cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

430
Views
0
Helpful
1
Replies
Etlicher
Beginner

Synchronize database into Cisco ISE

Hello guys, 

 

I have a problem...

I need to create a synchronize database betewen two serveur ISE (ISE1 Primary server and ISE2 secondary server).

 

More precisely, i would like the identities  create on my ISE1 server to be automatically replicated to the ISE2 server.

 

I have already imported the certificates and activated the option "Trust for authentication within ISE" But an error message occurs....

 

"Unable to authenticate ISE SGISE02.tiretech.contiwan.com. Please check server and CA certificate configuration and make sure 'Trust for authentication within ISE' option is selected."

 

Thx you....

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Arne Bier
VIP Advisor

When you register a secondary PAN node to your initial PRIMARY PAN node, then you are creating a deployment (ISE Cube).  That has the built in effect that the Secondary PAN will be kept in sync with the Primary PAN.

 

The issue you're describing seems to be with the secondary PAN registration.  If you don't have certificate trust  between the two servers then the registration will fail.

The cleanest way to make this happen is to create Admin certs from a common PKI (e.g. your internal Windows CA Server).   Then install the PKI CA cert chain on ALL of your ISE nodes.  Then import the ISE Admin to each node (or if you created a CSR per node, then simply bind the cert from your PKI back to each node).

Then when you register node 02 to node 01, the node 01 will trust the cert of node 02 because the node 02 cert was issued by a CA that is in node 01's trust store.

Don't be tempted to import each other's ISE self-signed Admin cert - that's the quick and dirty (and lazy) approach.

 

View solution in original post

1 REPLY 1
Arne Bier
VIP Advisor

When you register a secondary PAN node to your initial PRIMARY PAN node, then you are creating a deployment (ISE Cube).  That has the built in effect that the Secondary PAN will be kept in sync with the Primary PAN.

 

The issue you're describing seems to be with the secondary PAN registration.  If you don't have certificate trust  between the two servers then the registration will fail.

The cleanest way to make this happen is to create Admin certs from a common PKI (e.g. your internal Windows CA Server).   Then install the PKI CA cert chain on ALL of your ISE nodes.  Then import the ISE Admin to each node (or if you created a CSR per node, then simply bind the cert from your PKI back to each node).

Then when you register node 02 to node 01, the node 01 will trust the cert of node 02 because the node 02 cert was issued by a CA that is in node 01's trust store.

Don't be tempted to import each other's ISE self-signed Admin cert - that's the quick and dirty (and lazy) approach.

 

View solution in original post

Content for Community-Ad