ISE PIC Integration with AD, FMC

haroungh
Level 1

Hi Dears,

I am doing an ISE-PIC lab and I got the following error when I tried to enable the pxGrid service on the admin cert; the admin cert is signed by a CA.

pxgrid-service.png

1 Accepted Solution

Accepted Solutions

@haroungh you cannot simply bind any certificate to the pxGrid service: the certificate in use must have both the server and client extended key usages (EKUs). The admin certificate does not have both of these EKUs, so you will need to create a certificate specifically for pxGrid. More information:

 

https://community.cisco.com/t5/security-documents/how-to-deploying-certificates-with-pxgrid-ca-signed-ise-pxgrid/ta-p/3626277

https://integratingit.wordpress.com/2018/08/25/cisco-ise-pxgrid-integration-with-firepower/

https://www.ciscolive.com/global/on-demand-library.html?search=ise&search.event=ciscolive2021&search.event=ciscoliveus2020&search=ise#/session/1573153556309001Jgr6

 

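As an added illustration of the EKU requirement in the accepted answer (this is not code from the thread, from ISE-PIC or from Cisco): a dependency-free Python check that walks a DER-encoded certificate, locates the extendedKeyUsage extension (OID 2.5.29.37) and reports whether both serverAuth (1.3.6.1.5.5.7.3.1) and clientAuth (1.3.6.1.5.5.7.3.2) are present, which is the property the admin certificate lacks. The `sample_cert_skeleton` helper is an assumption for offline use: it builds a constructed, unsigned stand-in that carries only the extensions field, enough to exercise the walk. On a real deployment you would point `load_cert_der` at the PEM or DER file of the certificate you intend to bind to pxGrid before assigning it.

```python
"""Check an X.509 certificate (DER or PEM) for the serverAuth + clientAuth
EKU pair that pxGrid needs. Pure Python, no third-party dependencies."""
import base64
import sys

# OIDs from RFC 5280 (extendedKeyUsage) and its KeyPurposeId values.
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
REQUIRED_EKUS = ((OID_SERVER_AUTH, "serverAuth"), (OID_CLIENT_AUTH, "clientAuth"))


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _iter_children(content):
    pos = 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        yield tag, val


def _decode_oid(raw):
    """Base-128 OID decoding; first byte packs the first two arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _find_extension(der, ext_oid):
    """Depth-first walk over constructed nodes for
    Extension ::= SEQUENCE { extnID OID, critical BOOL OPTIONAL, extnValue OCTET STRING }."""
    def walk(content):
        for tag, val in _iter_children(content):
            if not tag & 0x20:             # primitive: nothing to descend into
                continue
            kids = list(_iter_children(val))
            if (tag == 0x30 and kids and kids[0][0] == 0x06
                    and _decode_oid(kids[0][1]) == ext_oid and kids[-1][0] == 0x04):
                return kids[-1][1]         # extnValue contents
            found = walk(val)
            if found is not None:
                return found
        return None
    return walk(der)


def extended_key_usages(der):
    """Dotted OIDs listed in the certificate's EKU extension ([] if absent)."""
    ext_value = _find_extension(der, OID_EXT_KEY_USAGE)
    if ext_value is None:
        return []
    _, seq, _ = _read_tlv(ext_value, 0)    # SEQUENCE OF KeyPurposeId
    return [_decode_oid(v) for t, v in _iter_children(seq) if t == 0x06]


def pxgrid_eku_check(der):
    """(ok, missing_names): ok only when serverAuth AND clientAuth are present."""
    present = set(extended_key_usages(der))
    missing = [name for oid, name in REQUIRED_EKUS if oid not in present]
    return not missing, missing


def load_cert_der(path):
    """Read a PEM or DER certificate file into raw DER bytes."""
    data = open(path, "rb").read()
    if b"-----BEGIN" in data:
        body = b"".join(l for l in data.splitlines() if l and not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


# --- constructed sample data (assumption, not a real certificate) -----------
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def sample_cert_skeleton(eku_oids):
    """Unsigned stand-in: Certificate { tbsCertificate { [3] Extensions { EKU } } }."""
    eku_seq = der_tlv(0x30, b"".join(der_oid(o) for o in eku_oids))
    ext = der_tlv(0x30, der_oid(OID_EXT_KEY_USAGE) + der_tlv(0x04, eku_seq))
    extensions = der_tlv(0xA3, der_tlv(0x30, ext))   # [3] EXPLICIT
    return der_tlv(0x30, der_tlv(0x30, extensions))


if __name__ == "__main__":
    der = load_cert_der(sys.argv[1]) if len(sys.argv) > 1 else sample_cert_skeleton([OID_SERVER_AUTH])
    ok, missing = pxgrid_eku_check(der)
    print("usable for pxGrid" if ok else "NOT usable for pxGrid, missing EKU(s): " + ", ".join(missing))
```

Run it with the path to the exported certificate as the only argument; without an argument it evaluates the constructed server-only sample, which fails the check exactly the way a typical admin certificate does.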

4 Replies


Hi @Rob Ingram,

thanks in advance for your support,

Actually I am using ISE-PIC as the CA server and I have generated the FMC identity certificate and key; after that I uploaded the ISE CA and sub-CA to the trusted certs and also uploaded the FMC identity cert with key to the internal certs.

When I tried to join FMC to ISE it failed again; take a look below.

 

ISE-test failed.PNG

 

Primary host:
[INFO]: PXGrid v2 is enabled
[ERROR]: Failed to contact pxGrid node at '192.168.0.250': Server returned 401: Unauthorized


Secondary host:
[INFO]: PXGrid v2 is enabled
[ERROR]: HttpsStringRequest on_handshake error: 337047686: certificate verify failed
[ERROR]: HttpsStringRequest SSL error: 2021-10-28 11:35:03(GMT): Starting SSL Handshake, SSL state:before SSL initialization
2021-10-28 11:35:03(GMT): SSL State:before SSL initialization
2021-10-28 11:35:03(GMT): SSL State:SSLv3/TLS write client hello
2021-10-28 11:35:03(GMT): SSL State:SSLv3/TLS write client hello
2021-10-28 11:35:03(GMT): SSL State:SSLv3/TLS write client hello
2021-10-28 11:35:03(GMT): SSL State:SSLv3/TLS write client hello
2021-10-28 11:35:03(GMT): SSL State:SSLv3/TLS write client hello
2021-10-28 11:35:03(GMT): SSL State:SSLv3/TLS write client hello
2021-10-28 11:35:03(GMT): SSL State:SSLv3/TLS write client hello
2021-10-28 11:35:03(GMT): SSL State:SSLv3/TLS read server hello
2021-10-28 11:35:03(GMT): Entering OpenSSL verify callback, preverified:0, error: self signed certificate in certificate chain, error depth: 3, current_cert: Certificate with Serial Number '0x29DC468856CB4C4CA097BA9FC8CE50AF', issued by 'CN = Certificate Services Root CA - ise-pic-01', to 'CN = Certificate Services Root CA - ise-pic-01'
2021-10-28 11:35:03(GMT): Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x0CC3C225409C4914ACCFF91E18550D9A', issued by 'CN = Certificate Services Endpoint Sub CA - ise-pic-02', to 'OU = Certificate Services System Certificate, CN = ise-pic-02.cisco.corp'
...because SSL negotiation encountered error: self signed certificate in certificate chain
...while validating this entry in the certificate chain: Certificate with Serial Number '0x29DC468856CB4C4CA097BA9FC8CE50AF', issued by 'CN = Certificate Services Root CA - ise-pic-01', to 'CN = Certificate Services Root CA - ise-pic-01'
2021-10-28 11:35:03(GMT): Sending SSL alert:unknown CA
2021-10-28 11:35:03(GMT): SSL State:error
[ERROR]: Failed to contact pxGrid node at '192.168.0.251': Handshake error to 192.168.0.251:8910

 

Hello @haroungh, were you able to solve the problem for the integration? I have the same error message.

mbargers
Level 1

Does anyone have a solution for @haroungh's problem? I am getting the same error that is shown above on the secondary host:

[INFO]: PXGrid v2 is enabled
[ERROR]: HttpsStringRequest on_handshake error: 337047686: certificate verify failed
[ERROR]: HttpsStringRequest SSL error: 2021-10-28 11:35:03(GMT): Starting SSL Handshake, SSL state:before SSL initialization