09-05-2012 09:45 AM - edited 03-10-2019 07:30 PM
ISE inline posture node register on a primary node error
Hi Tarik,
I generate new certificates after deletion of the former ones. I bind the CA certificate, but I still have the same message: "An error occurred while registering node ise-name-java.io.IOException:Server returned HTTP response code:401 for URL: https://ise-name/deployment-rpc/persona".
Can I have another way to fix this issue?
09-05-2012 10:04 AM
How are you trying to perform the registration? Are you sourcing the registration request from the primary ISE server? Do you have DNS enabled, and are you using the FQDN to join the inline node? Keep in mind that when registering a node you have to source the request from the primary node. If you are using the FQDN, please make sure that DNS is resolving the correct hostname.
Also can you post a screenshot of the certificates' detail page for the inline and the primary node?
thanks,
Tarik Admani
*Please rate helpful posts*
09-05-2012 02:53 PM
I generate the certificates by the same process for both the secondary node and the inline posture node.
The registration of the secondary node to the primary completes successfully.
09-05-2012 04:05 PM
You are correct; however, the inline posture node requires a different template. It requires the EKU to be set for client authentication and server authentication.
Here is some reference material regarding the certificate:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp248769
Basically you need to issue the inline node a computer certificate and not a web server certificate.
Thanks,
Tarik Admani
*Please rate helpful posts*
09-06-2012 04:07 AM
I'm seeing the same issue when trying to register an inline node. The Windows AD CA won't let me generate a Computer (Machine) certificate for the ipep node because, although it's correctly in DNS, it's not known to AD.
The node will register with the admin node, with the above error, but then can't be reached via the edit tab, then has to be de-registered to try again.
I've also tried generating a certificate using a domain controller authentication template, which provides EKU for client & server, and allows the subject name to be supplied in the request (necessary as the ipep is unknown to AD), but still see the same error as above.
I'm really stuck now.
09-06-2012 06:48 AM
Simon,
Do you have the error message? Have you tried cloning the computer certificate template and then seeing if that will allow you to sign the CSR from the inline node?
Thanks,
Tarik Admani
*Please rate helpful posts*
09-06-2012 07:07 AM
Here's the error message.
I also tried copying and editing the computer template, to allow me to tick the "subject name supplied in request" box, but the CA threw an error saying certificate type not supported. Is that what you meant by cloning/signing above?
09-06-2012 11:12 AM
That is the same message I got above.
09-06-2012 01:12 PM
I was referring to the error on the CA.
Tarik Admani
*Please rate helpful posts*
09-27-2012 09:05 AM
Hi Tarik,
My problem is still pending. What's the news?
09-27-2012 09:12 AM
Were you able to verify the EKU for the certs? Make sure they are set to client authentication and server authentication.
Tarik Admani
*Please rate helpful posts*
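An added example, not part of the thread or of any Cisco tooling: one way to confirm the EKU on a signed certificate before importing it on the inline node, by parsing the text that `openssl x509 -noout -text` prints. The function names and the two sample extension snippets are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a certificate's Extended Key Usage (EKU) lists both
# server and client authentication. Function names are hypothetical.

# eku_line: read `openssl x509 -noout -text` output on stdin and print the
# line following the first "X509v3 Extended Key Usage" header (nothing if absent).
eku_line() {
    awk '/X509v3 Extended Key Usage/ && !seen {
             seen = 1
             if ((getline line) > 0) { sub(/^[ \t]+/, "", line); print line }
         }'
}

# eku_verdict: print OK, NO_EKU, or MISSING:<list>; non-zero status unless OK.
eku_verdict() {
    _eku=$(eku_line)
    if [ -z "$_eku" ]; then echo "NO_EKU"; return 1; fi
    _missing=""
    case "$_eku" in
        *"TLS Web Server Authentication"*) ;;
        *) _missing="serverAuth" ;;
    esac
    case "$_eku" in
        *"TLS Web Client Authentication"*) ;;
        *) _missing="${_missing:+$_missing,}clientAuth" ;;
    esac
    if [ -n "$_missing" ]; then echo "MISSING:$_missing"; return 1; fi
    echo "OK"
}

# check_cert_eku: same check against a PEM certificate file (requires openssl).
check_cert_eku() {
    openssl x509 -in "$1" -noout -text | eku_verdict
}

# Constructed samples of the extension section as openssl prints it.
SAMPLE_WEB_SERVER='        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'
SAMPLE_BOTH='        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication'

# Demo on the constructed samples (no certificate file needed).
printf 'web-server template: '; printf '%s\n' "$SAMPLE_WEB_SERVER" | eku_verdict || true
printf 'client+server EKU:   '; printf '%s\n' "$SAMPLE_BOTH" | eku_verdict || true
```

For a real certificate, run `check_cert_eku` on the PEM file returned by the CA; a certificate issued from a web server template is expected to report `MISSING:clientAuth`.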
09-27-2012 07:42 PM
I still have the same problem. It seems to be around our CA and generating an appropriate certificate. I've been sent to Singapore to sort a more urgent problem, so haven't been able to get a screenshot of our CA error message. As soon as I can I'll do that and post. I also can't catch up with our Wintel CA expert to ask him to assist.
09-27-2012 07:51 PM
Hi,
My customer went through GeoTrust and everything went well.
Thanks