09-02-2012 10:09 AM - edited 03-10-2019 07:29 PM
Hello,
I deployed an ISE primary node and am about to declare the secondary node and inline posture node to the primary. When doing so I get this message: "Unable to authenticate ISE secondary_ise_name. Please check server and CA certificate configuration and try again". I exported the local cert and CA from the primary and tried to import them to both. It does not work; here is the message: "Certificate does not have required key usage (it is a CA certificate and key usage bits for keyEncipherment or keyAgreement are missing)"
I need help.
Thanks in advance.
09-02-2012 10:47 AM
Do you have signed certificates installed on these devices, or are these self-signed? If you are trying to join an inline node, the inline node will need a cert that has the Key Usage for client authentication. Here is the documentation that may be useful to you.
http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp248769
Certificates must have extended key usage for both client authentication and server authentication. For an example of this type of extended key usage, see the Microsoft CA Computer template.
Thanks,
Tarik Admani
*Please rate helpful posts*
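An added example, not from the thread or from Cisco: a shell check that reads the text dump of a certificate and reports whether it carries the key usage named in the import error and the two extended key usages quoted from the release notes. The function names, the placeholder file name and both sample dumps are constructed for illustration; the usage names matched are the ones `openssl x509 -text` prints.

```shell
#!/bin/sh
# Real use (node.pem is a placeholder): openssl x509 -in node.pem -noout -text | check_ise_cert

# Print the value line that follows an X509v3 extension header in the dump.
ext_value() {  # $1 = dump text, $2 = extension header
    printf '%s\n' "$1" | awk -v h="$2" '
        found { sub(/^[ \t]+/, ""); print; exit }
        index($0, h) { found = 1 }'
}

# Read a certificate text dump on stdin, print findings, return 1 if a usage is missing.
check_ise_cert() {
    dump=$(cat)
    ku=$(ext_value "$dump" "X509v3 Key Usage:")
    eku=$(ext_value "$dump" "X509v3 Extended Key Usage:")
    rc=0
    # The import error names keyEncipherment / keyAgreement. An absent extension is
    # reported as well, because the usage cannot be confirmed (this example's choice).
    case "$ku" in
        *"Key Encipherment"*|*"Key Agreement"*) echo "OK: key usage: $ku" ;;
        *) echo "MISSING: Key Encipherment or Key Agreement (found: ${ku:-none})"; rc=1 ;;
    esac
    # The release notes ask for both server and client authentication in the EKU.
    for want in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        case "$eku" in
            *"$want"*) echo "OK: EKU has $want" ;;
            *) echo "MISSING: EKU $want"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample dumps: a CA-style certificate and a node-style certificate.
SAMPLE_CA='        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign'
SAMPLE_OK='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication'

for s in "$SAMPLE_CA" "$SAMPLE_OK"; do
    printf '%s\n' "$s" | check_ise_cert || echo "-> certificate lacks a required usage"
done
```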
09-05-2012 04:45 PM
Abdul,
Tarik's link is helpful. This will also explain your three options for establishing certificate trust between the ISE nodes, which MUST happen before you register another node to the primary node.
If you are using the default built-in self-signed certs, just export your cert from your ISE secondary and import it into your ISE primary. After that, try registering your secondary ISE again. You should find that you do not get this error.
Happened to me today and after I imported the secondary's cert into the primary, the issue resolved.
Justin