01-22-2024 12:43 PM
Recently applied certs to two different ISE deployments. One is showing the admin portal as secure, the other deployment is showing as invalid. Two different certs for two different nodes from the same CA, but only one is working correctly. Both devices have the entire cert chain imported in their trusted certs and successfully bound the certs to their respective CSR. Where can I start troubleshooting why one is working and the other isn't?
01-22-2024 12:45 PM
Both standalone? Or distributed and one is PAN and other is PSN?
MHM
01-22-2024 12:54 PM
Both are standalone at different sites.
01-22-2024 01:50 PM
Hi Jeremy, did you check if the node that is not showing the correct cert has actually the right cert tied to its admin portal? I would check this from both ISE and the client. If you see the right cert presented from your browser, I would try to download it to the client and see if the chain shows correctly. Also, I would check the CN and the SAN values on that cert, there might be a typo or a missing value that is causing your browser not to trust that cert.
01-22-2024 02:21 PM
Can it be a bug?
Same ISE patch and same CA, I think it is a bug.
MHM
01-22-2024 02:45 PM
Could be, but it could also be that something happened when the CSR was created, or maybe the cert wasn't tied to the admin portal on that node.
01-23-2024 06:04 AM
I pulled the cert and it's showing the correct subject. The only difference between the non-working and working one is that the SAN on the non-working one has just the DNS and the working one has the IP and DNS. Both are running 3.1 and patch 8. I'm going to assume that the issue is the missing IP address.
01-23-2024 06:08 AM
Check it and update us.
Thanks a lot
MHM
01-23-2024 06:31 AM
If you try to connect to the node using the IP address in the browser, then yes, you need to have the IP added to the SAN values, however, if you are using the FQDN that is matching the one you have on the cert it should work without having to add the IP. I would still double check and make sure that that cert is associated to the admin portal in ISE.
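
An added example, not part of the original thread: the name check described in the reply above, applied to SAN lines in the form `openssl x509 -noout -text` prints them. The hostnames, addresses and function names are constructed for illustration, and the wildcard handling goes slightly beyond the case discussed.

```python
import ipaddress

# Constructed SAN lines (documentation-range names and addresses).
SAN_DNS_ONLY = "DNS:ise-b.example.test"
SAN_DNS_AND_IP = "DNS:ise-a.example.test, IP Address:192.0.2.10"

def parse_san(san_text):
    """Split an openssl-style SAN line into DNS names and IP addresses."""
    dns, ips = [], []
    for item in san_text.split(","):
        kind, _, value = item.strip().partition(":")
        if kind == "DNS":
            dns.append(value.strip().lower().rstrip("."))
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value.strip()))
    return dns, ips

def _dns_match(pattern, host):
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    # A wildcard is honoured only as the complete left-most label.
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def host_matches_san(host, san_text):
    """True if the host typed in the URL is covered by the certificate SAN."""
    dns, ips = parse_san(san_text)
    host = host.strip("[]")  # tolerate a bracketed IPv6 literal
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal is compared only with iPAddress entries,
        # never with DNS entries.
        return addr in ips
    return any(_dns_match(d, host.lower().rstrip(".")) for d in dns)

if __name__ == "__main__":
    for url_host in ("ise-b.example.test", "192.0.2.11"):
        print(url_host, host_matches_san(url_host, SAN_DNS_ONLY))
```
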
01-23-2024 06:39 AM
Indeed, as @Aref Alsouqi mentioned, if this cert is for Portal or EAP then I think you need SAN,
but for CA cert!!
Anyway, check it and update us.
Thanks again
MHM