Hi Mohamed,

thanks for your quick reply. My Internal CA setting look a bit different. But you have a different setup, you have Policy Service Persona enabled as well on the PAN.

But I think I should have the Certificate Authority Service enabled at at least on PAN, I remember the EST service was running as well on the PAN.

Very strange, 

here a screenshot of my PAN cli.

pan2/admin# show application status ise

ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 4841
Database Server running 68 PROCESSES
Application Server running 9740
Profiler Database running 6220
ISE Indexing Engine running 11000
AD Connector running 12447
M&T Session Database running 4309
M&T Log Collector running 9864
M&T Log Processor running 14047
Certificate Authority Service disabled
EST Service disabled

Hi Alex

I do understand that I have different setup with different ISE version (1.4 vs 2.2) but the basic ISE design remains the same.

Basically you would need this Certificate Authority Service for some ISE services like:

Bring Your Own Device (BYOD) / Network Service Protocol (NSP)
- Redirection
- Provisioning
- SCEP 

and those are handled by the ISE nodes with the PSN personas, So practically I don't think you need this services enabled for the Primary (Admin + Mnt) or the Secondary (Admin + Mnt)

In m case I need this services running on the PAN as it is also a PSN node servicing Clients.

Edit: the PAN is acting as the Root CA. So The PAN has a Root CA certificate and a Node CA certificate that is signed by the Root CA. and Any Policy Service Node (PSN) that you register with the PAN is provisioned an Endpoint CA and an OCSP certificate signed by the Node CA of the PAN.

The Policy Service Nodes (PSNs) are subordinate CAs to the PAN. When you use the ISE CA, the Endpoint CA on the PSN issues the certificates to the endpoints that access your network.

So I think yes the Certificate Authority Service  need to be enabled on the PAN and secondary PAN as well, for BOYD fow to function properly, In ISE 1.4 these Certificates hierarchy is inside Trusted Certificates.

In Cisco Identity Services Engine Administrator Guide, Release 2.2 it says "When you upgrade from earlier releases to Release 2.0 or later, we recommend that you regenerate the ISE CA chain to move from the two root hierarchy to a single root hierarchy."

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0110.html

To be fair, This is interesting thing to know, if this would work if this service is disabled for the PAN so you can tested (if applicable) before turning it on for the PAN and if the BOYD flow is broken then yes it is needed and maybe the upgrade broke something.

Hello Mohamed,

I opened a TAC case for this issue. My problem was, i didn't use unique firendly names for my certs. So there was a conflict, which disabled the Certifaction Authority Service on my PAN nodes. 

Also for a one with a case "Certificate Authority Service disabled on a PAN" it's worth to mention that for the Certificate Authority Service to be enabled on the PAN in the ISE 2.2, PAN for some reason must be enabled with a Policy Services role, otherwise Certificate Authority Service will stay disabled.

Reason for that is both unobvious and undocumented, but it's a fact.