
What should be checked in the Usage checkboxes when binding a CSR?

I am installing a certificate on ISE.

I added the Root_Bundle certificate to Trusted Certificates, and it is time to do the CSR bind.

I will try to bind the pem file to the CSR.

Please advise which items should be checked in the checkboxes.

My purpose is to prevent the Untrusted Server message from popping up when using AnyConnect Posture.

For reference, the ASA has a certificate installed.

Attachments: cert.png, CSRusage.png, untrusted_server_on_isepng.png

2 Accepted Solutions (both reproduced in the replies below)


15 Replies

Anurag Sharma
Cisco Employee

Hi @JustTakeTheFirstStep ,

You need to have the Portal option checked.

Make sure the FQDN you used is in the CN field of this cert.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.
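Before binding the signed PEM, it is worth confirming what it actually carries and that it chains to the root bundle already imported under Trusted Certificates. The following is an added example written for this page, not code from the thread or from Cisco; the file names server.pem and Root_Bundle.pem are assumptions, and the throwaway self-signed certificate it builds when run without arguments is constructed test data (its -addext option needs OpenSSL 1.1.1 or newer).

```shell
#!/bin/sh
# Added example (not from the thread or Cisco): inspect a PEM before binding it
# to the ISE CSR. Prints the CN and SAN entries, warns when the CN is not also a
# DNS SAN (clients ignore the CN once any SAN is present), and checks that the
# certificate validates against the root bundle you imported into ISE.
# server.pem / Root_Bundle.pem are assumed names; ise.example.com is assumed,
# 172.30.1.55 is the address discussed in the thread.
set -eu

subject_cn() {        # print the subject commonName of a PEM certificate
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,lname \
        | sed -n 's/^ *commonName=//p'
}

san_list() {          # print SAN entries one per line, e.g. "DNS:ise.example.com"
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//'
}

cn_in_san() {         # exit 0 when the CN is also present as a DNS SAN
    cn=$(subject_cn "$1")
    san_list "$1" | grep -qx "DNS:$cn"
}

chains_to_bundle() {  # exit 0 when the cert ($1) validates against the bundle ($2)
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

report() {            # $1 = server certificate PEM, $2 = root bundle PEM
    printf 'CN : %s\n' "$(subject_cn "$1")"
    printf 'SAN: %s\n' "$(san_list "$1" | tr '\n' ' ')"
    cn_in_san "$1" && echo "OK   CN is also a DNS SAN" \
        || echo "WARN CN is not in the SAN; clients ignore the CN when a SAN is present"
    chains_to_bundle "$1" "$2" && echo "OK   chains to $2" \
        || echo "FAIL does not chain to $2 (missing intermediate or wrong bundle?)"
}

make_test_cert() {    # constructed throwaway self-signed cert for the demo/test
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ise.example.com" \
        -addext "subjectAltName=DNS:ise.example.com,IP:172.30.1.55" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

if [ $# -ge 1 ]; then
    report "$1" "${2:-Root_Bundle.pem}"   # usage: sh check_cert.sh server.pem Root_Bundle.pem
else
    tmp=$(mktemp -d)                      # no arguments: demo on the constructed cert
    make_test_cert "$tmp/server.pem"
    report "$tmp/server.pem" "$tmp/server.pem"
    rm -rf "$tmp"
fi
```

Run it against the real PEM and bundle as `sh check_cert.sh server.pem Root_Bundle.pem`; a FAIL on the chain check usually means the signing CA's intermediate is missing from the bundle, which produces the same untrusted-server warning on the client as a name mismatch.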

It would be EAP and Portal.

It is suggested to use the CA for Admin as well, where your GUI is also present.

Be careful if you choose EAP as well. Since this is for VPN authentication, EAP is not required.

If you choose EAP, then ensure that your corporate devices (doing 802.1X) are able to validate the server.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Hi,

Sorry, if you are doing SSL VPN, this certificate error is from the ASA and its web page's trustpoint.

As stated above by Anurag, I hope you are already using EAP for users as well with the corporate certificate.

Thank you for the reply.
We are not using EAP certificates.
Do I need to prepare certificates for Portal and EAP respectively for SSL VPN?
If I understand correctly, do I need 2 certificates?
According to Anurag Sharma, is it true that I only need to check the Portal checkbox?
I am confused about who is right.

Hi,

Sorry for the confusion; let's just sort it out. Anurag and I are just trying to help.

Question 1: 172.30.1.55, is this an ISE IP address?

Question 2: did you create a wildcard certificate for this, or is it a local CA certificate?

Question 3: as you said you are using AnyConnect Posture, are you doing Dot1x authentication?

Posture technically only requires a portal page certificate, but there is a dependency on the other things as well.

If you are doing Posture, you have to do Dot1x authentication as well through the ISE.

Please let us know your complete requirement.

@saxenanitesh8522 ,

 

Regarding this statement: "Are you doing Posture you have to do Dot1x authentication as well through the ISE." This is not true if Posture is being done for VPN clients. VPN clients do normal RADIUS auth and then Posture. No EAP is required.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

@Anurag Sharma 

I agree, but he has not mentioned whether he is doing VPN Posture or Dot1x and then Posture.

That's the reason I asked what the complete scenario is that he is trying to do.

Yep, I believe it's a continuation from the post they made before this. See:

https://community.cisco.com/t5/network-access-control/please-help-install-a-3rd-party-ca-certificate-in-ise/m-p/4099232#M561003 

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

@JustTakeTheFirstStep ,

Please mark Portal and test it out. If testing goes well, you don't need to do anything.

You can move the service (Portal, EAP, etc.) from one certificate to another even after certificate has been imported, if required.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

@Anurag Sharma  then yes, that's there.

@JustTakeTheFirstStep if you are doing the posture for AnyConnect VPN users, then the Portal has to be with the correct certificate. Just make sure you are using a Portal tag in the same web page for the Posture page so you won't get that error.

@saxenanitesh8522 , @Anurag Sharma 

Thank you very much to the two people who were interested in my question.

I seem to have solved one of the certificate messages using the Portal option.

Before is on the left, after is on the right.

[Attachment: 이미지 1.png (Image 1)]

When Posture is running, connecting to a domain name rather than the IP seems to solve all my problems.

What additional settings do I need to resolve "certificate does not match the server name"?

Please refer to the attached file.

Hi @JustTakeTheFirstStep 

Is this the first time you are connecting? 

Is the posture XML file already present on the machine? 

In the Authorization profile for the 'Posture_Unknown' state, make sure the Static IP/Host Name/FQDN option is unchecked.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

I assume you are using the Portal web page on the configured port.

For the default Admin certificate, did you put a SAN name with an IP address?

Because when the portal redirection happens, it goes to the ISE and then it redirects to the posture.

That could be the reason, firstly.

Secondly, for the certificate for the Portal, what did you use as CN and SAN? You can view that from ISE for the Portal.

The issue is mostly the way the certificates were installed; that's why you are getting this issue.
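The two answers above (put the FQDN in the CN, and ask whether the SAN carries the IP address) and the OP's remaining "certificate does not match the server name" error all come down to the name-matching rules a TLS client applies to the portal certificate. The following added example, written for this page and not taken from the thread or from Cisco, implements those rules over the dict shape that Python's ssl.SSLSocket.getpeercert() returns, so it can be run against a hand-written description of the certificate or a live portal. ise.example.com is an assumed FQDN and the three certificate descriptions are constructed; 172.30.1.55 is the address mentioned in the thread.

```python
"""Hostname matching as a TLS client applies it to an ISE portal certificate.

Added example, not code from the thread or from Cisco. It works on the dict
shape returned by ssl.SSLSocket.getpeercert(), so it can be run against a
live portal (fetch_cert below) or against a hand-written description of the
certificate. ise.example.com is an assumed FQDN; 172.30.1.55 is the address
mentioned in the thread.
"""
import ipaddress
import socket
import ssl


def subject_cn(cert):
    """Return the subject commonName, or None."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def san_entries(cert):
    """Split subjectAltName into (dNSName list, iPAddress list)."""
    san = cert.get("subjectAltName", ())
    return ([v for k, v in san if k == "DNS"],
            [v for k, v in san if k == "IP Address"])


def dns_match(pattern, hostname):
    """RFC 6125 style match: case-insensitive; a single '*' only as the whole
    leftmost label, and only when at least two more labels follow it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_name(cert, target):
    """Return (ok, reason) for the name the client was redirected to (FQDN or IP)."""
    dns_names, ip_names = san_entries(cert)
    cn = subject_cn(cert)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        # An IP literal only ever matches an iPAddress SAN; the CN is never consulted.
        if any(ipaddress.ip_address(i) == ip for i in ip_names):
            return True, f"{target} is listed as a SAN iPAddress"
        return False, (f"{target} is an IP literal; SAN iPAddress entries are "
                       f"{ip_names or 'absent'} and the CN is never used for IPs")

    if dns_names:
        # Once any dNSName SAN exists, modern clients ignore the CN entirely.
        if any(dns_match(p, target) for p in dns_names):
            return True, f"{target} matches a SAN dNSName"
        return False, (f"{target} is not covered by SAN dNSNames {dns_names}; "
                       f"CN={cn!r} is ignored because a SAN is present")

    if cn and dns_match(cn, target):
        return True, f"no SAN; CN {cn!r} matches (legacy fallback, rejected by many clients)"
    return False, f"no SAN, and CN {cn!r} does not match {target}"


def fetch_cert(host, port, cafile):
    """Fetch the live portal certificate as a getpeercert() dict.

    The chain must validate against `cafile` (for example the root bundle that
    was imported into ISE Trusted Certificates), otherwise getpeercert() returns
    {}. Hostname checking is switched off here because that is exactly what
    check_name is used to diagnose.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificate descriptions (not real ISE output), in getpeercert() shape.
PORTAL_FQDN_ONLY = {
    "subject": ((("commonName", "ise.example.com"),),),
    "subjectAltName": (("DNS", "ise.example.com"),),
}
PORTAL_WITH_IP = {
    "subject": ((("commonName", "ise.example.com"),),),
    "subjectAltName": (("DNS", "ise.example.com"), ("IP Address", "172.30.1.55")),
}
WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

if __name__ == "__main__":
    for label, cert in (("fqdn-only", PORTAL_FQDN_ONLY), ("with-ip", PORTAL_WITH_IP),
                        ("wildcard", WILDCARD)):
        for target in ("172.30.1.55", "ise.example.com", "psn1.ise.example.com"):
            ok, why = check_name(cert, target)
            print(f"{label:<10} {target:<22} {'OK  ' if ok else 'FAIL'} {why}")
```

The output of the demo shows the behaviour the OP observed: a portal certificate with only a DNS SAN fails whenever the redirect target is the raw IP 172.30.1.55, and passes as soon as the client is sent to the FQDN; adding the IP as a SAN iPAddress entry is the only way to make an IP-based redirect pass, since no client falls back to the CN for IP literals. To run it against the real portal, call check_name(fetch_cert(host, port, "Root_Bundle.pem"), target) with the portal's FQDN, port and the bundle file you imported.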
