Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2056
Views
0
Helpful
1
Replies

Synchronize database into Cisco ISE

Go to solution
Etlicher
Level 1
Level 1

‎02-28-2019 11:37 PM

Hello guys, 

 

I have a problem...

I need to create a synchronize database betewen two serveur ISE (ISE1 Primary server and ISE2 secondary server).

 

More precisely, i would like the identities  create on my ISE1 server to be automatically replicated to the ISE2 server.

 

I have already imported the certificates and activated the option "Trust for authentication within ISE" But an error message occurs....

 

"Unable to authenticate ISE SGISE02.tiretech.contiwan.com. Please check server and CA certificate configuration and make sure 'Trust for authentication within ISE' option is selected."

 

Thx you....

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎03-01-2019 04:46 AM

When you register a secondary PAN node to your initial PRIMARY PAN node, then you are creating a deployment (ISE Cube).  That has the built in effect that the Secondary PAN will be kept in sync with the Primary PAN.

 

The issue you're describing seems to be with the secondary PAN registration.  If you don't have certificate trust  between the two servers then the registration will fail.

The cleanest way to make this happen is to create Admin certs from a common PKI (e.g. your internal Windows CA Server).   Then install the PKI CA cert chain on ALL of your ISE nodes.  Then import the ISE Admin to each node (or if you created a CSR per node, then simply bind the cert from your PKI back to each node).

Then when you register node 02 to node 01, the node 01 will trust the cert of node 02 because the node 02 cert was issued by a CA that is in node 01's trust store.

Don't be tempted to import each other's ISE self-signed Admin cert - that's the quick and dirty (and lazy) approach.

 

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Arne Bier
VIP
VIP

‎03-01-2019 04:46 AM

When you register a secondary PAN node to your initial PRIMARY PAN node, then you are creating a deployment (ISE Cube).  That has the built in effect that the Secondary PAN will be kept in sync with the Primary PAN.

 

The issue you're describing seems to be with the secondary PAN registration.  If you don't have certificate trust  between the two servers then the registration will fail.

The cleanest way to make this happen is to create Admin certs from a common PKI (e.g. your internal Windows CA Server).   Then install the PKI CA cert chain on ALL of your ISE nodes.  Then import the ISE Admin to each node (or if you created a CSR per node, then simply bind the cert from your PKI back to each node).

Then when you register node 02 to node 01, the node 01 will trust the cert of node 02 because the node 02 cert was issued by a CA that is in node 01's trust store.

Don't be tempted to import each other's ISE self-signed Admin cert - that's the quick and dirty (and lazy) approach.

 

0 Helpful
Customers Also Viewed These Support Documents