7003 Views | 10 Helpful | 5 Replies

ISE 2.2 Certificate Authority Service disabled on both PAN after upgrade

alex.dersch
Level 4

Hello, 

after upgrading ISE 2.1 to 2.2 I have noticed that on both PAN nodes the Certificate Authority Service is disabled. I'm not sure, but I believe it was running on one node prior to the upgrade.

Does anybody know if this is expected, or should the CA be enabled on at least one of the PANs?

The initial setup was: we have an internal CA, the PAN was an Intermediate CA, and our two PSNs were Intermediate CAs of the PAN node.

In the Certificate Authority Certificates section I see on my PAN 1

Certificate Services Intermediate CA - pan1 (signed by our Root)

Certificate Services Node CA - pan1 (signed by Certificate Services Intermediate CA - pan1)

Certificate Services Endpoint Sub CA - pan1 (signed by Certificate Services Node CA - pan1)

In PAN 2 I see

Certificate Services Node CA - pan2 (signed by Certificate Services Intermediate CA - pan1)

Certificate Services Endpoint Sub CA - pan2 (signed by Certificate Services Node CA - pan2)

In PSN 1 I see

Certificate Services Endpoint Sub CA - psn1 (signed by Certificate Services Node CA - pan1)

In PSN 2 I see

Certificate Services Endpoint Sub CA - psn2 (signed by Certificate Services Node CA - pan2)

I think on my PAN 2 there is a certificate missing signed by our Root CA.

Thanks in advance

Alex

5 Replies

Hi Alex

I'm not sure about changes in ISE 2.2, but in ISE 1.4 you can check under the Certificate Authority section to see if the CA & OCSP Responder are enabled or not for these ISE nodes.

I faced this before on one PSN node that was not running the Certificate Authority Service. I checked the PSN and it didn't have the certificate installed, and once that was done the service started just fine.

Hi Mohamed,

thanks for your quick reply. My Internal CA settings look a bit different. But you have a different setup; you have the Policy Service persona enabled as well on the PAN.

But I think I should have the Certificate Authority Service enabled on at least one PAN; I remember the EST service was running as well on the PAN.

Very strange. Here is a screenshot of my PAN CLI.

pan2/admin# show application status ise

ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 4841
Database Server running 68 PROCESSES
Application Server running 9740
Profiler Database running 6220
ISE Indexing Engine running 11000
AD Connector running 12447
M&T Session Database running 4309
M&T Log Collector running 9864
M&T Log Processor running 14047
Certificate Authority Service disabled
EST Service disabled

Hi Alex

I do understand that I have different setup with different ISE version (1.4 vs 2.2) but the basic ISE design remains the same.

Basically you would need this Certificate Authority Service for some ISE services like:

Bring Your Own Device (BYOD) / Network Service Protocol (NSP)
- Redirection
- Provisioning
- SCEP 

and those are handled by the ISE nodes with the PSN persona, so practically I don't think you need these services enabled for the Primary (Admin + MnT) or the Secondary (Admin + MnT).

In my case I need these services running on the PAN as it is also a PSN node servicing clients.

Edit: the PAN is acting as the Root CA. So the PAN has a Root CA certificate and a Node CA certificate that is signed by the Root CA, and any Policy Service Node (PSN) that you register with the PAN is provisioned an Endpoint CA and an OCSP certificate signed by the Node CA of the PAN.

The Policy Service Nodes (PSNs) are subordinate CAs to the PAN. When you use the ISE CA, the Endpoint CA on the PSN issues the certificates to the endpoints that access your network.

So I think yes, the Certificate Authority Service needs to be enabled on the PAN and the secondary PAN as well for the BYOD flow to function properly. In ISE 1.4 this certificate hierarchy is inside Trusted Certificates.

In Cisco Identity Services Engine Administrator Guide, Release 2.2 it says "When you upgrade from earlier releases to Release 2.0 or later, we recommend that you regenerate the ISE CA chain to move from the two root hierarchy to a single root hierarchy."

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0110.html

To be fair, this is an interesting thing to know: whether this would work if this service is disabled for the PAN, so you can test (if applicable) before turning it on for the PAN, and if the BYOD flow is broken then yes it is needed and maybe the upgrade broke something.

Hello Mohamed,

I opened a TAC case for this issue. My problem was, I didn't use unique friendly names for my certs. So there was a conflict, which disabled the Certificate Authority Service on my PAN nodes.

Also for anyone with a case "Certificate Authority Service disabled on a PAN", it's worth mentioning that for the Certificate Authority Service to be enabled on the PAN in ISE 2.2, the PAN for some reason must be enabled with the Policy Service role, otherwise the Certificate Authority Service will stay disabled.

Reason for that is both unobvious and undocumented, but it's a fact.
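As an added example (not from the thread and not Cisco's code), a small Python checker for the two things this thread turns on: it parses `show application status ise` output for disabled services, walks the ISE CA friendly-name hierarchy described above to confirm each node's Endpoint Sub CA chains back to the root, and flags non-unique friendly names, the conflict Alex's TAC case identified. The certificate listing and status excerpt are constructed from the posts, and `Internal Root CA` is an assumed name for Alex's root.

```python
import re
from collections import Counter

# Constructed listing modelled on the thread's posts: (node, friendly name, issuer).
# Not captured from a real ISE deployment; the root name is assumed.
ROOT = "Internal Root CA"
CA_CERTS = [
    ("pan1", "Certificate Services Intermediate CA - pan1", ROOT),
    ("pan1", "Certificate Services Node CA - pan1", "Certificate Services Intermediate CA - pan1"),
    ("pan1", "Certificate Services Endpoint Sub CA - pan1", "Certificate Services Node CA - pan1"),
    ("pan2", "Certificate Services Node CA - pan2", "Certificate Services Intermediate CA - pan1"),
    ("pan2", "Certificate Services Endpoint Sub CA - pan2", "Certificate Services Node CA - pan2"),
    ("psn1", "Certificate Services Endpoint Sub CA - psn1", "Certificate Services Node CA - pan1"),
    ("psn2", "Certificate Services Endpoint Sub CA - psn2", "Certificate Services Node CA - pan2"),
]

# Constructed excerpt in the shape of 'show application status ise' output.
STATUS_OUTPUT = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Application Server                     running          9740
Certificate Authority Service          disabled
EST Service                            disabled
"""

# Process name, then the STATE column; the PID column (if any) is ignored.
STATE_RE = re.compile(r"^(?P<name>.+?)\s+(?P<state>running|not running|disabled|initializing)\b")


def disabled_services(output: str) -> list[str]:
    """Return the names of every ISE process whose STATE column reads 'disabled'."""
    found = []
    for line in output.splitlines():
        m = STATE_RE.match(line.strip())
        if m and m.group("state") == "disabled":
            found.append(m.group("name").strip())
    return found


def chain_to_root(friendly_name: str, certs, root: str = ROOT):
    """Walk issuer links from friendly_name up to root; None if a link is missing or loops."""
    issuer_of = {name: issuer for _, name, issuer in certs}
    chain, seen = [friendly_name], {friendly_name}
    while chain[-1] != root:
        nxt = issuer_of.get(chain[-1])
        if nxt is None or nxt in seen:
            return None
        chain.append(nxt)
        seen.add(nxt)
    return chain


def duplicate_friendly_names(certs) -> list[str]:
    """Friendly names used more than once across the deployment (the TAC finding above)."""
    counts = Counter(name for _, name, _ in certs)
    return sorted(n for n, c in counts.items() if c > 1)
```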