cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
917
Views
0
Helpful
5
Replies

ISE and Tenable Integration

I am having an issue with Cisco ISE and TenableSC integration. In Cisco documentation it reads that i need to upload the system and root certificates from TenableSC. By using:

sudo scp /opt/sc/support/conf/TenableCA.crt [username]@[your ip address]:TenableCA.crt

sudo scp /opt/sc/support/conf/SecurityCenter.crt [username]@[your ip address]:SecurityCenter.crt

My questions are: Do I have to upload any Cisco ISE certificates into Tenable? What happens is the TenableCA certificate is expired? Is there a way to regenerate it? Are both needed?

I am setting up the Tenable adapter in the TC-NAC section and am getting this error code:

"Error connecting to Tenable Security Center, Error establishing https connection: Received fatal alert: handshake_failure"

I am also getting an error when uploading the Root CA certificate from Tenable:

"This trust certificate does not contain basicConstraint extension set to CA."

Any help or guidance is greatly appreciated.

1 Accepted Solution

Accepted Solutions

For anyone looking this up in the future, I was able to solve this by changing the SCAN_DEFAULT_SCAN_TIMEOUT parameter value (under /opt/sc/src/) to 43200 on Tenable. 

This information is in the Admin guide but it was easily missed.

View solution in original post

5 Replies 5

Arne Bier
VIP
VIP

I have never setup such an integration, but in any case, ISE is correct: if a certificate claims to be the "Root CA" then it must have the basicConstraint extension set to CA. Perhaps the cert you're trying to import into ISE is not the Tenable Root CA, but rather, the Tenable system certificate (i.e. the cert with which tenable identifies itself). You must not install any non-CA certs into the ISE Trust Center - instead, you must find out which CA (or CA chain) is involved in creating/signing the Tenable System cert, and then install that in ISE.

As for the question of whether to install ISE cert in tenable, it depends what kind of a connection is used - who initiates the connection? Is it ISE or Tenable? In most web-based systems, it's always the client who needs to check whether it trusts the server (and not the other way around) - the trust can be computed by having the CA (chain) installed in your trust store of the server you're attempting to connect to.

antisocial11224
Spotlight
Spotlight

@eric-stewart-13-ctr wrote:

I am having an issue with Cisco ISE and TenableSC integration. In Cisco documentation it reads that i need to upload the system and root certificates from TenableSC. By using:

sudo scp /opt/sc/support/conf/TenableCA.crt [username]@[your ip address]:TenableCA.crt

sudo scp /opt/sc/support/conf/SecurityCenter.crt [username]@[your ip address]:SecurityCenter.crt

My questions are: Do I have to upload any Cisco ISE certificates into Tenable? What happens is the TenableCA certificate is expired? Is there a way to regenerate it? Are both needed?

I am setting up the Tenable adapter in the TC-NAC section and am getting this error code:

"Error connecting to Tenable Security Center, Error establishing https connection: Received fatal alert: handshake_failure"

I am also getting an error when uploading the Root CA certificate from Tenable:

"This trust certificate does not contain basicConstraint extension set to CA."

Any help or guidance is greatly appreciated.


To establish the connection, Cisco documentation advises uploading system and root certificates from TenableSC to Cisco ISE. However, there's no need to upload Cisco ISE certificates to TenableSC. If the TenableCA certificate expires, it must be regenerated within TenableSC. The error messages you're encountering likely stem from certificate configuration or compatibility issues between the systems.

Anyone else having issues with the Tenable adapter showing "Unknown/Unreachable"? The status did show "Disconnected/Active" at one point so im not sure how it took a step back. I can not find ANY documentation on troubleshooting this.

Anyone see this issue yet with a Tenable.SC and Cisco ISE integration. Tenble.SC version: 6.3. Cisco ISE 3.1 P8

2024-08-01 16:31:30.063
<adapter>
90d0b7e3-9884-483e-b35f-63506e513ecd
Tenable Security Center
VA Failure
ehuisepsn02
<MAC>
<IP>
Scan failed: Error in connecting to host: 403 Forbidden
2024-08-01 16:29:01.029
<adapter>
90d0b7e3-9884-483e-b35f-63506e513ecd
Tenable Security Center
VA request submitted to adapter
ehuisepsn02
<MAC>
<IP>
VA request submitted to adapter for processing

For anyone looking this up in the future, I was able to solve this by changing the SCAN_DEFAULT_SCAN_TIMEOUT parameter value (under /opt/sc/src/) to 43200 on Tenable. 

This information is in the Admin guide but it was easily missed.