Re: IND/ISE pxGrid Integration

orp · ‎04-30-2018

Hi, I'm trying to enable pxGrid integration between IND (Industrial Network Director) and ISE.

I follow the exact instructions as given in:

https://www.cisco.com/c/dam/en/us/td/docs/switches/ind/install/IND_PxGrid_Registration_Guide_Final.pdf

and still when I try to load the server's certificate I get the following error:

"Failed to Register [INDServer] on pxGrid Server [medigate-ise.medigate.io] - Server certificate is not trusted".

Is there anything I should be specifically aware of? Thanks

hslai · ‎04-30-2018

Please clarify which step giving you that error.

In Step 1 of creating certificate for IND import, the document is not quite correct as the certificate should be issued to IND so that the subject alternative name should have the FQDN of IND and, as an alternative, the IP address of IND.

In Step 15 of selecting the certificate, the zip file downloaded from ISE should be extracted so that we import the .p12 file.

Also, please ensure ISE and IND able to resolve each other by their DNS names.

stenneti · ‎04-30-2018

Hi,

I have similar problem. The error is coming at Step 16. I have followed all the instructions. In Step1, I gave the FQDN of the IND certificate. My DNS server is resolving both IND and ISE hostnames correctly. I am attaching the error message.

Thanks,

Srinivas

hslai · ‎04-30-2018

Please check and ensure ISE pxGrid is using the one signed by its internal CA.

Craig Hyps · ‎04-30-2018

To add to Hsing's comments...

Initial cert created in ISE is for use by IND to register with ISE and be trusted.

The cert downloaded from IND and imported to ISE trust store allows trust for bulk download.

When setup initial cert for IND, I would recommend use the FQDN for both CN and SAN. Make sure the FQDN is resolvable to DNS in ISE as this will be used by ISE for communications to IND. When register to ISE from IND, the "Server" name value is the ISE pxGrid node. IND only supports a single pxGrid node today (no HA to another active pxGrid node). The "Node Name" field is the name of IND node and value seen in ISE pxGrid config as the pending or registered publisher. The cert and password correspond to the ISE-generated cert and used to unlock the public/private key pair to establish trust.

/Craig

stenneti · ‎05-01-2018

Thanks Hsing/Craig,

I have followed all the steps.

1) Ensure that pxGRID is using certificate issued by subCA.

2) DNS names are resolvable

3)Use the right FQDN.

Ater all the above, IDN is able to register to ISE. I went to ISE and approved the request. However, the IND(pxGRID) client is still in offline state.

Craig Hyps · ‎05-01-2018

I think it is ok that shows offline initially. Once you enable pxGrid Probe and have something to register to, then expect will show online.

stenneti · ‎05-01-2018

Hi,

I have deleted endpoints in IND and re-scanned it, the devices comeback to IND data base, but ISE still does not get them. Second, the webclients is showing empty.

hslai · ‎05-02-2018

This does not seem right, as the Web Clients should have show the entries from the ISE deployment itself, even when external clients not registered. If your setup still has this problem, please contact me directly.

orp · ‎05-01-2018

I managed to solve the issue by exporting the server certificate from the "System Certificates" tab. I then imported the resultant .pem file to IND and it just worked. I verified that the IND server is indeed registered to the pxGrid, though I've yet to actually see it update anything. I'd say that the certificate issue is done though.

Craig Hyps · ‎05-01-2018

When certificate originally generated from ISE under pxGrid Services > Certificates, in the field Certificate Download Format, you need to make sure select option "PKCS12 format (including certificate chain..." This certificate is then imported into IND. Therefore, should not have had to separately import certs as had the whole chain.

hslai · ‎05-02-2018

Adding to Craig's...

Please check profiler.log file and see whether it finds IND. For example,

ise-1/admin# show logging app profiler.log | inc INDSubscriber

2018-03-04 16:14:06,867 INFO [ProfilerPxgridConsumer-56-thread-1][] cisco.profiler.infrastructure.probemgr.INDSubscriber -::- Starting Poller to search for new publishers

2018-03-04 16:14:06,868 DEBUG [ProfilerINDSubscriberPoller-57-thread-1][] cisco.profiler.infrastructure.probemgr.INDSubscriber -::- Looking for new publishers ...

--

2018-03-04 16:14:07,091 DEBUG [ProfilerINDSubscriberPoller-57-thread-1][] cisco.profiler.infrastructure.probemgr.INDSubscriber -::- Existing services are: []

2018-03-04 16:14:07,091 INFO [ProfilerINDSubscriberPoller-57-thread-1][] cisco.profiler.infrastructure.probemgr.INDSubscriber -::- New services are: [Service [name=com.cisco.endpoint.asset, nodeName=pxgrid-ind, properties={wsPubsubService=com.cisco.ise.pubsub, restBaseUrl=https://ind:8910/pxgrid/ind/asset/, assetTopic=/topic/com.cisco.endpoint.asset}]]

2018-03-04 16:14:07,282 INFO [ProfilerINDSubscriberPoller-57-thread-1][] cisco.profiler.infrastructure.probemgr.INDSubscriber -::- NODENAME:pxgrid-ind

2018-03-04 16:14:07,286 INFO [ProfilerINDSubscriberPoller-57-thread-1][] cisco.profiler.infrastructure.probemgr.INDSubscriber -::- REQUEST BODY{"offset":"0","limit":"500"}

2018-03-04 16:14:12,384 INFO [ProfilerINDSubscriberPoller-57-thread-1][] cisco.profiler.infrastructure.probemgr.INDSubscriber -::- Response status={}200

2018-03-04 16:14:12,385 INFO [ProfilerINDSubscriberPoller-57-thread-1][] cisco.profiler.infrastructure.probemgr.INDSubscriber -::- Content: "OUT_OF_SYNC"

2018-03-04 16:14:12,385 INFO [ProfilerINDSubscriberPoller-57-thread-1][] cisco.profiler.infrastructure.probemgr.INDSubscriber -::- Status is :"OUT_OF_SYNC"

2018-03-04 16:14:12,385 DEBUG [ProfilerINDSubscriberPoller-57-thread-1][] cisco.profiler.infrastructure.probemgr.INDSubscriber -::- Static set after adding new services: [Service [name=com.cisco.endpoint.asset, nodeName=pxgrid-ind, properties={wsPubsubService=com.cisco.ise.pubsub, restBaseUrl=https://ind:8910/pxgrid/ind/asset/, assetTopic=/topic/com.cisco.endpoint.asset}]]

...

If that does not help, please consider engage Cisco TAC.