Cisco ISE disconnected node

assers001
Level 1

ISE nodes in the deployment were disconnected after changing the self-signed certificate to a CA wildcard certificate.

When I tried to register ISE I got the error below. Can someone help me solve it, please?

Unable to authenticate ISE (xxxise) Please check certificate configuration.
Make sure from 'Primary Admin node', system certificate chain of registering node is present in 'Trusted certificates' and is enabled with 'Trust for authentication within ISE' option selected

1 Deregister and register are incomplete due to the above error.
2 The Sync icon does not work.
3 The CA wildcard certificate is present in System Certificates on all nodes, and in Trusted on the primary node.
4 As I understand it, I need to have the root CA certificate in Trusted Certificates. Can someone correct me if I am wrong?

 

BR

Accepted Solutions

balaji.bandi
Hall of Fame

What is the version of ISE? Is this a local CA, or signed by the public CA server?

Were the certs used before from the same CA, or was the local CA changed and a wildcard generated?

If the local CA changed, you need to add the root CA to ISE to trust.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html

 

 

BB
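
The chain check that the error message asks for can be reproduced offline with `openssl` before registering the node again. This is an added example, not part of the original thread and not Cisco tooling; the CA names, `*.example.test` and all file names are constructed, and it assumes the trust bundle would in practice be the CA certificates exported from the primary node's Trusted Certificates.

```shell
#!/usr/bin/env bash
# Added example; file names and CA names below are constructed.

# chain_trusted TRUST_BUNDLE NODE_CERT [INTERMEDIATES]
# Exit 0 only if NODE_CERT chains to a CA in TRUST_BUNDLE. -no-CApath keeps
# the OS CA directory out of the check, so a public root known to the
# workstation cannot mask an entry missing from the bundle.
chain_trusted() {
  local bundle=$1 cert=$2 inter=${3:-}
  openssl verify -no-CApath -CAfile "$bundle" \
    ${inter:+-untrusted "$inter"} "$cert" >/dev/null 2>&1
}

# make_demo DIR: constructed test material, not real ISE certificates.
#   old-ca.pem  CA the deployment trusted before the change
#   new-ca.pem  CA that signed the wildcard CSR
#   node.pem    wildcard certificate issued by new-ca
make_demo() {
  local d=$1 name
  cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  for name in old new; do
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=Constructed $name CA" \
      -keyout "$d/$name-ca.key" -out "$d/$name-ca.pem" 2>/dev/null || return 1
  done
  openssl req -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=*.example.test" \
    -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/node.csr" -CA "$d/new-ca.pem" \
    -CAkey "$d/new-ca.key" -CAcreateserial -days 1 \
    -out "$d/node.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
for ca in old new; do
  chain_trusted "$demo_dir/$ca-ca.pem" "$demo_dir/node.pem" \
    && echo "bundle=$ca-ca.pem: chain trusted" \
    || echo "bundle=$ca-ca.pem: chain NOT trusted"
done
```

When the issuing CA uses an intermediate, pass the intermediate certificates as the third argument so that only the root has to be in the bundle.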



Hi,

What is the version of ISE? Version: 2.6.0.156, Patch Information: 7

Is this a local CA or signed by the public CA server? Public CA, signed by a third party.

Were the certs used before from the same CA? Not used by ISE before.

Or was the local CA changed and a wildcard generated? We generated a wildcard CSR and sent it to the CA.

If the local CA changed you need to add root CA to ISE to trust.

 

BR

I would compare the primary node with the other nodes for the Cisco certificate below; also make sure the domain has not changed from previous to now.

[Screenshot: balajibandi_0-1672568639220.png]

 

BB


Hi

The temp solution to restore the deployment: I deregistered the secondary node and made it standalone, then generated a self-signed admin cert and re-registered the node to the deployment.