ISE posture module is not installed during posture provision

xili5
Cisco Employee

I am working on a PoV for ISE 2.2 posture. The client (Windows 7) gets the redirect link to the posture provision portal, then downloads and installs AnyConnect. The whole process runs well and no warnings or errors are seen. As a result, there is no ISE posture module installed. Only the AnyConnect Secure Mobility Client and the ISE compliance module are installed. I am sure I saw the ISE posture module downloading and installing on my screen.

I have no clue why it happened like this. Any suggestions on what we should do next for this issue?

Shall I manually install the ISE posture module and copy an ISEPostureCFG.xml file from my lab environment to make the posture module work?

br,

Xin

Accepted Solution

xili5
Cisco Employee

When I put "VeriSign Universal Root Certification Authority" into the machine certificate store, the issue is fixed.

5 Replies

hslai
Cisco Employee

It seems you are hitting an issue that I ran into earlier this year, especially if you are in a lab setup and if AnyConnect is 4.4.2034 (4.4 MR2) or later.

It is because the code signing certificate for AnyConnect has switched to SHA-2 and because the lab Windows 7 has not been updated to trust the CA for the SHA-2 code signing certificate.

You may either

xili5
Cisco Employee

Thanks, Lai.

When I tried to install patch KB3033939, it showed me that this patch has been installed.

So I want to try to use AnyConnect 4.4 MR1 or earlier. But on the Cisco website, only 4.4.2034 and later is available to download for the 4.x version. Also, only 3.1.14018 is available to download for the 3.x version, and it seems no Windows web-deploy package is available.

br,

Xin

hslai
Cisco Employee

On the Windows 7 client, use mmc to verify that the Trusted Root Certificates for the admin user and the local computer accounts both include the certificates shown in the attached screenshot, except for root-CA, which is a private MS CA used in our lab setup.

[Attached screenshot: Screen Shot 2017-08-07 at 3.54.49 PM.png]

You may also use eventvwr to see AnyConnect events. Last time I had this install issue, my PC VM was missing "VeriSign Universal Root Certification Authority".

You might want to get the PC up-to-date with all Windows patches.

If none of this helps, then generate a DART file and open a TAC case.

Another option is to use ISE 2.3 and try the new Temporal Agent.
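
The store check described in the post above, together with the code-signing trust problem raised earlier in the thread, can be scripted on the client. The following PowerShell is an added example, not part of the original posts or of any Cisco tooling; the root CA name is taken from the thread and matched by subject (no thumbprint is given on the page), and `$InstallerPath` is a hypothetical placeholder for a locally saved copy of the module installer.

```powershell
# Added example: audits the trust conditions discussed in this thread.
# $RootName comes from the thread; $InstallerPath is a hypothetical placeholder path.
param(
    [string]$RootName      = 'VeriSign Universal Root Certification Authority',
    [string]$InstallerPath = 'C:\Temp\iseposture-installer-placeholder.msi'
)

# 1. Look for the root CA in both Trusted Root stores (current user and local computer).
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    $found = @(Get-ChildItem -Path $store |
               Where-Object { $_.Subject -like "*CN=$RootName*" })
    if ($found.Count -gt 0) {
        foreach ($c in $found) {
            "{0}: present, expires {1:yyyy-MM-dd}, signature algorithm {2}" -f `
                $store, $c.NotAfter, $c.SignatureAlgorithm.FriendlyName
        }
    } else {
        "{0}: MISSING '{1}'" -f $store, $RootName
    }
}

# 2. If a copy of the installer is available, show how Windows evaluates its signature.
if (Test-Path -LiteralPath $InstallerPath) {
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    "Authenticode status: {0} ({1})" -f $sig.Status, $sig.StatusMessage

    if ($sig.SignerCertificate) {
        # Build the chain locally to see where trust stops (e.g. UntrustedRoot, PartialChain).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab clients are often offline
        $ok = $chain.Build($sig.SignerCertificate)
        "Chain builds to a trusted root: {0}" -f $ok
        foreach ($e in $chain.ChainElements) { "  element: {0}" -f $e.Certificate.Subject }
        foreach ($s in $chain.ChainStatus)   { "  status:  {0}" -f $s.Status }
    }
} else {
    "Installer not found at '{0}'; skipped the signature check." -f $InstallerPath
}
```

A `MISSING` line for `Cert:\LocalMachine\Root` corresponds to the condition reported as the cause in this thread.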

xili5
Cisco Employee

When I put "VeriSign Universal Root Certification Authority" into the machine certificate store, the issue is fixed.

hslai
Cisco Employee

Thanks a lot for the update and the info.