Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

430
Views
0
Helpful
1
Replies
Etlicher
Beginner
Beginner
‎02-28-2019 11:37 PM
‎02-28-2019 11:37 PM

Synchronize database into Cisco ISE

Hello guys, 

 

I have a problem...

I need to create a synchronize database betewen two serveur ISE (ISE1 Primary server and ISE2 secondary server).

 

More precisely, i would like the identities  create on my ISE1 server to be automatically replicated to the ISE2 server.

 

I have already imported the certificates and activated the option "Trust for authentication within ISE" But an error message occurs....

 

"Unable to authenticate ISE SGISE02.tiretech.contiwan.com. Please check server and CA certificate configuration and make sure 'Trust for authentication within ISE' option is selected."

 

Thx you....

 

 

0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Arne Bier
VIP Advisor VIP Advisor
VIP Advisor
‎03-01-2019 04:46 AM
‎03-01-2019 04:46 AM

When you register a secondary PAN node to your initial PRIMARY PAN node, then you are creating a deployment (ISE Cube).  That has the built in effect that the Secondary PAN will be kept in sync with the Primary PAN.

 

The issue you're describing seems to be with the secondary PAN registration.  If you don't have certificate trust  between the two servers then the registration will fail.

The cleanest way to make this happen is to create Admin certs from a common PKI (e.g. your internal Windows CA Server).   Then install the PKI CA cert chain on ALL of your ISE nodes.  Then import the ISE Admin to each node (or if you created a CSR per node, then simply bind the cert from your PKI back to each node).

Then when you register node 02 to node 01, the node 01 will trust the cert of node 02 because the node 02 cert was issued by a CA that is in node 01's trust store.

Don't be tempted to import each other's ISE self-signed Admin cert - that's the quick and dirty (and lazy) approach.

 

View solution in original post

0 Helpful
1 REPLY 1
Arne Bier
VIP Advisor VIP Advisor
VIP Advisor
‎03-01-2019 04:46 AM
‎03-01-2019 04:46 AM

When you register a secondary PAN node to your initial PRIMARY PAN node, then you are creating a deployment (ISE Cube).  That has the built in effect that the Secondary PAN will be kept in sync with the Primary PAN.

 

The issue you're describing seems to be with the secondary PAN registration.  If you don't have certificate trust  between the two servers then the registration will fail.

The cleanest way to make this happen is to create Admin certs from a common PKI (e.g. your internal Windows CA Server).   Then install the PKI CA cert chain on ALL of your ISE nodes.  Then import the ISE Admin to each node (or if you created a CSR per node, then simply bind the cert from your PKI back to each node).

Then when you register node 02 to node 01, the node 01 will trust the cert of node 02 because the node 02 cert was issued by a CA that is in node 01's trust store.

Don't be tempted to import each other's ISE self-signed Admin cert - that's the quick and dirty (and lazy) approach.

 

View solution in original post

0 Helpful
Latest Contents
ISE as RADIUS server for Password + Smart Card Authenticatio...
Created by deepuvarghese1 on 04-17-2021 06:22 AM
1
10
1
10
The purpose of this document is to demonstrate how ISE authenticate / authorize a user that uses a smart card (PIN + Certificate) and password mechanism to login their system. This document describes the components used for this setup, configuration of IS... view more
Email Security - QuoVadis Root Certificate Decommission Migh...
Created by dmccabej on 03-30-2021 09:32 AM
0
0
0
0
Problem Description For all versions of the Email Security Appliance (ESA) and Security Management Appliance (SMA), some Secure Sockets Link (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot b... view more
ISE REST APIs Webinar: April 6/7, 2021
Created by thomas on 03-25-2021 07:57 PM
2
5
2
5
  Register Now Automation and programmability for networking and security are increasingly important topics. Every release since ISE 1.2 has included new REST API capabilities to better automate and integrate ISE with the rest of your network, appli... view more
FMT 2.3.4 adding ASA migrations of S2S VPN in public beta
Created by William_Hansch on 03-22-2021 08:00 AM
1
10
1
10
The latest iteration (v2.3.4) of the Cisco Secure Firewall Migration Tool adds public beta support for S2S VPN migrations from ASA: Policy-based (crypto map) Pre-Shared key authentication type VPN configuration to Firepower Management Center VP... view more
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 03-22-2021 04:40 AM
1
40
1
40
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
Content for Community-Ad