10-20-2012 01:55 AM - edited 03-10-2019 07:41 PM
Hi all,
I'm stuck at registering the inline posture node to the primary node.
I did a fresh install of both ISE appliances using version 1.1.1, and applied all 3 available patch versions after install.
AD and DNS were perfectly configured; ping using hostname is able to resolve.
Everything is set, so both PSN and iPEP generated CSRs and were ready for the CA server to sign. But anyway, this is the outcome I get: the error message "Unable to authenticate. please check server and CA certificate."
My questions:
01.
- What certificate template should be used for the primary node and the inline posture node?
I'm having a problem: the CA certsrv won't show the computer template for the inline posture node. Can I use the web server template and include client authentication and server authentication in the extension in this case?
- What certificate template is used for the primary node CSR?
02. According to the Cisco ISE user guide 1.1.1, it mentions "Creating certificate trust list in Primary ISE Node".
So the first action is importing the root and CA certificates. My rootCA.cer is imported to certification operation \ certificate store, while the CSR is generated and then Bind CA certificate.
Question: should I check anything like the "Trust for client authentication" checkbox, or any other option?
How about the inline posture node: should I export the CA certificate and import it to the primary node's certificate store?
I am stuck and need guidance, thanks.
Noel
11-10-2012 06:12 AM
Hi ,
I will try to explain the process I went through. I imported the root certificate to local certificates and marked it for client authentication anyway. Then I generated the certificate signing requests, exported the .pem, opened it with Notepad, and in the CA webpage I signed it with a template that gives me both EKUs, client and server authentication, which must be there for inline to authenticate. There's another combination that works as well, but I use both EKUs enabled. IT WILL NOT WORK WITHOUT IT. Then you go for bind CA, mark the option in both check boxes, and that's it. Go to Administration - Deployment and add the node. If you are using EAP-TLS as the authentication method, use the Windows 2003 template for the certificates.
Hope it helps.
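
The reply above hinges on the issued certificate carrying both the client and server authentication EKUs. As an added example that is not part of the original post, this script checks a PEM certificate for both EKUs before it is bound. It assumes OpenSSL 1.1.1 or later is available on an admin workstation; the function names, file names and the `ipep.example.test` subject are constructed for the demo.

```shell
#!/bin/sh
# Added example: confirm a CA-issued certificate has both EKUs before binding it.

# list_ekus CERT.pem -> prints the Extended Key Usage values of a PEM certificate
# (prints nothing if the certificate has no EKU extension)
list_ekus() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# has_both_ekus CERT.pem -> exit 0 only if server AND client authentication are present
has_both_ekus() {
    ekus=$(list_ekus "$1")
    case "$ekus" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
    case "$ekus" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
    return 0
}

# make_sample_cert OUT.pem EKU_LIST -> constructed self-signed certificate for the demo;
# in practice the input is the certificate returned by your CA
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ipep.example.test" \
        -keyout "${1%.pem}.key" -out "$1" \
        -addext "extendedKeyUsage=$2" 2>/dev/null
}

# Demo: one certificate with both EKUs, one issued from a web-server-only template
tmp=$(mktemp -d)
make_sample_cert "$tmp/both.pem" "serverAuth,clientAuth"
make_sample_cert "$tmp/web.pem" "serverAuth"
for c in "$tmp/both.pem" "$tmp/web.pem"; do
    if has_both_ekus "$c"; then
        echo "$c: OK (both EKUs present)"
    else
        echo "$c: missing EKU, found: $(list_ekus "$c")"
    fi
done
rm -rf "$tmp"
```
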
11-11-2012 04:23 PM
Hi Eduardo,
I was able to get this job done. Thanks.
But a few things need to be highlighted:
01. Cisco doc did not mention the need to import the identity cert, self-signed cert.
Wasting time and effort on reading the documentation. Boo on Cisco.
01-20-2013 05:20 PM
Is it this procedure?
http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp381494
Step 3
Import CA root certificate, make CSR, create certificates on the Administration ISE node.