
Problems Using Self-Signed Certificates to Register Node

s1nsp4wn
Level 1

I'm trying to register a 2nd node into my ISE 2.4 deployment. I get warned that the default self-signed device cert of the other ISE node is being offered and I click accept to trust it anyways. I get the error:

Unable to authenticate ISE <2nd-ISE-FQDN>. Please check certificate configuration.

Make sure from ‘Primary Admin node’, system certificate chain of registering node is present in ‘Trusted certificates’ and is enabled with ‘Trust for authentication within ISE’ option selected.

Well, I exported that cert from the node I want to register into the PAN I'm registering from, to the trusted store, and selected the use with ISE option as asked, and I'm still greeted with that error. Is this not the recommended way? I'm using the suggestions from Cisco's admin guides and Lab Minutes YouTube videos.

Accepted Solutions

Figured this out based on some of the description there. The domain name I used during install locked in the self-signed cert, so when I had to change the domain name because I later found out it was incorrect, this caused me problems. I changed the domain name from the ISE command line, waited a few for new certs to generate, and imported those successfully and registered what I needed. Thanks!

2 Replies

hslai
Cisco Employee

The message is the same as reported in CSCvd33544.

If possible, please open a TAC case, as our teams have not found a way to recreate it. Also, one deployment had a mismatched domain name between what was configured in the ISE admin CLI and what was shown in the ISE admin web UI.