02-28-2019 11:37 PM
Hello guys,
I have a problem...
I need to create a synchronized database between two ISE servers (ISE1 primary server and ISE2 secondary server).
More precisely, I would like the identities created on my ISE1 server to be automatically replicated to the ISE2 server.
I have already imported the certificates and activated the option "Trust for authentication within ISE", but an error message occurs....
"Unable to authenticate ISE SGISE02.tiretech.contiwan.com. Please check server and CA certificate configuration and make sure 'Trust for authentication within ISE' option is selected."
Thank you....
03-01-2019 04:46 AM
When you register a secondary PAN node to your initial PRIMARY PAN node, then you are creating a deployment (ISE Cube). That has the built-in effect that the Secondary PAN will be kept in sync with the Primary PAN.
The issue you're describing seems to be with the secondary PAN registration. If you don't have certificate trust between the two servers then the registration will fail.
The cleanest way to make this happen is to create Admin certs from a common PKI (e.g. your internal Windows CA Server). Then install the PKI CA cert chain on ALL of your ISE nodes. Then import the ISE Admin to each node (or if you created a CSR per node, then simply bind the cert from your PKI back to each node).
Then when you register node 02 to node 01, node 01 will trust the cert of node 02 because the node 02 cert was issued by a CA that is in node 01's trust store.
Don't be tempted to import each other's ISE self-signed Admin cert - that's the quick and dirty (and lazy) approach.
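An added example (not part of the thread, and not Cisco's tooling) that reproduces the trust check described in this answer with openssl: it builds throwaway CAs, issues admin certs for two nodes, and shows that a peer only accepts a cert whose issuing CA is in its own trust store. Node FQDNs and CA labels are placeholders.

```shell
#!/bin/sh
# Constructed lab: build throwaway CAs, issue admin certs for ISE nodes,
# and check whether a node's cert would be trusted by a peer's trust store.
# Node names and CA labels are placeholders, not the poster's real hosts.
set -eu
WORK=$(mktemp -d)

# Create a private CA (stand-in for the internal Windows CA the answer mentions).
make_ca() {                       # $1 = CA label
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Generate a CSR for a node and have the named CA sign it (bind the issued cert).
issue_node_cert() {               # $1 = node FQDN, $2 = CA label
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

# Build a peer's "trusted certificates" store from one or more CA certs.
build_trust_store() {             # $1 = store name, $2.. = CA labels
  store="$WORK/$1.pem"; shift
  : > "$store"
  for ca in "$@"; do cat "$WORK/$ca.crt" >> "$store"; done
}

# Would a node holding trust store $1 accept the admin cert of node $2?
# Returns 0 when the chain verifies, non-zero otherwise (the registration error).
peer_trusts() {                   # $1 = store name, $2 = node FQDN
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.crt" >/dev/null 2>&1
}

main() {
  make_ca corp-ca
  make_ca other-ca
  issue_node_cert ise01.lab.test corp-ca
  issue_node_cert ise02.lab.test corp-ca
  issue_node_cert ise03.lab.test other-ca     # signed by a CA ise01 never imported
  build_trust_store ise01-store corp-ca       # only corp-ca's chain installed on ise01
  peer_trusts ise01-store ise02.lab.test && echo "ise02: trusted by ise01"
  peer_trusts ise01-store ise03.lab.test || echo "ise03: NOT trusted, registration would fail"
}
main
```

Adding other-ca to the ise01 store (build_trust_store ise01-store corp-ca other-ca) makes ise03 verify, which is the "install the CA chain on all nodes" step in practice.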