topic Did you install the server in Network Access Control

ISE- unable to register a node

avinash2092 — Mon, 11 Mar 2019 05:47:11 GMT

Hi all,

We are trying to integrate a new ISE node as a PSN to our current setup. When we try to register we are getting below error messages. Does anyone has faced same issue. Also need clarity on these error messages.

When trying to register with IP address we are getting error message as below:

Unable to authenticate ISE secondary_ise_name. Please check server and CA certificate configuration and try again .

When trying to register with FQDN we are getting error message as below :

FQDN 'XYZ.local.com' which cannot be resolved. Please check your DNS configuration.

So need clarity whether this is a DNS or Certificate issue.

Regards,

Avinash

Did you install the server

jrabinow — Sun, 07 Jun 2015 21:16:49 GMT

Did you install the server certificate of the seconday in the trust certificate list of the primary

I think this is required to enable the communications

We are adding this as a pure

avinash2092 — Mon, 08 Jun 2015 06:20:09 GMT

We are adding this as a pure PSN node. Its certificate has been added in certificate store in primary admin node

Hi,Please make sure that your

krishnangangster — Mon, 08 Jun 2015 07:38:36 GMT

Hi,

Please make sure that your FQDN is resolvable by your ISE.

For that you need to add entry for DNS in your Server.

make sure you have secondary

Venkatesh Attuluri — Thu, 11 Jun 2015 09:01:28 GMT

make sure you have secondary PSN certificate in primary PSN and secondary PSN dns should be resolvable . if still issue check "ise-psc.log" can give you insight

Depending on what version of

ajc — Thu, 11 Jun 2015 21:24:09 GMT

Depending on what version of ISE you are running the new PSN MUST have a certificate signed by the same CA Server like the Primary PAN Node.

On Version 1.2 and above, the Primary PAN validates the certificate presented by the new PSN so it can join to the current deployment. In addition to that you MUST have in the DNS an entry for the FQDN of the new PSN. In the previous 1.1.3 version you could include a new PSN only with the IP but this option is NO more available. The Primary PAN Node requests the IP of the new PSN Node from DNS based on the FQDN provided during the join process.

Hoping this helps.

When you add the PSN server

alberx — Tue, 18 Aug 2015 07:28:34 GMT

When you add the PSN server certificate to the trust store in primary, did you tick the "trust for ISE registration"?

Hi Alberx, Based on my

ajc — Tue, 18 Aug 2015 19:45:02 GMT

Hi Alberx,

Based on my understanding, you do not need to add the PSN's certificates into the PAN Primary ISE trust store at least on version 1.2.1.198. You only have to install the certificate in the corresponding PSN, that certificate could be a SAN Certificate that includes all the FQDN Names of the ISE nodes in your deployment (actually I am using only 1 common certificate for all my deployment - 12 ISE's) but that certificate must be signed for the same CA Server like Primary PAN Cert.

Regarding the "trust for ISE Registration", I would say YES to tick it because when you are building the deployment, the certificate presented by each PSN or MNT Node to be integrated with the Prim PAN Node is used so PAN Node can check if the CA Server who signed the MNT/PSN cert is a valid one during the registration process.

Hoping this helps.