Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
752
Views
0
Helpful
6
Replies

ISE 2.4 re-added to cluster help

MonkeyBear007
Level 1
Level 1

‎12-11-2024 08:15 AM - edited ‎12-11-2024 08:16 AM

We have ISE 2.4 

ISE 1-01 one blade server ( admin / monitoring )
ISE 1-02 one blade server ( policy )

ISE 2-01 one blade server ( admin / monitoring )
ISE 2-02 one blade server ( policy )

ISE 2 was decommission and trying to put it back to cluster so we can do PAN failover
yes i know version 2.4 is old but what i have to work with until we upgrade
ISE 1 has the update certs so vaild
ISE 2 certs expired and invaild

ISE 2 was re-sync to AD and Should I try to resync the ISE 1 and ISE 2 before trying to update the expired certs on ISE 2

 

0 Helpful
6 Replies 6

Aref Alsouqi
VIP
VIP

‎12-11-2024 08:38 AM

Synchronization will automatically happens between ISE 1 and 2. The certificate that was used before should work on ISE 2 as long as it has the same hostname and IP address if the IP is included into the cert SANs.

0 Helpful

MonkeyBear007
Level 1
Level 1
In response to Aref Alsouqi

‎12-11-2024 08:43 AM

ISE 1 doesn't have the SAN certs of ISE 2.
when certs were renewal for ISE 1 it only SANs include only ISE 1 and not ISE 2
ISE 2 was in storage for 2 years 

0 Helpful

Aref Alsouqi
VIP
VIP
In response to MonkeyBear007

‎12-11-2024 09:11 AM

I see. In this case you just need to go to ISE 2 and generate the new CSR and then issue the certificate from your PKI. This process can be after you added ISE 2 to the deployment. However, in that case when you try to add ISE 2 to the deployment you will get a pop up warning about ISE 2 selfsigned certificate. Once you approve it the addition to the deployment will go ahead. If you want to avoid this warning message then you can import the new cert in ISE 2 and then add it to the deployment. The cert needs to be associated to the admin usage in ISE 2.

0 Helpful

MonkeyBear007
Level 1
Level 1
In response to Aref Alsouqi

‎12-11-2024 09:35 AM

I don't see option to when I login into ISE 2 web gui and CSR need to be done on ISE 1?

0 Helpful

Aref Alsouqi
VIP
VIP
In response to MonkeyBear007

‎12-12-2024 01:31 AM

Probably you already added ISE 2 to the deployment? in that case yes the CSR would need to be generated in ISE 1. I don't believe you can leave the CN blank. Do you get any error when you try to generate the CSR? if so, could you please share the screenshot?

0 Helpful

MonkeyBear007
Level 1
Level 1
In response to Aref Alsouqi

‎12-11-2024 11:56 AM

I have the CN conflict and it's the same name and changing OU or U doesn't do anything.
Can i leave CN blank and ise SAN and list everything?

0 Helpful
Customers Also Viewed These Support Documents