06-08-2020 02:44 AM - edited 04-21-2021 09:43 PM
I am installing a certificate on ISE.
I added the Root_Bundle certificate to Trusted Certificates and it's time to do CSR bind.
I will try the pem file to CSR bind.
Please advise what items should be checked in the checkbox.
My purpose is to prevent the Untrusted Server message from popping up when using AnyConnect Posture.
For reference, ASA has a certificate installed.
06-08-2020 03:50 AM
You need to have the Portal option checked.
Make sure the FQDN you used is in the CN field of this cert.
06-08-2020 06:00 AM
It would be EAP and Portal.
It is suggested to CA for admin as well where your GUI is also present.
06-08-2020 07:54 AM
Be careful if you choose EAP as well. Since this is for VPN authentications, EAP is not required.
If you choose EAP, then ensure that your corporate devices (doing 802.1x) are able to validate the server.
06-08-2020 08:57 AM
Hi,
Sorry, if you are doing SSL VPN, this certificate error is from the ASA and its web page, its trust point.
As stated above by Anurag, I hope you are already using EAP for users as well with the corporate certificate.
06-08-2020 04:46 PM
06-08-2020 09:24 PM
Hi,
Sorry for the confusion, let's just sort it out. Anurag and I are just trying to help.
Question 1:- 172.30.1.55 --> is this an ISE IP address?
Question 2:- Did you create a wildcard certificate for this or is it a Local CA certificate?
Question 3:- As you said, you are using AnyConnect Posture. Are you doing Dot1x authentication?
Posture technically only requires a portal page certificate but dependency is on the other things as well.
Are you doing Posture you have to do Dot1x authentication as well through the ISE.
Please let us know your complete requirement.
06-08-2020 10:00 PM
Regarding this statement - "Are you doing Posture you have to do Dot1x authentication as well through the ISE.". This is not true if Posture is being done for VPN clients. VPN clients do normal RADIUS auth and then posture. No EAP is required.
06-08-2020 10:07 PM
I agree, but he has not mentioned if he is doing VPN Posture or Dot1x then Posture.
That's the reason I asked what complete scenario he is trying to do.
06-08-2020 10:45 PM
Yep, I believe it's a continuation from the post they made before this. See:
06-08-2020 10:03 PM
Please mark Portal and test it out. If testing goes well, you don't need to do anything.
You can move the service (Portal, EAP, etc.) from one certificate to another even after certificate has been imported, if required.
06-09-2020 03:07 AM
@Anurag Sharma then yes, that's there.
@JustTakeTheFirstStep if you are doing the posture for AnyConnect VPN users, then Portal has to be with the correct certificate. Just make sure you are using a Portal tag in the same web page for the Posture Page so you won't get that error.
06-09-2020 07:10 AM - edited 04-26-2021 12:46 AM
@saxenanitesh8522 , @Anurag Sharma
Thank you very much to the two people who were interested in my question.
I seem to have solved one of the certificate messages using the Portal option.
Before is on the left, after is on the right.
When Posture is running, connecting to a domain other than IP seems to solve all my problems.
What additional settings do I need to resolve "certificate does not match the server name"?
Please refer to the attached file.
06-09-2020 07:50 AM
Is this the first time you are connecting?
Is the posture XML file already present on the machine?
In the Authorization profile for the 'Posture_Unknown' state, make sure the Static IP/Host Name/FQDN option is unchecked.
06-09-2020 10:21 PM
I assume you are using the Portal webpage on the configured port.
For the default ADMIN certificate, did you put a SAN name with an IP address?
Because when the portal redirection happens, it goes to the ISE, then it goes for redirect to the posture.
It could be that reason firstly.
Secondly, for the Portal certificate, what did you use as CN and SAN? You can view that from ISE for the Portal.
The issue is mostly the way the certificates were installed; that's why you are getting this issue.
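
Added example (not part of the original thread, and not Cisco or AnyConnect code): a generic RFC 6125-style name check showing why a certificate that only carries an FQDN passes when the client connects by name but produces "certificate does not match the server name" when it connects by IP. The FQDN `ise.example.com` and both sample certificates are constructed; `172.30.1.55` is the address mentioned in the thread, and applying this matching logic to a particular client is an assumption.

```python
import ipaddress

def _dns_match(pattern, host):
    """Compare one certificate DNS name with the host; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches(cert, target):
    """Return (ok, reason) for a client connecting to `target`.

    `cert` uses the dict layout returned by ssl.SSLSocket.getpeercert().
    """
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target matches only an "IP Address" SAN entry, never a DNS name or the CN.
        ok = any(ipaddress.ip_address(v) == ip for k, v in san if k == "IP Address")
        return ok, "IP SAN match" if ok else "no IP SAN for this address"
    dns = [v for k, v in san if k == "DNS"]
    if dns:
        ok = any(_dns_match(d, target) for d in dns)
        return ok, "DNS SAN match" if ok else "name not in DNS SANs"
    # Legacy fallback: the CN is consulted only when the certificate has no DNS SAN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ok = any(_dns_match(c, target) for c in cns)
    return ok, "CN match (legacy)" if ok else "name not in CN"

# Constructed sample certificates; ise.example.com is a placeholder FQDN.
SUBJECT = ((("commonName", "ise.example.com"),),)
FQDN_ONLY = {"subject": SUBJECT, "subjectAltName": (("DNS", "ise.example.com"),)}
FQDN_AND_IP = {"subject": SUBJECT,
               "subjectAltName": (("DNS", "ise.example.com"), ("IP Address", "172.30.1.55"))}

if __name__ == "__main__":
    for label, cert in (("FQDN only", FQDN_ONLY), ("FQDN + IP SAN", FQDN_AND_IP)):
        for target in ("ise.example.com", "172.30.1.55"):
            print(f"{label:14} {target:16} -> {cert_matches(cert, target)}")
```

The same function accepts the dictionary from `ssl.SSLSocket.getpeercert()` on a verified connection, so it can be pointed at the names of a real portal certificate.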