AnyConnect NAM/ISE Posture Agent

klanard
Level 1

Is it possible to install a self-signed certificate from an ISE PSN Node to a client PC running AnyConnect so things like VPN, NAM, and most importantly the ISE Posture Assessment module will trust it without clicking 'Connect Anyway'? I have tried to install the certificate in the local store from the ISE Admin GUI but it's still prompting for trust. Is there a surefire way to install and automatically trust the self-signed certificate from ISE PSN Nodes on local PCs so they don't need to click 'Connect Anyway' every time their client connects to the LAN and is checked for posture compliance? I understand already we can buy a signed certificate but this is a Proof-of-Concept deployment and the certs aren't going to be available for a while. For testing with end-users we'd like to not require them to click 'Connect Anyway' 3 times every time they connect to the LAN. Thanks!

Accepted Solutions

hslai
Cisco Employee

If the client machines are domain computers, then it's good to use Microsoft CA services as the PKI, as the root CA certificates might get installed after domain join. Also, ensure the hostname/FQDN matches either the subject or the subject alternative names. If installing a self-signed certificate, it needs to go to trusted root certificates.
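The two checks named in the answer above, as an added PowerShell example that is not part of the original post or of any Cisco tooling: it confirms the PSN FQDN matches the certificate's subject CN or a DNS subject alternative name, and only then imports the self-signed certificate into the machine's Trusted Root store. The file path and FQDN are placeholder assumptions; run it from an elevated prompt, once per PSN certificate.

```powershell
# Added example. $CertPath and $PsnFqdn are placeholders (assumptions), not values from the thread.
param(
    [string]$CertPath = 'C:\Temp\ise-psn1.cer',   # certificate exported from the ISE node
    [string]$PsnFqdn  = 'psn1.example.com'        # name the client uses to reach the PSN
)
$ErrorActionPreference = 'Stop'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

function Get-CertDnsName {
    param($Cert)
    # Subject CN first, then every DNS entry in the SAN extension (OID 2.5.29.17).
    $names = @($Cert.GetNameInfo('SimpleName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() output is "DNS Name=host, DNS Name=..." on English-locale Windows.
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $names | Where-Object { $_ } | Select-Object -Unique
}

$names  = @(Get-CertDnsName $cert)
$parent = ($PsnFqdn -split '\.', 2)[1]            # domain part, for single-label wildcard matching
$match  = $names | Where-Object {
    $_ -eq $PsnFqdn -or ($_.StartsWith('*.') -and $_.Substring(2) -eq $parent)
}

if (-not $match) {
    # Trusting the certificate does not help if the name the client connects to is not in it.
    Write-Warning "$PsnFqdn is not in the certificate (found: $($names -join ', ')). Reissue it on ISE."
    return
}
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Certificate is not self-signed; import the issuing CA's root certificate instead."
    return
}

# Self-signed: it must sit in Trusted Root Certification Authorities, not Personal.
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
if (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)") {
    Write-Output "Trusted: $($cert.Subject) [$($cert.Thumbprint)], expires $($cert.NotAfter)"
}
```

Remove the certificate from the Root store again when the proof of concept ends and CA-signed certificates replace it.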


3 Replies

Jason Kunst
Cisco Employee

I would recommend asking in the AnyConnect forum on AnyConnect-specific issues.

Here is a list

https://communities.cisco.com/community/technology/security/pa

I will move it as well

hslai
Cisco Employee

If the client machines are domain computers, then it's good to use Microsoft CA services as the PKI, as the root CA certificates might get installed after domain join. Also, ensure the hostname/FQDN matches either the subject or the subject alternative names. If installing a self-signed certificate, it needs to go to trusted root certificates.

Hi, we have imported the internal CA cert on the primary and secondary ISE and we are still getting the same certificate issue for the posture agent.

But I observed the certificate issue only for the secondary ISE.

 
