08-05-2017 01:45 AM
I am working on a PoV for ISE 2.2 posture. The client (Windows 7) gets the redirect link to the posture provision portal, then downloads and installs AnyConnect. The whole process runs well and no warnings or errors are seen. As a result, there is no ISE posture module installed. Only the AnyConnect Secure Mobility Client and ISE compliance module are installed. I am sure I see the ISE posture module downloading and installing on my screen.
I have no clue why it happened like this. Any suggestions on what we should do next for this issue?
Shall I manually install the ISE posture module and copy an ISEPostureCFG.xml file from my lab environment to make the posture module work?
br,
Xin
08-05-2017 11:28 AM
It seems you are hitting an issue that I ran into earlier this year, especially if you are in a lab setup and if the AnyConnect is of 4.4.2034 (4.4 MR2) or later.
It is because the code signing certificate for AnyConnect has switched to SHA-2 and because the lab Windows 7 has not been updated to trust the CA for the SHA-2 code signing certificate.
You may either
08-06-2017 07:19 PM
Thanks, Lai.
When I tried to install patch KB3033939, it showed me that this patch has already been installed.
So I want to try to use AnyConnect 4.4 MR1 or earlier. But on the Cisco website, only 4.4.2034 and later is available to download for the 4.x version. Also, only 3.1.14018 is available to download for the 3.x version, and it seems no Windows web-deploy package is available.
br,
Xin
08-07-2017 04:04 PM
On the Windows 7 client, use mmc to verify that the Trusted Root Certificates for the admin user and the local computer accounts both include the certificates shown in the screenshot attached, except for root-CA, which is a private MS CA used in our lab setup.
You may also use eventvwr to see AnyConnect events. Last time I had this install issue, my PC VM was missing "VeriSign Universal Root Certification Authority".
You might want to get the PC up-to-date with all Windows patches.
If none of this helps, then generate a DART file and open a TAC case.
Another option is to use ISE 2.3 and try the new Temporal Agent.
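The root-store check described in the post above can also be scripted. The following PowerShell is an added example, not part of the original thread and not a Cisco tool; `$InstallerPath` is a hypothetical parameter that should point at whatever signed package is being tested.

```powershell
# Added example (not from the thread). Checks both root stores named in the
# reply for the VeriSign root, then optionally validates a signed file's chain.
# $InstallerPath is a hypothetical placeholder; leave it empty to skip step 2.
param(
    [string]$RootName = 'VeriSign Universal Root Certification Authority',
    [string]$InstallerPath = ''
)

# 1. Look for the root in the local computer and current user root stores.
foreach ($location in 'LocalMachine', 'CurrentUser') {
    $hits = @(Get-ChildItem -Path "Cert:\$location\Root" |
        Where-Object { $_.Subject -like "*CN=$RootName*" })
    if ($hits.Count -eq 0) {
        Write-Output "$location\Root: MISSING '$RootName'"
    }
    foreach ($cert in $hits) {
        # A present but expired root fails chain building just like a missing one.
        $state = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'present' }
        Write-Output ("$location\Root: $state, thumbprint $($cert.Thumbprint), " +
            "expires $($cert.NotAfter.ToString('yyyy-MM-dd'))")
    }
}

# 2. Validate the code-signing chain of the file, if one was given.
if ($InstallerPath -and (Test-Path $InstallerPath)) {
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    Write-Output "Signature status: $($sig.Status) - $($sig.StatusMessage)"
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Lab machines are often offline, so skip revocation lookups here.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($sig.SignerCertificate)
        Write-Output "Chain builds to a trusted root: $trusted"
        foreach ($element in $chain.ChainElements) {
            Write-Output "  $($element.Certificate.Subject)"
        }
        # Any entry here (for example UntrustedRoot) explains a failed build.
        foreach ($status in $chain.ChainStatus) {
            Write-Output "  chain error: $($status.Status) - $($status.StatusInformation.Trim())"
        }
    }
}
```

Run it once as the logged-in user; a `MISSING` line for `LocalMachine\Root` matches the condition reported in this thread.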
08-11-2017 08:40 AM
When I put "VeriSign Universal Root Certification Authority" into the machine certificate store, the issue was fixed.
08-11-2017 06:29 PM
Thanks a lot for the update and the info.