This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
i'm stuck at registering inline posture node to primary node.
I doing fresh install both ISE appliance using version 1.1.1, patched all 3 available patach version after install.
AD and DNS were perfectly configure, ping using hostname able to resolve
Everything set, so both PSN and iPEP generate CSR and ready to let CA server to signed. But anyway this is the outcome i get Error message "Unable to authenticate. please check server and CA certificate."
- What certificate template to be use primary node and inline posture node?
I having problem the CA certsrv won't show computer template for inline posture node. can i use web server template and on the extension include client autthenticaiton andserver authentication on this case?
- What certficate template use for primay node CSR?
02. According to Cisco ISE user guide 1.1.1, it mentioned "Creating certificate trust list in Primary ISE Node"
So first action is importing Root and CA certificate . my rootCA.cer import to certification operation \ certifcate store, while CSR generated then Bind CA certificate.
question, should i check anything like "Tust for client authentication" checkbox or any other option to be check?
How about Inline Posture node, should i export the CA certificate and import to primary node's certificate store?
i am stuck,need guidance , thanks
I will try to explain the process i went through , iimported the root certificate to local certificates , marked for client authen anyway , then i generate the certificate signing requests , exported the .pem , open it with notepad , and in the CA webpage , i signed it with a template that gives me both EKU client and server authen , must be there for inline to authenticate , there s another combination that work as well , but i use both EKU enable , IT WILL NO WORK WITHOUT IT , then you go for bind ca , Mark the option in both 2 check box and that s it , go for admnistration - deployment and add the node , if you are using epa tls as authentication method , use windows 2003 template for the certificates .
Hope it helps.
I able to done on this job. thanks
But few thing need to highlight
01. cisco doc did not mentioned on need to import on identity cert, self-signed cert.
wasting time and effort on reading the documentation. boo on cisco
Is it this procedure?
Import CA root certificate, make CSR, create certificates on the Administration ISE node.