01-09-2025 10:41 PM
Hello, I am still new to ISE AAA. I have 2 ISE nodes which are deployed in HA. Recently I had an issue with expired certs, some self-signed and others CA-signed by a local CA. EAP, Portal and Admin use one cert issued by the CA. While renewing the EAP, Portal and Admin cert, I included the ISE Messaging cert on the PAN and later realized that it is a standalone self-signed cert on the Secondary, meaning there is an inconsistency, which I believe is the reason the two nodes are not in sync as shown in the image below. I reverted it back to EAP, Portal and Admin, and imported the self-signed ISE Messaging cert from the Secondary node to the PAN hoping they would now sync, but they are still not in sync. What could be the other reason? What steps should I take to ensure they are in sync?
Secondly, still on the issues with expired certs, the DTLS cert is expired and I also had issues with AnyConnect remote access. ISE is integrated to authenticate remote users via AD. Currently I am able to input credentials but MFA is not able to reach my device as it times out, which I believe could be related to the DTLS cert which enables ISE communication with the NAD (FMC/FTD). I renewed the cert but the problem still persists. Any input towards troubleshooting is greatly appreciated.
01-10-2025 12:25 AM
@Dkiptoo ISE uses the admin certificate for secure communication, so both ISE nodes must trust each other's admin certificate. Do both ISE nodes have an admin certificate issued by the same CA? I assume the ISE services were restarted on both nodes? If the secondary node is still out of sync, click the "Syncup" button and wait a while.
ISE and FMC won't be using DTLS to communicate; that is used for RADSec on the switches. Please provide more information in regard to this issue.
01-12-2025 10:17 PM
Hi Rob, actually I have been facing a problem renewing the EAP, Portal and Admin cert for Node 2. I did very well with node one, but when trying to generate a CSR for node 2, I get the error attached.
For VPN, I am facing a connectivity problem. Authentication is integrated with DUO MFA. I am able to enter credentials at the AnyConnect client but am not able to get the DUO push on the phone. The session times out. It was working well before.
01-15-2025 07:46 PM
Hi @Dkiptoo ,
1st, at Administration > System > Deployment, put your mouse over the Node Status icon to check the error:
2nd, at Administration > System > Certificate Management > System Certificates, compare your nodes' certificates, looking for any missing certificate (for example).
Hope this helps !!!
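The two checks the replies above describe (Rob's point that each node must trust the other's admin certificate, and Marcelo's suggestion to compare the certificates exported from each node) can be scripted with plain OpenSSL once you have the PEM files in hand. The script below is an added example and is not from the thread or from Cisco; it builds a throwaway lab CA and two node certificates so it runs offline, and the node names, file names, validity periods and the "ISE Messaging" self-signed certificate are assumptions standing in for what you would export from Administration > System > Certificate Management on each node.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: ise-pan / ise-san for the
# two nodes, "Lab Issuing CA" for the local CA, *-trusted.pem for each node's
# trusted-certificates store. Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Lab CA standing in for the local CA that signed the Admin/EAP/Portal cert.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Lab Issuing CA" -days 365 >/dev/null 2>&1

# Issue a CA-signed admin cert for a node. $1 = node name, $2 = validity in days.
issue_admin_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1.lab.example" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out "$1-admin.crt" -days "$2" >/dev/null 2>&1
}

# A self-signed cert, which is what an ISE Messaging cert is: one per node,
# never copied between nodes. $1 = node name.
issue_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1-msg.key" \
        -out "$1-msg.crt" -subj "/CN=$1.lab.example/OU=ISE Messaging" \
        -days 365 >/dev/null 2>&1
}

# Check 1: would the peer node accept this cert? $1 = cert, $2 = peer's trust
# store. Exit 0 when the chain validates against that store, 1 otherwise.
peer_trusts() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 2: does the cert still have at least $2 seconds of validity left?
# Exit 0 if it does, 1 if it expires before then (or already has).
valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Issuer DN as text, for a quick "same CA on both nodes?" comparison.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# Constructed lab inventory: 30-day admin certs from the CA, self-signed
# messaging certs, and both nodes trusting the lab CA.
issue_admin_cert ise-pan 30
issue_admin_cert ise-san 30
issue_selfsigned ise-pan
issue_selfsigned ise-san
cp ca.crt ise-pan-trusted.pem
cp ca.crt ise-san-trusted.pem

# Report, run the same way against certs exported from the real nodes.
for node in ise-pan ise-san; do
    if [ "$node" = ise-pan ]; then peer=ise-san; else peer=ise-pan; fi
    if peer_trusts "$node-admin.crt" "$peer-trusted.pem"; then
        echo "$node admin cert: trusted by $peer"
    else
        echo "$node admin cert: NOT trusted by $peer (sync will fail)"
    fi
    if valid_for "$node-admin.crt" 604800; then
        echo "$node admin cert: more than 7 days of validity left"
    else
        echo "$node admin cert: expires within 7 days or already expired"
    fi
    echo "$node admin cert $(issuer_of "$node-admin.crt")"
done
```

Run it with the real exports by replacing the constructed certs with the PEM files from each node: the admin cert of node A must pass `peer_trusts` against node B's trusted-certificates store and vice versa, the two `issuer_of` lines should agree when both admin certs come from the same CA, and `valid_for` flags the expiry problem that started this thread before it takes the deployment out of sync again.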