https://community.cisco.com/t5/network-access-control/ise-pic-integration-with-ad-fmc/m-p/4660372#M576418 <P>Hello&nbsp;<A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/635699" target="_blank"><FONT>@haroungh</FONT></A><FONT><SPAN>&nbsp; Were you able to solve the problem for the integration? I have&nbsp;&nbsp;the same error message</SPAN></FONT></P> Fri, 29 Jul 2022 15:00:11 GMT Carces 2022-07-29T15:00:11Z https://community.cisco.com/t5/network-access-control/ise-pic-integration-with-ad-fmc/m-p/4494023#M570731 <P>&nbsp;Hi Dears,</P><P>i am doing ise-pic lab and i got the follwing error when i&nbsp; have tried to enable pxgrid service in admin cert, admin cert&nbsp; is signed by CA</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pxgrid-service.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/135956i87BF346BDD4ED830/image-size/large?v=v2&amp;px=999" role="button" title="pxgrid-service.png" alt="pxgrid-service.png" /></span></P> Thu, 28 Oct 2021 07:43:23 GMT https://community.cisco.com/t5/network-access-control/ise-pic-integration-with-ad-fmc/m-p/4494023#M570731 GHOZLANE Haroun 2021-10-28T07:43:23Z https://community.cisco.com/t5/network-access-control/ise-pic-integration-with-ad-fmc/m-p/4494081#M570732 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/635699">@GHOZLANE Haroun</a> you cannot simply bind any certificate to the pxgrid service, the certificate in use must have a certificate <STRONG>with both server and client extended key usages (EKU’s)</STRONG>. The admin certificate does not have both of these EKUs, so you will need to create a certificate specifically used for pxgrid. More information:</P> <P>&nbsp;</P> <P><A href="https://community.cisco.com/t5/security-documents/how-to-deploying-certificates-with-pxgrid-ca-signed-ise-pxgrid/ta-p/3626277" target="_blank" rel="noopener">https://community.cisco.com/t5/security-documents/how-to-deploying-certificates-with-pxgrid-ca-signed-ise-pxgrid/ta-p/3626277</A></P> <P><A href="https://integratingit.wordpress.com/2018/08/25/cisco-ise-pxgrid-integration-with-firepower/" target="_blank" rel="noopener">https://integratingit.wordpress.com/2018/08/25/cisco-ise-pxgrid-integration-with-firepower/</A></P> <P><A href="https://www.ciscolive.com/global/on-demand-library.html?search=ise&amp;search.event=ciscolive2021&amp;search.event=ciscoliveus2020&amp;search=ise#/session/1573153556309001Jgr6" target="_blank">https://www.ciscolive.com/global/on-demand-library.html?search=ise&amp;search.event=ciscolive2021&amp;search.event=ciscoliveus2020&amp;search=ise#/session/1573153556309001Jgr6</A></P> <P>&nbsp;</P> Thu, 28 Oct 2021 09:30:52 GMT https://community.cisco.com/t5/network-access-control/ise-pic-integration-with-ad-fmc/m-p/4494081#M570732 Rob Ingram 2021-10-28T09:30:52Z https://community.cisco.com/t5/network-access-control/ise-pic-integration-with-ad-fmc/m-p/4494142#M570740 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;,</P><P>thanks in advance for your support,&nbsp;</P><P><SPAN>&nbsp;actually i am using&nbsp;</SPAN>&nbsp;ise-pic as CA server and i have generated fmc identity certificate and key after that i have uploaded the ise ISE CA, sub, to trust certs and uploaded as well fmc identity cert with key to internal cert.</P><P>when i&nbsp; have tried to joing tmc&nbsp; to ise and&nbsp; it is failed again, take a look bellow</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE-test failed.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/135966iEE10A2D6AA5F4375/image-size/large?v=v2&amp;px=999" role="button" title="ISE-test failed.PNG" alt="ISE-test failed.PNG" /></span></P><P>&nbsp;</P><P>Primary host:<BR />[INFO]: PXGrid v2 is enabled<BR />[ERROR]: Failed to contact pxGrid node at '192.168.0.250': Server returned 401: Unauthorized</P><P><BR />Secondary host:<BR />[INFO]: PXGrid v2 is enabled<BR />[ERROR]: HttpsStringRequest on_handshake error: 337047686: certificate verify failed<BR />[ERROR]: HttpsStringRequest SSL error: 2021-10-28 11:35:03(GMT): Starting SSL Handshake, SSL state:before SSL initialization<BR />2021-10-28 11:35:03(GMT): SSL State:before SSL initialization<BR />2021-10-28 11:35:03(GMT): SSL State:SSLv3/TLS write client hello<BR />2021-10-28 11:35:03(GMT): SSL State:SSLv3/TLS write client hello<BR />2021-10-28 11:35:03(GMT): SSL State:SSLv3/TLS write client hello<BR />2021-10-28 11:35:03(GMT): SSL State:SSLv3/TLS write client hello<BR />2021-10-28 11:35:03(GMT): SSL State:SSLv3/TLS write client hello<BR />2021-10-28 11:35:03(GMT): SSL State:SSLv3/TLS write client hello<BR />2021-10-28 11:35:03(GMT): SSL State:SSLv3/TLS write client hello<BR />2021-10-28 11:35:03(GMT): SSL State:SSLv3/TLS read server hello<BR />2021-10-28 11:35:03(GMT): Entering OpenSSL verify callback, preverified:0, error: self signed certificate in certificate chain, error depth: 3, current_cert: Certificate with Serial Number '0x29DC468856CB4C4CA097BA9FC8CE50AF', issued by 'CN = Certificate Services Root CA - ise-pic-01', to 'CN = Certificate Services Root CA - ise-pic-01'<BR />2021-10-28 11:35:03(GMT): Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x0CC3C225409C4914ACCFF91E18550D9A', issued by 'CN = Certificate Services Endpoint Sub CA - ise-pic-02', to 'OU = Certificate Services System Certificate, CN = ise-pic-02.cisco.corp'<BR />...because SSL negotiation encountered error: self signed certificate in certificate chain<BR />...while validating this entry in the certificate chain: Certificate with Serial Number '0x29DC468856CB4C4CA097BA9FC8CE50AF', issued by 'CN = Certificate Services Root CA - ise-pic-01', to 'CN = Certificate Services Root CA - ise-pic-01'<BR />2021-10-28 11:35:03(GMT): Sending SSL alert:unknown CA<BR />2021-10-28 11:35:03(GMT): SSL State:error<BR />[ERROR]: Failed to contact pxGrid node at '192.168.0.251': Handshake error to 192.168.0.251:8910</P><P>&nbsp;</P> Thu, 28 Oct 2021 11:42:45 GMT https://community.cisco.com/t5/network-access-control/ise-pic-integration-with-ad-fmc/m-p/4494142#M570740 GHOZLANE Haroun 2021-10-28T11:42:45Z https://community.cisco.com/t5/network-access-control/ise-pic-integration-with-ad-fmc/m-p/4660372#M576418 <P>Hello&nbsp;<A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/635699" target="_blank"><FONT>@haroungh</FONT></A><FONT><SPAN>&nbsp; Were you able to solve the problem for the integration? I have&nbsp;&nbsp;the same error message</SPAN></FONT></P> Fri, 29 Jul 2022 15:00:11 GMT https://community.cisco.com/t5/network-access-control/ise-pic-integration-with-ad-fmc/m-p/4660372#M576418 Carces 2022-07-29T15:00:11Z https://community.cisco.com/t5/network-access-control/ise-pic-integration-with-ad-fmc/m-p/4965138#M585370 <P>Anyone have a solution for @haroungh problem. I am getting the same error that is shown above on the secondary host:</P><P>[INFO]: PXGrid v2 is enabled<BR />[ERROR]: HttpsStringRequest on_handshake error: 337047686: certificate verify failed<BR />[ERROR]: HttpsStringRequest SSL error: 2021-10-28 11:35:03(GMT): Starting SSL Handshake, SSL state:before SSL initialization</P> Thu, 23 Nov 2023 16:51:07 GMT https://community.cisco.com/t5/network-access-control/ise-pic-integration-with-ad-fmc/m-p/4965138#M585370 mbargers 2023-11-23T16:51:07Z