Windows Certificate Store for AnyConnect ISE Posture Module

Daniel Stefani

Hi, 

I would like to know where the AnyConnect ISE Posture Module looks for the certificate when it is communicating with the ISE PSN (Policy Server).

The ISE certificate is signed by the Corporate Root CA.

Should I import the Corporate Root Certificate into the Personal or the Machine Store on the Windows 10 workstation?

 

Best Regards,

Daniel Stefani

1 Accepted Solution


@Daniel Stefani import the root certificate of the Corporate Root CA into the machine Trusted Root Certificate Authority store on the computer to ensure trust with the ISE certificate.

If this is an Active Directory environment and the Corporate Root CA is an MS AD CA, then it's likely the Windows GPO will have deployed the root CA to the domain-joined computers.



Thank you @Rob Ingram. Do you know if Cisco has some documentation explaining this?

In my scenario, the customer is enforcing ISE Posture for partners connecting by VPN. Partners must install the AC ISE Posture module. Some partners do not have admin privileges on their Windows machines, so they can't install the (corporate) Root Certificate in the Machine Store. In this case, we can work in two ways: the customer can provide a public certificate for the CP Portal, or third-party partners with no admin privileges need to ask their IT team to install the Corp Root Cert in the Machine Store.

Anyway, thank you for your help.

Best Regards,

Daniel Stefani

@Daniel Stefani OK, in that case they can install the corporate root certificate in the user Trusted Root Certificate Authority store if they don't have access to the machine certificate store. This will mean only that user has that root certificate installed, but at least that user will trust the certificate.
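
The two options discussed in this thread (machine store versus user store), as an added PowerShell example that is not part of the original posts and is not Cisco code. It assumes the corporate root was delivered as a `.cer` file and that its thumbprint was obtained separately from the CA owner; the file path and thumbprint below are placeholders.

```powershell
# Added example. $RootCertPath and $ExpectedThumbprint are placeholders (assumptions),
# not values from the thread.
param(
    [string]$RootCertPath       = 'C:\Temp\corp-root-ca.cer',
    [string]$ExpectedThumbprint = '<THUMBPRINT-FROM-CA-OWNER>'
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCertPath
$thumb = $cert.Thumbprint

# Never add a root to a trust store on the strength of the file alone:
# compare its thumbprint with the value received out of band.
if ($thumb -ne ($ExpectedThumbprint -replace '\s', '').ToUpper()) {
    throw "Thumbprint mismatch, file has $thumb. Not importing."
}

# A root CA certificate is self-signed, so subject and issuer must match.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate: issued by '$($cert.Issuer)'."
}

# Report where the root is already trusted. The machine store is checked first
# because trust placed there applies to every account on the computer.
if (Test-Path "Cert:\LocalMachine\Root\$thumb") {
    "Already trusted machine-wide (LocalMachine\Root), e.g. deployed by GPO."
    return
}
if (Test-Path "Cert:\CurrentUser\Root\$thumb") {
    "Already trusted for $env:USERNAME only (CurrentUser\Root)."
    return
}

# Writing to LocalMachine\Root needs an elevated session; without one,
# fall back to the per-user store as suggested in the last reply.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
$target   = if ($isAdmin) { 'Cert:\LocalMachine\Root' } else { 'Cert:\CurrentUser\Root' }

# Expect a Windows confirmation prompt when the target is the per-user root store.
Import-Certificate -FilePath $RootCertPath -CertStoreLocation $target | Out-Null
"Imported $thumb into $target"
```

Running it a second time reports which store holds the root, which is a quick way to confirm whether a partner machine ended up with machine-wide or per-user trust.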