01-20-2019 01:01 PM - edited 01-20-2019 01:12 PM
I'm finding it hard to understand the correct process of backup and restore for ISE with regards to BYOD and certificates.
I have a two node deployment with Primary PAN and Secondary PAN. BYOD is working and we have 300 registered devices with issued device certificates. The ISE is using the internal BYOD certificate authority server. The ISE admin/eap certificate is self-signed on each node and the BYOD portal certificate is a public certificate on each node.
I have backed up the config from Primary PAN. I have also manually exported with keys all the system certificates from each node. Now according to the documentation it states I should use the "application configure ise" command and export the internal CA store to a repository - which I have done.
However what i'm confused about is what the next steps are. Some documentation states I should use the "application configure ise" to import the CA store into the Secondary PAN in order for it to issue and manage certificates for endpoints when the PAN is down and you promote the Secondary Administration Node to be the PAN "After you register the Secondary Administration Node, you must export the CA certificates and keys from the PAN and import them in to the Secondary Administration Node." admin guide
Other documentation says you only import after a disaster recovery. Some documentation states you should regenerate Root CA after rebuild but wouldn't that affect the 300 clients forcing a re-enrolment?
Has anyone every restored from PAN failure when using BYOD and if so what is the correct process?
01-20-2019 10:51 PM
admin Guide says-
You must export the CA certificates and keys from the PAN to import them on the Secondary Administration Node. This option enables the Secondary Administration Node to issue and manage certificates for endpoints when the PAN is down and you promote the Secondary Administration Node to be the PAN.
This is needed only in case you have to promote your secondary node to Primary in case there is failure with Primary PAN.
Configuration backup does not backup certificates and hence, manually using application configure ISE options to export and import has to be used.
more details can be found here- https://community.cisco.com/t5/security-documents/upgrading-to-identity-services-engine-2-1-in-a-distributed/ta-p/3655783#toc-hId-59122548
Thanks,
Nidhi
01-20-2019 11:38 PM
Hi, yes that's what the guide says. However if I run the command on the secondary PAN it says "certificates being imported do not match this devices hostname". So I cancelled it. Is this a standard warning and should I ignore it?
12-04-2019 06:49 AM
I have a problem importing the CA certificates on the Secondary PAN. It is just a simple two nodes deployment with default configuration.
Export CA certificates on PAN (P) works fine. But import the same CA certificates on the PAN(S) gives the following error message:
Certificates are not compliant. Try to export certificates and import again.
Operation aborted. CA keys file is not acceptable
Any ideas?
Thanks
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide