https://community.cisco.com/t5/network-access-control/synchronize-database-into-cisco-ise/m-p/3812479#M484699 <P>When you register a secondary PAN node to your initial PRIMARY PAN node, then you are creating a deployment (ISE Cube).&nbsp; That has the built in effect that the Secondary PAN will be kept in sync with the Primary PAN.</P> <P>&nbsp;</P> <P>The issue you're describing seems to be with the secondary PAN registration.&nbsp; If you don't have certificate trust&nbsp; between the two servers then the registration will fail.</P> <P>The cleanest way to make this happen is to create Admin certs from a common PKI (e.g. your internal Windows CA Server).&nbsp; &nbsp;Then install the PKI CA cert chain on ALL of your ISE nodes.&nbsp; Then import the ISE Admin to each node (or if you created a CSR per node, then simply bind the cert from your PKI back to each node).</P> <P>Then when you register node 02 to node 01, the node 01 will trust the cert of node 02 because the node 02 cert was issued by a CA that is in node 01's trust store.</P> <P>Don't be tempted to import each other's ISE self-signed Admin cert - that's the quick and dirty (and lazy) approach.</P> <P>&nbsp;</P> Fri, 01 Mar 2019 12:46:33 GMT Arne Bier 2019-03-01T12:46:33Z https://community.cisco.com/t5/network-access-control/synchronize-database-into-cisco-ise/m-p/3812324#M484696 <P>Hello guys,&nbsp;</P><P>&nbsp;</P><P>I have a problem...</P><P>I need to create a synchronize database betewen two serveur ISE (ISE1 Primary server and ISE2 secondary server).</P><P>&nbsp;</P><P>More precisely, i&nbsp;would like the identities&nbsp; create on my ISE1 server to be automatically replicated to the ISE2 server.</P><P>&nbsp;</P><P><SPAN>I have already imported the certificates and activated the option "<EM>Trust for authentication within ISE</EM>" But an error message occurs....</SPAN></P><P>&nbsp;</P><P><EM>"Unable to authenticate ISE SGISE02.tiretech.contiwan.com. Please check server and CA certificate configuration and make sure 'Trust for authentication within ISE' option is selected."</EM></P><P>&nbsp;</P><P><EM>Thx you....</EM></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 01 Mar 2019 07:37:08 GMT https://community.cisco.com/t5/network-access-control/synchronize-database-into-cisco-ise/m-p/3812324#M484696 Etlicher 2019-03-01T07:37:08Z https://community.cisco.com/t5/network-access-control/synchronize-database-into-cisco-ise/m-p/3812479#M484699 <P>When you register a secondary PAN node to your initial PRIMARY PAN node, then you are creating a deployment (ISE Cube).&nbsp; That has the built in effect that the Secondary PAN will be kept in sync with the Primary PAN.</P> <P>&nbsp;</P> <P>The issue you're describing seems to be with the secondary PAN registration.&nbsp; If you don't have certificate trust&nbsp; between the two servers then the registration will fail.</P> <P>The cleanest way to make this happen is to create Admin certs from a common PKI (e.g. your internal Windows CA Server).&nbsp; &nbsp;Then install the PKI CA cert chain on ALL of your ISE nodes.&nbsp; Then import the ISE Admin to each node (or if you created a CSR per node, then simply bind the cert from your PKI back to each node).</P> <P>Then when you register node 02 to node 01, the node 01 will trust the cert of node 02 because the node 02 cert was issued by a CA that is in node 01's trust store.</P> <P>Don't be tempted to import each other's ISE self-signed Admin cert - that's the quick and dirty (and lazy) approach.</P> <P>&nbsp;</P> Fri, 01 Mar 2019 12:46:33 GMT https://community.cisco.com/t5/network-access-control/synchronize-database-into-cisco-ise/m-p/3812479#M484699 Arne Bier 2019-03-01T12:46:33Z