am using the same certificate for EAP authentication, portal, and admin; the cert is from a private CA and the certificate chain is distributed to the endpoints that I'm trying to posture.

The ISE certificate EKUs are "server authentication" and "client authentication" because it is multi-purpose.

I don't know if I am missing a certificate attribute or an ISE configuration, because it only happens on posture; the certificate is only untrusted on posture.

Only for clarification: if I disable the option "block connections to untrusted servers" in Cisco Secure Client, I can posture, with the warning showing every time.


6 Replies

Milos_Jovanovic (VIP Alumni)

Hi @jperez netics,

You need to take a look into the DART file to understand where this message comes from. If I had to guess, I would say it is from the Client Provisioning Portal, the portal responsible for pushing the necessary software and profiles to your PC when posturing. Go there and check which certificate you are using. The error message is about the certificate being untrusted, meaning it is not related to attributes (KU, EKU, and similar) but rather to the domains it signs.

Kind regards,

Milos

Hi, I'm using the same certificate that I use for EAP auth; in fact, the client provisioning portal certificate is trusted in my browser. The warning only happens with the client, which is why I'm thinking that it can be a misconfiguration.

The only thing that I have found so far in the DART logs regarding certs is this:

Function: LocalPolicy::GetTrustedISECertFingerprints
Thread Id: 0x8A0
File: LocalPolicy.cpp
Line: 83
Level: warn

XML exception: {1, missing key 'TrustedISECertFingerprints'}.


Function: HttpConnection::initializeTrustedISECertFingerprintsVec
Thread Id: 0x8A0
File: HttpConnection.cpp
Line: 861
Level: info

TrustedISECertFingerprints tag not found.

but I still don't know where I'm wrong.

Can you check the configuration of "AnyConnectLocalPolicy.xml" under "C:\ProgramData\Cisco\Cisco Secure Client\"? There is a section related to CertificateTrust, and also one for allowed servers.

Also, please check this post.

Kind regards,

Milos

jperez netics (Level 1)

Information update: this only happens with the AnyConnect / Secure Client downloader with ISE posture when the scan begins; the same certificate is trusted in every other scenario.

[image: jpereznetics_0-1696347847437.png]

jperez netics (Level 1)

After a series of tests, I figured out the additional certificate requirements for posture.

For certificate trust:

  • Proper CN and SAN
  • Proper certificate chain on the endpoint

For use with ISE in general, include the following EKUs:

  • Server authentication
  • Client authentication

And finally, for trust in the AnyConnect downloader, include the following KUs:

  • Non-repudiation
  • Key encipherment
  • Digital Signature

I figured it out after comparing the self-signed certificate from the ISE itself with the certificate signed by my internal (Microsoft) CA.
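The following script is an added example, not something posted in this thread or shipped by Cisco: it turns the requirement list above (SAN, EKU server/client authentication, KU digital signature, non-repudiation and key encipherment) into an openssl-based check you can run against a PEM export of an ISE system certificate before binding it to the portal. Two throw-away self-signed certificates are constructed in a temp directory so it runs offline; their names, the hostname ise.example.local, and the second certificate's web-server-style KU set (assumed here to show what a failing result looks like, not known to be the poster's configuration) are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a PEM certificate carries
# the attributes the accepted solution lists for ISE posture. Two throw-away
# self-signed certificates are constructed here so the check runs offline;
# their names and contents are assumptions, not the poster's real certificates.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed certificate 1: SAN present, EKU serverAuth+clientAuth,
# KU digitalSignature+nonRepudiation+keyEncipherment (all requirements met).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=ise.example.local" \
  -addext "subjectAltName=DNS:ise.example.local" \
  -addext "extendedKeyUsage=serverAuth,clientAuth" \
  -addext "keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment" \
  -keyout "$WORK/good.key" -out "$WORK/good.pem" 2>/dev/null
GOOD_CERT="$WORK/good.pem"

# Constructed certificate 2: same SAN and EKUs, but a web-server style KU set
# that omits Non Repudiation (an assumed example of a cert that fails the check).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=ise.example.local" \
  -addext "subjectAltName=DNS:ise.example.local" \
  -addext "extendedKeyUsage=serverAuth,clientAuth" \
  -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
  -keyout "$WORK/web.key" -out "$WORK/web.pem" 2>/dev/null
WEB_CERT="$WORK/web.pem"

# ise_cert_check FILE: print one line per requirement; return 0 only if all hold.
# Each requirement is "<extension header as printed by openssl -text>|<value>".
ise_cert_check() {
  txt="$(openssl x509 -in "$1" -noout -text)"
  status=0
  for req in \
    "X509v3 Subject Alternative Name:|DNS:" \
    "X509v3 Extended Key Usage:|TLS Web Server Authentication" \
    "X509v3 Extended Key Usage:|TLS Web Client Authentication" \
    "X509v3 Key Usage:|Digital Signature" \
    "X509v3 Key Usage:|Non Repudiation" \
    "X509v3 Key Usage:|Key Encipherment"
  do
    ext="${req%%|*}"
    val="${req#*|}"
    # openssl prints the extension header on one line and its values on the
    # next, so inspect the header line plus the line that follows it.
    if printf '%s\n' "$txt" | grep -A1 "$ext" | grep -q "$val"; then
      echo "ok      $ext $val"
    else
      echo "MISSING $ext $val"
      status=1
    fi
  done
  return "$status"
}

# Demo run over both constructed certificates.
for c in "$GOOD_CERT" "$WEB_CERT"; do
  echo "== $(basename "$c")"
  ise_cert_check "$c" || echo "=> $(basename "$c") does not meet the posture requirements"
done
```

To use it against a real ISE certificate, export the system certificate as PEM from Administration > System > Certificates and call `ise_cert_check` on that file; a MISSING line on any Key Usage entry means the issuing CA template needs to be adjusted and the certificate reissued, since Key Usage cannot be changed after signing.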
