https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4724100#M578363 <P>Turns out 1/3 DNS servers had a second, old POR for the node in question that was responding first, despite rx'ing the correct response from nslookup in the node. Had to go into the DNS server and delete the old POR. Cert error message resolved right after that.&nbsp;</P> Fri, 18 Nov 2022 18:59:50 GMT jdmaybe 2022-11-18T18:59:50Z https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4722612#M578294 <P>After a storage failure, had to recreate a new ISE instance. Upon rebuilding and relicensing, attempting to re-register the node into the distributed deployment (after confirming most up to date version and patch across sites), getting the following error,</P><P>&nbsp;</P><P>"Unable to authenticate ISE (FQDN) Please check certificate configuration.&nbsp;</P><P>Make sure from 'Primary Admin Node' system certificate chain of registering node is present in 'Trusted certificates' and 'Trust for authentication with ISE' Option selected."</P><P>After doing both of those things, (using self-signed) and manually importing the appropriate certificates to each node, still receiving the same error.&nbsp;</P><P>&nbsp;</P><P>Thanks in advance</P><P>&nbsp;</P> Wed, 16 Nov 2022 17:31:57 GMT https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4722612#M578294 jdmaybe 2022-11-16T17:31:57Z https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4723216#M578306 <P>&nbsp;</P> <P>&nbsp;- FYI :&nbsp;<A href="https://community.cisco.com/t5/network-access-control/ise-unable-to-register-a-node/td-p/2673444" target="_blank">https://community.cisco.com/t5/network-access-control/ise-unable-to-register-a-node/td-p/2673444</A></P> <P>M.</P> Thu, 17 Nov 2022 13:33:37 GMT https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4723216#M578306 Mark Elsen 2022-11-17T13:33:37Z https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4723315#M578311 <P>DNS resolves both ways and both nodes have the corresponding cert from the other as well.&nbsp;</P> Thu, 17 Nov 2022 16:54:51 GMT https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4723315#M578311 jdmaybe 2022-11-17T16:54:51Z https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4723330#M578312 <P>&nbsp;</P> <P>&nbsp;- When trying to register, on both the 'client' node and the <STRONG>Primary Node</STRONG> issue :&nbsp;<SPAN><STRONG>show logging system ade/ADE.log&nbsp;</STRONG> , check if any additional info's can be found (<EM>use the command on<U> both nodes</U></EM>)</SPAN></P> <P><SPAN>&nbsp;M.</SPAN></P> Thu, 17 Nov 2022 17:15:00 GMT https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4723330#M578312 Mark Elsen 2022-11-17T17:15:00Z https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4723417#M578320 <P>Nothing there, nor anything relevant in system general log for either node 30 min prior or after attempted registration</P> Thu, 17 Nov 2022 19:49:29 GMT https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4723417#M578320 jdmaybe 2022-11-17T19:49:29Z https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4723423#M578322 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1433906">@jdmaybe</a>,</P> <P>You've double confirmed that your self-signed certificate indeed contains FQDN of ISE server? On both PAN and newly installed node? And you have both forward and reverse DNS records, for both servers?</P> <P>You are also using FQDN for registration, not IP address?</P> <P>Kind regards,</P> <P>Milos</P> Thu, 17 Nov 2022 20:06:02 GMT https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4723423#M578322 Milos_Jovanovic 2022-11-17T20:06:02Z https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4723433#M578325 <P>I always add the FQDN as a SAN DNS and the IP Address as a SAN IP, on top of having the FQDN as the common name. Some browsers require it in the SAN DNS field.&nbsp;&nbsp;</P><P>Also, can you verify it from a linux server?&nbsp; For example, on my linux server I use an openssl call to see the certificate chain, separate from my Windows machine:<BR /><BR />openssl s_client ise.yourdomain.com:443<BR /><BR />Then, I check the first few results:<BR /><BR />depth=2 CN =&nbsp;YOURROOT<BR />verify return:1<BR />depth=1 DC = com, DC = yourdomain, CN = YOURISSUER<BR />verify return:1<BR />depth=0 C = US, ST = NY, L = City, O = Your Company, Inc, OU = SOMEOU, CN = ise.yourdomain.com<BR />verify return:1<BR />CONNECTED(00000003)<BR />---<BR />Certificate chain<BR /><BR />0 s:C = US, ST = NY, L = City, O = Your Company, Inc, OU = SOMEOU, CN = ise.yourdomain.com<BR />i:DC = com, DC = yourdomain, CN = YOURISSUER<BR />1 s:DC = com, DC = yourdomain, CN = YOURISSUER<BR />i:CN = YOURROOT<BR />2 s:CN = YOURROOT<BR />i:CN = YOURROOT<BR /><BR />There is a lot more after that, but the first few lines show the installed chain, no worrying about IE, Edge, Mozilla or Chrome configs.&nbsp; If I find it looks good with the openssl check, then the rest is just some browser crap and the Admin GUI was correct.<BR /><BR />Regards,<BR />David</P> Thu, 17 Nov 2022 20:23:55 GMT https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4723433#M578325 davidgfriedman 2022-11-17T20:23:55Z https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4723442#M578327 <P>Thanks Milos, yes to both. Multiple folks have confirmed certs are good. Also have a third node in the deployment to match against that is working.&nbsp;</P> Thu, 17 Nov 2022 20:39:03 GMT https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4723442#M578327 jdmaybe 2022-11-17T20:39:03Z https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4723814#M578341 <P>&nbsp;</P> <P>&nbsp;- Make sure that the involved FQDN(s) also have correct PTR-records,&nbsp;</P> <P>&nbsp;M.</P> Fri, 18 Nov 2022 13:29:48 GMT https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4723814#M578341 Mark Elsen 2022-11-18T13:29:48Z https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4724100#M578363 <P>Turns out 1/3 DNS servers had a second, old POR for the node in question that was responding first, despite rx'ing the correct response from nslookup in the node. Had to go into the DNS server and delete the old POR. Cert error message resolved right after that.&nbsp;</P> Fri, 18 Nov 2022 18:59:50 GMT https://community.cisco.com/t5/network-access-control/ise-distributed-deployment-not-authenticating-with-primary-node/m-p/4724100#M578363 jdmaybe 2022-11-18T18:59:50Z