https://community.cisco.com/t5/network-access-control/why-is-the-pan-ca-is-not-there/m-p/3457249#M527081 <HTML><HEAD></HEAD><BODY><P>Hi Forum,</P><P></P><P>I have 2 nodes a primary and a secondary. I'm deploying onboarding for byod but I'm having an issue where my primary PAN/PSN CA certs are not there. I check on the cli and the Cert authority service is running. See the attached image. the issue is that when users are redirected to the primary PSN for onboarding, the get an error regarding SSL session but when I disconnect the primary PSN and the user request goes to secondary PSN they work fine.</P><P></P><P>any advice is appreciated.</P></BODY></HTML> Fri, 01 Sep 2017 03:48:45 GMT ffadhilpi 2017-09-01T03:48:45Z https://community.cisco.com/t5/network-access-control/why-is-the-pan-ca-is-not-there/m-p/3457249#M527081 <HTML><HEAD></HEAD><BODY><P>Hi Forum,</P><P></P><P>I have 2 nodes a primary and a secondary. I'm deploying onboarding for byod but I'm having an issue where my primary PAN/PSN CA certs are not there. I check on the cli and the Cert authority service is running. See the attached image. the issue is that when users are redirected to the primary PSN for onboarding, the get an error regarding SSL session but when I disconnect the primary PSN and the user request goes to secondary PSN they work fine.</P><P></P><P>any advice is appreciated.</P></BODY></HTML> Fri, 01 Sep 2017 03:48:45 GMT https://community.cisco.com/t5/network-access-control/why-is-the-pan-ca-is-not-there/m-p/3457249#M527081 ffadhilpi 2017-09-01T03:48:45Z https://community.cisco.com/t5/network-access-control/why-is-the-pan-ca-is-not-there/m-p/3457250#M527082 <HTML><HEAD></HEAD><BODY><P>Check the trust certificate store and verify if see the Root CA cert.&nbsp; Depending on which node was Primary PAN at time of install, root CA may be on secondary PAN now.&nbsp; You can create repository and run export internal CA certs from CLI (under 'application configure ise') and you will see all the cert certs and chain after export in CLI.&nbsp; Check on both nodes.</P></BODY></HTML> Fri, 01 Sep 2017 12:09:49 GMT https://community.cisco.com/t5/network-access-control/why-is-the-pan-ca-is-not-there/m-p/3457250#M527082 Craig Hyps 2017-09-01T12:09:49Z https://community.cisco.com/t5/network-access-control/why-is-the-pan-ca-is-not-there/m-p/3457251#M527083 <HTML><HEAD></HEAD><BODY><P>Adding to Craig's, it appears that your deployment's primary PAN changed the hostname before, because the common name of the root CA looks differently from either node.</P><P></P><P>As you are going to change the hostname again, I would suggest you to go ahead doing that and then replace the internal CA certificates, which will be single-root. See <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0111.html#task_FF93B4C51BAC4CA196A48B607DAA595D">Generate Root CA and Subordinate CAs on the PAN and PSN</A></P></BODY></HTML> Fri, 01 Sep 2017 21:41:10 GMT https://community.cisco.com/t5/network-access-control/why-is-the-pan-ca-is-not-there/m-p/3457251#M527083 hslai 2017-09-01T21:41:10Z