topic Re: ISE Nodes Sync & Anyconnect Authentication Issue in Network Access Control

ISE Nodes Sync & Anyconnect Authentication Issue

Dkiptoo — Fri, 10 Jan 2025 06:41:05 GMT

Hello, am still new to the ISE AAA. I have 2 Ise nodes which are deployed in HA. Recently I had an issue with expired certs. Some self signed and others CA-signed by a local CA. EAP, Portal and Admin uses one Cert issued by CA. While renewing the EAP, Portal and Admin cert, I included ISE Messaging Cert on the PAN and later realized that It is stand alone self signed Cert on the Secondary meaning there is an inconsistency, which I believe is the reason the two nodes are not in sync as shown on the image below. I reverted it back to EAP, Portal and Admin, and imported the self signed ISE Messaging Cert from the Secondary Node to PAN hoping they will now sync but since they are still node in sync. What could be the other reason? What steps should I take to ensure they are in Sync.

Secondly, still on the issues with expired certs, DTLS cert is expired and also had issues with Anyconnect remote access. ISE is integrated to authenticate remote user via AD. Currently am able to input credentials by MFA is not able to reach my device as it times out, which I believe could be related to the DTLS cert which enables ISE communication with NAD (FMC/FTD). I renewed the cert but still the problem persist. Any input towards troubleshooting is greatly appreciated.

Re: ISE Nodes Sync & Anyconnect Authentication Issue

Rob Ingram — Fri, 10 Jan 2025 08:25:33 GMT

@Dkiptoo ISE uses the admin certificate for secure communication, so both ISE nodes must trust each others admin certificate. Do both ISE nodes have an admin certificate issued by the same CA? I assume the ISE services were restarted on both nodes?. If the secondary node is still out of sync, click the "Syncup" button and wait a while.

ISE and FMC won't be using DTLS to communicate, that is used for RADSec on the switches. Please provide more information in regard to this issue.

Re: ISE Nodes Sync & Anyconnect Authentication Issue

Dkiptoo — Mon, 13 Jan 2025 06:17:04 GMT

Hi Rob, actually I have been facing a problem renewing the EAP, Portal and Admin for Node2, I did very well with node one but when trying to generate CSR for node 2, i get the error attached

For VPN, am facing connectivity problem. Authentication is integrated with DUO MFA. I am able to enter credentials at the AnyConnect client but am not able to get DUO push on the phone. The sessions times out. It was working well before.

Re: ISE Nodes Sync & Anyconnect Authentication Issue

Marcelo Morais — Thu, 16 Jan 2025 03:46:32 GMT

Hi @Dkiptoo ,

1st, at Administration > System > Deployment > put your mouse on the Node Status icon to check the error:

2nd, at Administration > System > Certificate Management > System Certificates, compare your Nodes Certificate, looking for any missing Certificate (for example).

Hope this helps !!!