topic Re: ISE and Tenable Integration in Network Access Control

ISE and Tenable Integration

eric-stewart-13-ctr — Wed, 08 May 2024 14:06:30 GMT

I am having an issue with Cisco ISE and TenableSC integration. In Cisco documentation it reads that i need to upload the system and root certificates from TenableSC. By using:

sudo scp /opt/sc/support/conf/TenableCA.crt [username]@[your ip address]:TenableCA.crt

sudo scp /opt/sc/support/conf/SecurityCenter.crt [username]@[your ip address]:SecurityCenter.crt

My questions are: Do I have to upload any Cisco ISE certificates into Tenable? What happens is the TenableCA certificate is expired? Is there a way to regenerate it? Are both needed?

I am setting up the Tenable adapter in the TC-NAC section and am getting this error code:

"Error connecting to Tenable Security Center, Error establishing https connection: Received fatal alert: handshake_failure"

I am also getting an error when uploading the Root CA certificate from Tenable:

"This trust certificate does not contain basicConstraint extension set to CA."

Any help or guidance is greatly appreciated.

Re: ISE and Tenable Integration

Arne Bier — Thu, 09 May 2024 05:44:13 GMT

I have never setup such an integration, but in any case, ISE is correct: if a certificate claims to be the "Root CA" then it must have the basicConstraint extension set to CA. Perhaps the cert you're trying to import into ISE is not the Tenable Root CA, but rather, the Tenable system certificate (i.e. the cert with which tenable identifies itself). You must not install any non-CA certs into the ISE Trust Center - instead, you must find out which CA (or CA chain) is involved in creating/signing the Tenable System cert, and then install that in ISE.

As for the question of whether to install ISE cert in tenable, it depends what kind of a connection is used - who initiates the connection? Is it ISE or Tenable? In most web-based systems, it's always the client who needs to check whether it trusts the server (and not the other way around) - the trust can be computed by having the CA (chain) installed in your trust store of the server you're attempting to connect to.

Re: ISE and Tenable Integration

eric-stewart-13-ctr — Mon, 10 Jun 2024 17:10:06 GMT

Anyone else having issues with the Tenable adapter showing "Unknown/Unreachable"? The status did show "Disconnected/Active" at one point so im not sure how it took a step back. I can not find ANY documentation on troubleshooting this.

Re: ISE and Tenable Integration

eric-stewart-13-ctr — Thu, 01 Aug 2024 16:39:23 GMT

Anyone see this issue yet with a Tenable.SC and Cisco ISE integration. Tenble.SC version: 6.3. Cisco ISE 3.1 P8

2024-08-01 16:31:30.063
<adapter>
90d0b7e3-9884-483e-b35f-63506e513ecd
Tenable Security Center
VA Failure
ehuisepsn02
<MAC>
<IP>
Scan failed: Error in connecting to host: 403 Forbidden
2024-08-01 16:29:01.029
<adapter>
90d0b7e3-9884-483e-b35f-63506e513ecd
Tenable Security Center
VA request submitted to adapter
ehuisepsn02
<MAC>
<IP>
VA request submitted to adapter for processing

Re: ISE and Tenable Integration

eric-stewart-13-ctr — Tue, 20 Aug 2024 16:35:00 GMT

For anyone looking this up in the future, I was able to solve this by changing the SCAN_DEFAULT_SCAN_TIMEOUT parameter value (under /opt/sc/src/) to 43200 on Tenable.

This information is in the Admin guide but it was easily missed.