ISE inline posture node register on a primary node error

Hi Tarik,

I generated new certificates after deletion of the former ones. I bound the CA certificate, but I still have the same message: "An error occurred while registering node ise-name-java.io.IOException:Server returned HTTP response code:401 for URL: https://ise-name/deployment-rpc/persona".

Is there another way to fix this issue?


Tarik Admani
VIP Alumni

How are you trying to perform the registration? Are you sourcing the registration request from the primary ISE server? Do you have DNS enabled, and are you using the FQDN to join the inline node? Keep in mind that when registering a node you have to source the request from the primary node. If you are using the FQDN, please make sure that DNS is resolving the correct hostname.

Also can you post a screenshot of the certificates' detail page for the inline and the primary node?

thanks,

Tarik Admani
*Please rate helpful posts*

I generated the certificates by the same process for both the secondary node and the inline posture node.

The registration of the secondary node to the primary completes successfully.

You are correct; however, the inline posture node requires a different template. It requires the EKU to be set for client authentication and server authentication.

Here is some reference material regarding the certificate:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp248769

Basically you need to issue the inline node a computer certificate and not a web server certificate.

Thanks,

Tarik Admani
*Please rate helpful posts*

sdeeks
Level 1

I'm seeing the same issue when trying to register an inline node. The Windows AD CA won't let me generate a Computer (Machine) certificate for the ipep node because, although it's correctly in DNS, it's not known to AD.

The node will register with the admin node, with the above error, but then can't be reached via the edit tab, then has to be de-registered to try again.

I've also tried generating a certificate using a domain controller authentication template, which provides EKU for client & server, and allows the subject name to be supplied in the request (necessary as the ipep is unknown to AD), but still see the same error as above.

I'm really stuck now.

Simon,

Do you have the error message? Have you tried cloning the computer certificate template and then seeing if that will allow you to sign the CSR from the inline node?

Thanks,

Tarik Admani
*Please rate helpful posts*

Here's the error message.

I also tried copying and editing the computer template, to allow me to tick the "subject name supplied in request" box, but the CA threw an error saying certificate type not supported. Is that what you meant by cloning/signing above?

That is the same message I got above.

I was referring to the error on the CA.

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

My problem is still pending. Any news?

Were you able to verify the EKU for the certs? Make sure they are set to client authentication and server authentication.

Tarik Admani
*Please rate helpful posts*
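
The EKU check asked for above (both client authentication and server authentication present) can be run with OpenSSL against a certificate exported as PEM. This is an added example, not part of the original thread or of Cisco's tooling; the function names, file names and the constructed test certificates (CN `ipep.example.test`) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: verify that a PEM certificate carries both EKUs named in
# the thread (server authentication and client authentication).

# Print the value line of the Extended Key Usage extension (empty if absent).
eku_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Return 0 only if both usages are present; otherwise report what is missing.
check_eku() {
    eku=$(eku_of "$1")
    missing=""
    case "$eku" in *"TLS Web Server Authentication"*) ;; *) missing="$missing serverAuth" ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) ;; *) missing="$missing clientAuth" ;; esac
    if [ -n "$missing" ]; then
        echo "$1: missing EKU:$missing"
        return 1
    fi
    echo "$1: EKU OK ($eku)"
}

# Build a throwaway self-signed certificate with a chosen EKU list.
# Constructed test input only: $1 = output PEM, $2 = EKU list (openssl.cnf syntax).
make_test_cert() {
    cfg=$(mktemp)
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = ext' '[dn]' 'CN = ipep.example.test' \
        '[ext]' "extendedKeyUsage = $2" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$cfg.key" -out "$1" 2>/dev/null
    rm -f "$cfg" "$cfg.key"
}

# Demo: a web-server style certificate fails the check, one with both EKUs passes.
tmp=$(mktemp -d)
make_test_cert "$tmp/webserver.pem" "serverAuth"
make_test_cert "$tmp/both.pem" "serverAuth,clientAuth"
check_eku "$tmp/webserver.pem" || true
check_eku "$tmp/both.pem" || true
rm -rf "$tmp"
```

To check a real node certificate, export it as PEM and run `check_eku` on that file.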

sdeeks
Level 1

I still have the same problem. It seems to be around our CA and generating an appropriate certificate. I've been sent to Singapore to sort a more urgent problem, so haven't been able to get a screenshot of our CA error message. As soon as I can I'll do that and post. I also can't catch up with our Wintel CA expert to ask him to assist.

Tarik Admani
VIP Alumni

Hi,

My customer went through GeoTrust and everything went well.

Thanks
