klanard
Beginner

AnyConnect NAM/ISE Posture Agent

Is it possible to install a self-signed certificate from an ISE PSN node to a client PC running AnyConnect so things like VPN, NAM, and most importantly the ISE Posture Assessment module will trust it without clicking 'Connect Anyway'? I have tried to install the certificate in the local store from the ISE Admin GUI but it's still prompting for trust. Is there a surefire way to install and automatically trust the self-signed certificate from ISE PSN nodes to local PCs so they don't need to click 'Connect Anyway' every time their client connects to the LAN and is checked for posture compliance? I understand already we can buy a signed certificate but this is a Proof-of-Concept deployment and the certs aren't going to be available for a while. For testing with end-users we'd like to not require them to click 'Connect Anyway' 3 times every time they connect to the LAN. Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
hslai
Cisco Employee

If the client machines are domain computers, then it's good to use Microsoft CA services as the PKI, as the root CA certificates might get installed after domain join. Also, ensure the hostname/FQDN matches either the subject or the subject alternative names. If installing a self-signed certificate, it needs to go to trusted root certificates.
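
One way to apply the two checks from this answer on a Windows client, as an added example that is not part of the original thread and not Cisco tooling. The export path `C:\Temp\ise-psn.cer` and the FQDN `psn1.example.local` are hypothetical placeholders; the script assumes an elevated prompt and English-language Windows.

```powershell
# Added example, run from an elevated PowerShell prompt on the client PC.
# Hypothetical values: export path of the PSN certificate and the PSN's FQDN.
param(
    [string]$CertPath = 'C:\Temp\ise-psn.cer',
    [string]$PsnFqdn  = 'psn1.example.local'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Names the certificate covers: SAN dNSName entries plus the subject CN.
$names = @()
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format($true) prints one SAN entry per line ("DNS Name=..." on English Windows).
    foreach ($line in ($san.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*DNS Name=(.+)$') { $names += $Matches[1].Trim() }
    }
}
$names += $cert.GetNameInfo('SimpleName', $false)

# Refuse to import a certificate that would still fail the name check.
# Exact match only; wildcard SAN entries are not expanded here.
if ($names -notcontains $PsnFqdn) {
    throw "Certificate covers [$($names -join ', ')], not $PsnFqdn. Reissue it on ISE first."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}
if ($cert.Subject -ne $cert.Issuer) {
    throw 'Not self-signed: import the issuing CA certificate instead of this one.'
}

# A self-signed certificate is its own root, so it belongs in Trusted Root
# Certification Authorities for the machine, not in the Personal store.
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm the certificate is now present in the machine's trusted root store.
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw 'Import did not place the certificate in LocalMachine\Root.' }
"Trusted $($cert.Subject) (thumbprint $($cert.Thumbprint)) for $PsnFqdn"
```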


3 REPLIES
Jason Kunst
Cisco Employee

I would recommend asking in the AnyConnect forum about AnyConnect-specific issues.

Here is a list

https://communities.cisco.com/community/technology/security/pa

I will move it as well

Hi, we have imported the internal CA cert on the primary and secondary ISE, and we are still getting the same certificate issue for the posture agent.

But I observed the certificate issue only for the secondary ISE.

 
