Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
755
Views
0
Helpful
5
Replies

ISE and Tenable Integration

Go to solution
eric-stewart-13-ctr
Level 1
Level 1

‎05-08-2024 07:06 AM

I am having an issue with Cisco ISE and TenableSC integration. In Cisco documentation it reads that i need to upload the system and root certificates from TenableSC. By using:

sudo scp /opt/sc/support/conf/TenableCA.crt [username]@[your ip address]:TenableCA.crt

sudo scp /opt/sc/support/conf/SecurityCenter.crt [username]@[your ip address]:SecurityCenter.crt

My questions are: Do I have to upload any Cisco ISE certificates into Tenable? What happens is the TenableCA certificate is expired? Is there a way to regenerate it? Are both needed?

I am setting up the Tenable adapter in the TC-NAC section and am getting this error code:

"Error connecting to Tenable Security Center, Error establishing https connection: Received fatal alert: handshake_failure"

I am also getting an error when uploading the Root CA certificate from Tenable:

"This trust certificate does not contain basicConstraint extension set to CA."

Any help or guidance is greatly appreciated.

Preview file
22 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
eric-stewart-13-ctr
Level 1
Level 1
In response to eric-stewart-13-ctr

‎08-20-2024 09:35 AM

For anyone looking this up in the future, I was able to solve this by changing the SCAN_DEFAULT_SCAN_TIMEOUT parameter value (under /opt/sc/src/) to 43200 on Tenable. 

This information is in the Admin guide but it was easily missed.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Arne Bier
VIP
VIP

‎05-08-2024 10:44 PM

I have never setup such an integration, but in any case, ISE is correct: if a certificate claims to be the "Root CA" then it must have the basicConstraint extension set to CA. Perhaps the cert you're trying to import into ISE is not the Tenable Root CA, but rather, the Tenable system certificate (i.e. the cert with which tenable identifies itself). You must not install any non-CA certs into the ISE Trust Center - instead, you must find out which CA (or CA chain) is involved in creating/signing the Tenable System cert, and then install that in ISE.

As for the question of whether to install ISE cert in tenable, it depends what kind of a connection is used - who initiates the connection? Is it ISE or Tenable? In most web-based systems, it's always the client who needs to check whether it trusts the server (and not the other way around) - the trust can be computed by having the CA (chain) installed in your trust store of the server you're attempting to connect to.

0 Helpful

Go to solution
antisocial11224
Spotlight
Spotlight

‎05-11-2024 02:43 AM

@eric-stewart-13-ctr wrote:

I am having an issue with Cisco ISE and TenableSC integration. In Cisco documentation it reads that i need to upload the system and root certificates from TenableSC. By using:

sudo scp /opt/sc/support/conf/TenableCA.crt [username]@[your ip address]:TenableCA.crt

sudo scp /opt/sc/support/conf/SecurityCenter.crt [username]@[your ip address]:SecurityCenter.crt

My questions are: Do I have to upload any Cisco ISE certificates into Tenable? What happens is the TenableCA certificate is expired? Is there a way to regenerate it? Are both needed?

I am setting up the Tenable adapter in the TC-NAC section and am getting this error code:

"Error connecting to Tenable Security Center, Error establishing https connection: Received fatal alert: handshake_failure"

I am also getting an error when uploading the Root CA certificate from Tenable:

"This trust certificate does not contain basicConstraint extension set to CA."

Any help or guidance is greatly appreciated.

To establish the connection, Cisco documentation advises uploading system and root certificates from TenableSC to Cisco ISE. However, there's no need to upload Cisco ISE certificates to TenableSC. If the TenableCA certificate expires, it must be regenerated within TenableSC. The error messages you're encountering likely stem from certificate configuration or compatibility issues between the systems.

0 Helpful

Go to solution
eric-stewart-13-ctr
Level 1
Level 1

‎06-10-2024 10:10 AM

Anyone else having issues with the Tenable adapter showing "Unknown/Unreachable"? The status did show "Disconnected/Active" at one point so im not sure how it took a step back. I can not find ANY documentation on troubleshooting this.

0 Helpful

Go to solution
eric-stewart-13-ctr
Level 1
Level 1

‎08-01-2024 09:39 AM

Anyone see this issue yet with a Tenable.SC and Cisco ISE integration. Tenble.SC version: 6.3. Cisco ISE 3.1 P8

2024-08-01 16:31:30.063
<adapter>
90d0b7e3-9884-483e-b35f-63506e513ecd
Tenable Security Center
VA Failure
ehuisepsn02
<MAC>
<IP>
Scan failed: Error in connecting to host: 403 Forbidden
2024-08-01 16:29:01.029
<adapter>
90d0b7e3-9884-483e-b35f-63506e513ecd
Tenable Security Center
VA request submitted to adapter
ehuisepsn02
<MAC>
<IP>
VA request submitted to adapter for processing

0 Helpful

Go to solution
eric-stewart-13-ctr
Level 1
Level 1
In response to eric-stewart-13-ctr

‎08-20-2024 09:35 AM

For anyone looking this up in the future, I was able to solve this by changing the SCAN_DEFAULT_SCAN_TIMEOUT parameter value (under /opt/sc/src/) to 43200 on Tenable. 

This information is in the Admin guide but it was easily missed.

0 Helpful
Customers Also Viewed These Support Documents