Wireless Anyconnect Posture failure

pcno
Level 1

Hi,

I am trying to do a wireless posture system scan via AnyConnect. Everything is configured as per the document. I got the redirect page, and it downloads and installs the AnyConnect software, but after installation it doesn't start the system scan.
In the log, it says "Unauthorised policy server". In the Posture folder's .XML file I can see my ISE IP and the profile name.

I am attaching all screenshots.
Please tell me how to fix this error.

Thanks

Accepted Solutions

Mike.Cifelli
VIP Alumni
From AC documentation: Unauthorized policy server—The host does not match the server name rule of the ISE network so there is limited or no network access.
AFAIK, I think there could be a discrepancy between your ISE posture profile config server name rule and the ISE cert. Are you able to test and modify the server name rule to just include '*' to see if it will work? Can you share how your cert is set up? Is your server name identified at the bottom of the chain? If using a wildcard like your server name rule depicts, is the cert a wildcard cert with the PSN hostnames configured as SAN?

Thank you, Mike, for the quick reply. I am using *.domain.com and getting this error. Please check the attached screenshot; it has all config details.
ISE20.DOMAIN.COM is the cert common name; there isn't any SAN field, and .205 is the IP of my ISE (version 2.4).

This default cert is already kept in the client computer's trusted store as well.

Thanks
Priyesh

Try changing your server name rule to: ISE20.DOMAIN.COM and testing the overall setup. I suspect that in order to get this working as you are expecting with the server name rule you may need a new cert.

I tried putting * and it worked. Earlier I was trying *.Domain.com; now, by simply putting a * without any domain name, it worked.

Thank you for your help.