06-07-2015 03:25 AM - edited 03-10-2019 10:47 PM
Hi all,
We are trying to integrate a new ISE node as a PSN into our current setup. When we try to register it we get the error messages below. Has anyone faced the same issue? We also need clarity on these error messages.
When trying to register with the IP address we get the following error message:
Unable to authenticate ISE secondary_ise_name. Please check server and CA certificate configuration and try again.
When trying to register with the FQDN we get the following error message:
FQDN 'XYZ.local.com' which cannot be resolved. Please check your DNS configuration.
So we need clarity on whether this is a DNS or a certificate issue.
Regards,
Avinash
06-08-2015 12:38 AM
Hi,
Please make sure that your FQDN is resolvable by your ISE.
For that you need to add a DNS entry on your server.
06-11-2015 02:24 PM
Depending on which version of ISE you are running, the new PSN MUST have a certificate signed by the same CA server as the Primary PAN node.
On version 1.2 and above, the Primary PAN validates the certificate presented by the new PSN so it can join the current deployment. In addition to that, you MUST have a DNS entry for the FQDN of the new PSN. In the previous 1.1.3 version you could include a new PSN with only the IP, but this option is NO longer available. The Primary PAN node requests the IP of the new PSN node from DNS based on the FQDN provided during the join process.
Hope this helps.
06-07-2015 02:16 PM
Did you install the server certificate of the secondary in the trusted certificate list of the primary?
I think this is required to enable the communication.
06-07-2015 11:20 PM
We are adding this as a pure PSN node. Its certificate has been added to the certificate store on the primary admin node.
08-18-2015 12:28 AM
When you added the PSN server certificate to the trust store on the primary, did you tick "trust for ISE registration"?
08-18-2015 12:45 PM
Hi Alberx,
Based on my understanding, you do not need to add the PSN's certificate to the Primary PAN ISE trust store, at least on version 1.2.1.198. You only have to install the certificate on the corresponding PSN; that certificate could be a SAN certificate that includes all the FQDNs of the ISE nodes in your deployment (actually I am using only one common certificate for my whole deployment, 12 ISEs), but that certificate must be signed by the same CA server as the Primary PAN cert.
Regarding "trust for ISE Registration", I would say YES, tick it, because when you are building the deployment, the certificate presented by each PSN or MNT node to be integrated with the Primary PAN node is used so the PAN node can check whether the CA server that signed the MNT/PSN cert is a valid one during the registration process.
Hope this helps.
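The two conditions the replies above keep coming back to (the PSN's FQDN must resolve in DNS, and the PSN's certificate must be signed by a CA the primary PAN trusts and must carry that FQDN, either alone or as one name in a shared SAN certificate) can be rehearsed before attempting the join. The Go program below is an added example, not ISE code and not from any poster in this thread. Everything in it is constructed: the resolver is a static map standing in for DNS (pass net.LookupHost for a live lookup), the CAs are self-signed fixtures, and the corp.example names and the 192.0.2.20 address are placeholders. It goes slightly beyond the thread by also exercising the shared multi-node SAN certificate from the 12-node reply and a certificate that chains correctly but does not list the FQDN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Resolver abstracts the DNS lookup; pass net.LookupHost in production and
// StaticResolver (a constructed zone) to exercise the checks offline.
type Resolver func(host string) ([]string, error)

func StaticResolver(zone map[string][]string) Resolver {
	return func(host string) ([]string, error) {
		if addrs, ok := zone[host]; ok {
			return addrs, nil
		}
		return nil, fmt.Errorf("no such host: %s", host)
	}
}

// RegistrationResult records which pre-flight conditions passed and the first failure.
type RegistrationResult struct {
	Resolved, CertValid, FQDNInCert bool
	Addrs                           []string
	Err                             string
}

// CheckRegistration applies the thread's conditions in order: the FQDN resolves,
// the PSN certificate chains to a CA in the PAN's trust store, and the
// certificate covers the FQDN (CN or SAN). The wording mirrors the ISE messages.
func CheckRegistration(fqdn string, psnCert *x509.Certificate, trusted *x509.CertPool, resolve Resolver) RegistrationResult {
	r := RegistrationResult{}
	addrs, err := resolve(fqdn)
	if err != nil || len(addrs) == 0 {
		r.Err = fmt.Sprintf("FQDN %q cannot be resolved. Please check your DNS configuration.", fqdn)
		return r
	}
	r.Resolved, r.Addrs = true, addrs
	if _, err := psnCert.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}); err != nil {
		r.Err = "Unable to authenticate PSN; check CA certificate configuration: " + err.Error()
		return r
	}
	r.CertValid = true
	if err := psnCert.VerifyHostname(fqdn); err != nil {
		r.Err = "certificate does not cover the FQDN: " + err.Error()
		return r
	}
	r.FQDNInCert = true
	return r
}

// issue generates a P-256 key for tmpl and has signer sign it, or self-signs
// when signer is nil. Fixture builder only, so a failure simply panics.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand fails
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced is well-formed
	return cert, key
}

// NewCA builds a self-signed CA standing in for the enterprise CA that signed the PAN's cert.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// IssueNodeCert has the CA sign a server cert listing the node FQDNs as SANs
// (one node, or every node in the deployment for a shared SAN certificate).
func IssueNodeCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, sans []string) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: sans[0]},
		DNSNames: sans, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert
}

func main() {
	zone := map[string][]string{"psn2.corp.example": {"192.0.2.20"}} // constructed DNS zone
	ca, caKey := NewCA("Corp Issuing CA")
	otherCA, otherKey := NewCA("Unrelated CA")
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // what the primary PAN trusts
	for name, cert := range map[string]*x509.Certificate{
		"same CA, FQDN in SAN":  IssueNodeCert(ca, caKey, []string{"pan1.corp.example", "psn2.corp.example"}),
		"different CA":          IssueNodeCert(otherCA, otherKey, []string{"psn2.corp.example"}),
		"same CA, FQDN missing": IssueNodeCert(ca, caKey, []string{"pan1.corp.example"}),
	} {
		fmt.Printf("%-22s -> %+v\n", name, CheckRegistration("psn2.corp.example", cert, trusted, StaticResolver(zone)))
	}
}
```

The order of the checks matters for reading the result: ISE's "cannot be resolved" message is reported before any certificate validation, so a DNS failure hides a certificate problem until the name resolves, which is why both the DNS entry and the CA relationship are worth confirming before retrying the join.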
06-11-2015 02:01 AM
Make sure you have the secondary PSN certificate on the primary PSN and that the secondary PSN's DNS name is resolvable. If there is still an issue, checking "ise-psc.log" can give you insight.