cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2462
Views
0
Helpful
3
Replies
Highlighted
Contributor

unable to register ISE inline posture node

Hi all,

i'm stuck at registering inline posture node to primary node.

I doing fresh install both ISE appliance using version 1.1.1, patched all 3 available patach version after install.

AD and DNS were perfectly configure, ping using hostname able to resolve

Everything  set, so both PSN and iPEP generate CSR and ready to let CA server to  signed. But anyway this is the outcome i get Error message "Unable to  authenticate. please check server and CA certificate."

my question:

01.

- What certificate template to be use primary node and inline posture node?

I  having problem the CA certsrv won't show computer template for inline  posture node. can i use web server template and on the extension include  client autthenticaiton andserver authentication on this case?

- What certficate template use for primay node CSR?

02. According to Cisco ISE user guide 1.1.1, it mentioned "Creating certificate trust list in Primary ISE Node"

So  first action is importing Root and CA certificate . my rootCA.cer  import to certification operation \ certifcate store, while CSR  generated then Bind CA certificate.

question, should i check anything like "Tust for client authentication" checkbox or any other option to be check?

How about Inline Posture node, should i export the CA certificate and import to primary node's certificate store?

i am stuck,need guidance , thanks

Noel

3 REPLIES 3
Highlighted

Hi ,

I will try to explain the process i went through , iimported the root certificate  to local certificates , marked for client authen anyway , then i generate the certificate signing requests , exported the .pem , open it with notepad , and in the CA webpage , i signed it with a template that gives me both EKU client and server authen , must be there for inline to authenticate , there s another combination that work as well , but i use both EKU enable , IT WILL NO WORK WITHOUT IT , then you go for bind ca , Mark the option in both 2 check box and that s it , go for admnistration - deployment and add the node , if you are using epa tls as authentication method , use windows 2003 template for the certificates .

Hope it helps.

Highlighted

Hi Eduardo,

I able to done on this job. thanks

But few thing need to highlight

01. cisco doc did not mentioned on need to import on identity cert, self-signed cert.

wasting time and effort on reading the documentation. boo on cisco

Highlighted

Is it this procedure?

http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp381494

Step 3

Import CA root certificate, make CSR, create certificates on the Administration ISE node.

Content for Community-Ad