Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1679
Views
0
Helpful
9
Replies

ISE Distributed Deployment Not Authenticating with Primary Node

Go to solution
jdmaybe
Level 1
Level 1

‎11-16-2022 09:31 AM

After a storage failure, had to recreate a new ISE instance. Upon rebuilding and relicensing, attempting to re-register the node into the distributed deployment (after confirming most up to date version and patch across sites), getting the following error,

 

"Unable to authenticate ISE (FQDN) Please check certificate configuration. 

Make sure from 'Primary Admin Node' system certificate chain of registering node is present in 'Trusted certificates' and 'Trust for authentication with ISE' Option selected."

After doing both of those things, (using self-signed) and manually importing the appropriate certificates to each node, still receiving the same error. 

 

Thanks in advance

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jdmaybe
Level 1
Level 1

‎11-18-2022 10:59 AM

Turns out 1/3 DNS servers had a second, old POR for the node in question that was responding first, despite rx'ing the correct response from nslookup in the node. Had to go into the DNS server and delete the old POR. Cert error message resolved right after that. 

View solution in original post

0 Helpful
9 Replies 9

Go to solution
marce1000
VIP
VIP

‎11-17-2022 05:33 AM

 

 - FYI : https://community.cisco.com/t5/network-access-control/ise-unable-to-register-a-node/td-p/2673444

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
jdmaybe
Level 1
Level 1

‎11-17-2022 08:54 AM

DNS resolves both ways and both nodes have the corresponding cert from the other as well. 

0 Helpful

Go to solution
marce1000
VIP
VIP
In response to jdmaybe

‎11-17-2022 09:15 AM

 

 - When trying to register, on both the 'client' node and the Primary Node issue : show logging system ade/ADE.log  , check if any additional info's can be found (use the command on both nodes)

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
jdmaybe
Level 1
Level 1

‎11-17-2022 11:49 AM

Nothing there, nor anything relevant in system general log for either node 30 min prior or after attempted registration

0 Helpful

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni
In response to jdmaybe

‎11-17-2022 12:06 PM

Hi @jdmaybe,

You've double confirmed that your self-signed certificate indeed contains FQDN of ISE server? On both PAN and newly installed node? And you have both forward and reverse DNS records, for both servers?

You are also using FQDN for registration, not IP address?

Kind regards,

Milos

0 Helpful

Go to solution
jdmaybe
Level 1
Level 1
In response to Milos_Jovanovic

‎11-17-2022 12:39 PM

Thanks Milos, yes to both. Multiple folks have confirmed certs are good. Also have a third node in the deployment to match against that is working. 

0 Helpful

Go to solution
marce1000
VIP
VIP
In response to jdmaybe

‎11-18-2022 05:29 AM

 

 - Make sure that the involved FQDN(s) also have correct PTR-records, 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
davidgfriedman
Level 1
Level 1

‎11-17-2022 12:23 PM

I always add the FQDN as a SAN DNS and the IP Address as a SAN IP, on top of having the FQDN as the common name. Some browsers require it in the SAN DNS field.  

Also, can you verify it from a linux server?  For example, on my linux server I use an openssl call to see the certificate chain, separate from my Windows machine:

openssl s_client ise.yourdomain.com:443

Then, I check the first few results:

depth=2 CN = YOURROOT
verify return:1
depth=1 DC = com, DC = yourdomain, CN = YOURISSUER
verify return:1
depth=0 C = US, ST = NY, L = City, O = Your Company, Inc, OU = SOMEOU, CN = ise.yourdomain.com
verify return:1
CONNECTED(00000003)
---
Certificate chain

0 s:C = US, ST = NY, L = City, O = Your Company, Inc, OU = SOMEOU, CN = ise.yourdomain.com
i:DC = com, DC = yourdomain, CN = YOURISSUER
1 s:DC = com, DC = yourdomain, CN = YOURISSUER
i:CN = YOURROOT
2 s:CN = YOURROOT
i:CN = YOURROOT

There is a lot more after that, but the first few lines show the installed chain, no worrying about IE, Edge, Mozilla or Chrome configs.  If I find it looks good with the openssl check, then the rest is just some browser crap and the Admin GUI was correct.

Regards,
David

0 Helpful

Go to solution
jdmaybe
Level 1
Level 1

‎11-18-2022 10:59 AM

Turns out 1/3 DNS servers had a second, old POR for the node in question that was responding first, despite rx'ing the correct response from nslookup in the node. Had to go into the DNS server and delete the old POR. Cert error message resolved right after that. 

0 Helpful
Customers Also Viewed These Support Documents