08-02-2021 07:15 AM
Hi Experts,
I'm very new to ISE, can you guys help me with this issue?
I have a 4-VM ISE deployment, version 2.4.0.357: 2 admin and monitoring nodes and 2 policy service nodes.
We had an issue with one policy node; its status was red... I tried to deregister it and register it back again, but the self-signed cert is expired, so it won't let me register it back again.
Self-signed certs are expired on all my nodes.
Is there a way to generate a self-signed cert through the CLI, so I could do that and add the node back to the deployment?
Thanks in advance
08-02-2021 05:52 PM
No, there is no way to manage the identity certificates via the CLI. You will need to connect to the GUI of each individual node and generate new self-signed certificates.
Since you are using self-signed certificates, you will also need to export the new certs and import them into each of the other nodes' Trusted Certificates stores, so that each node trusts each other node's Admin cert, before trying to rejoin the nodes to the cluster.
Best practice is to use CA-signed certificates with a common root CA so that each node inherently trusts the others with the same trust chain.
For more info, see:
08-04-2021 03:33 PM
When the Secondary nodes cannot sync with the Primary, they must be reverted to Standalone mode to generate new certificates. At this point, you have little option but to rebuild the cluster. From the CLI on the secondary nodes, you will have to issue the 'application reset-config ise' command. Once the database is reset and the application server has started again, you will be able to generate self-signed certs (or better yet, CSRs and CA-signed certs) and join the nodes back to the Primary PAN to rebuild the cluster. The policy configuration is stored in the Primary PAN, so the rebuilt Secondary nodes will sync their configs upon joining the cluster again.
You can either do multiple nodes at a time during an outage window, or rebuild one PSN at a time so that you still have one active PSN to continue handling endpoint sessions (depending on how your H/A architecture is built).
After getting the cluster back to a healthy state again, you should also strongly consider upgrading to a newer software version as 2.4 reaches End of Software Maintenance in a few months.
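The two answers above explain why the registration failed (an expired self-signed Admin certificate) and what each node's Trusted Certificates store must contain afterwards: every peer's freshly generated self-signed cert, or a single common root CA. The Go program below is an added illustration of that trust check built on the standard library's x509 package; it is not part of this thread and not Cisco ISE code, only a model of what a node does with a peer's Admin certificate, since ISE exposes no CLI for any of this. The hostnames, the root CA name and the "today" date are constructed, and checkTrust, issue and nodeKey are names chosen here. It walks through the thread's sequence: the expired PSN cert is rejected, the regenerated one is rejected until it is imported into the PAN's store, and a CA-signed cert is accepted with only the root in the store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Outcomes of the modelled trust check (this is a model, not ISE code).
const Trusted, Expired, Untrusted = "trusted", "expired", "not trusted: no path to the store"

var nextSerial int64 = 1000 // counter for demo serials; real certs use random ones

// nodeKey makes a throwaway key pair standing in for a node's private key.
func nodeKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue builds a certificate for cn. With parent == nil it is self-signed and
// carries the CA bit so it can act as its own trust anchor once imported into a
// peer's store; otherwise it is signed by parent/parentKey (the common-root case).
func issue(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	nextSerial++
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkTrust models what a node does with a peer's Admin cert at registration:
// accept it only if it is valid at time now and chains to a cert in its store.
func checkTrust(peer *x509.Certificate, now time.Time, store ...*x509.Certificate) string {
	pool := x509.NewCertPool()
	for _, c := range store {
		pool.AddCert(c)
	}
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return Trusted
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return Expired
	default:
		return Untrusted
	}
}

func must(c *x509.Certificate, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	now := time.Date(2021, 8, 2, 12, 0, 0, 0, time.UTC) // constructed "today"
	year := 365 * 24 * time.Hour
	panKey, psnKey, caKey := nodeKey(), nodeKey(), nodeKey()
	// Self-signed Admin certs as in the thread: the PAN's is valid, the PSN's has expired.
	pan := must(issue("ise-pan-1.example.net", panKey, nil, nil, now.Add(-year), now.Add(year)))
	psnOld := must(issue("ise-psn-1.example.net", psnKey, nil, nil, now.Add(-2*year), now.Add(-year)))
	fmt.Println("expired PSN cert vs PAN store:", checkTrust(psnOld, now, pan))
	// Regenerated PSN cert: rejected until it is imported into the PAN's store.
	psnNew := must(issue("ise-psn-1.example.net", psnKey, nil, nil, now.Add(-time.Hour), now.Add(year)))
	fmt.Println("new PSN cert, not yet imported:", checkTrust(psnNew, now, pan))
	fmt.Println("new PSN cert after import:", checkTrust(psnNew, now, pan, psnNew))
	// CA-signed alternative: one root in every store covers every node cert.
	root := must(issue("Example ISE Root CA", caKey, nil, nil, now.Add(-year), now.Add(10*year)))
	psnCA := must(issue("ise-psn-1.example.net", psnKey, root, caKey, now.Add(-time.Hour), now.Add(year)))
	fmt.Println("CA-signed PSN cert, root-only store:", checkTrust(psnCA, now, root))
}
```

Run it with `go run`. The expired certificate is rejected before any chain is even built, so it is rejected even when it is itself sitting in the store; an expired entry in a Trusted Certificates store never helps and is only clutter to remove. The last case is the reason behind the common-root-CA recommendation: replacing a node's certificate then needs no cross-import on every other node, only a valid chain to the root that every store already holds.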
12-07-2021 12:37 PM
Hello, Greg!
Sorry for taking so long to respond, but I've only had time to perform the "application reset-config ise" today, and I was able to successfully restore the node and add it back to the cluster. The only thing left to do was to remove the expired cert from the trusted certificates on the primary PAN.
Thanks