
AnyConnect NAM/ISE Posture Agent

Is it possible to install a self-signed certificate from an ISE PSN node to a client PC running AnyConnect so that things like VPN, NAM, and most importantly the ISE Posture Assessment module will trust it without clicking 'Connect Anyway'? I have tried to install the certificate in the local store from the ISE Admin GUI but it's still prompting for trust. Is there a surefire way to install and automatically trust the self-signed certificate from ISE PSN nodes to local PCs so they don't need to click 'Connect Anyway' every time their client connects to the LAN and is checked for posture compliance? I understand already we can buy a signed certificate, but this is a Proof-of-Concept deployment and the certs aren't going to be available for a while. For testing with end users we'd like to not require them to click 'Connect Anyway' 3 times every time they connect to the LAN. Thanks!

Accepted Solutions
Cisco Employee

Re: AnyConnect NAM/ISE Posture Agent

If the client machines are domain computers, then it's good to use Microsoft CA services as the PKI, as the root CA certificates might get installed after domain join. Also, ensure the hostname/FQDN matches either the subject or the subject alternative names. If installing a self-signed certificate, it needs to go to trusted root certificates.

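The two conditions in the accepted answer (name match, then placement in Trusted Root), as an added PowerShell example that is not part of the original thread or Cisco's own tooling. The certificate path and PSN FQDN are placeholders, and the script assumes the PSN certificate has already been exported from ISE to a file on the Windows client.

```powershell
# Added example. Placeholders (not from the thread): $CertPath is the PSN
# certificate exported from ISE; $PsnFqdn is the name the client connects to.
# Run in an elevated PowerShell 5.1+ session on the Windows client.
param(
    [string]$CertPath = 'C:\Temp\ise-psn.cer',
    [string]$PsnFqdn  = 'ise-psn01.example.com'
)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Name check: the FQDN must match the subject CN or a SAN DNS entry.
#    SAN text is parsed from the English-locale rendering ("DNS Name=...").
$names = @($cert.GetNameInfo('SimpleName', $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}
$match = $names | Where-Object {
    # A "*" label in the certificate matches exactly one DNS label.
    $PsnFqdn -match ('^' + [regex]::Escape($_).Replace('\*', '[^.]+') + '$')
}
if (-not $match) {
    throw "Name mismatch: $PsnFqdn not in [$($names -join ', ')]. Reissue the certificate."
}

# 2. Only a self-signed certificate belongs in Trusted Root itself.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not self-signed (issuer: $($cert.Issuer)). Import the issuing root CA instead."
}

# 3. Add it to the machine-wide Trusted Root Certification Authorities store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# 4. Confirm Windows now builds a trusted chain (revocation skipped: self-signed).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
    throw 'Certificate still does not chain to a trusted root.'
}
"OK: $($cert.Thumbprint) trusted for $PsnFqdn until $($cert.NotAfter)"
```

Each PSN presents its own certificate, so the check applies once per node. Remove the certificate from the Root store when the Proof-of-Concept certificates are replaced.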

Cisco Employee

Re: AnyConnect NAM/ISE Posture Agent

I would recommend asking in the AnyConnect forum on AnyConnect-specific issues.

Here is a list

https://communities.cisco.com/community/technology/security/pa

I will move it as well

Re: AnyConnect NAM/ISE Posture Agent

Hi, we have imported the internal CA cert on the primary and secondary ISE and we are still getting the same certificate issue for the posture agent.

But I observed the certificate issue only for the secondary ISE.