ISE deployment

Answered Question
Jul 24th, 2012

Hi guys.

I'm trying to set up two Cisco ISE appliances, primary and secondary. Everything is fine. I import the self-signed cert from the secondary to the primary and life is good.

But... I thought if I make the secondary node PRIMARY only for MONITORING it would be better for CPU and all that. When I do that and go to the Dashboard I get an error saying untrusted because the secondary node has a self-signed cert. It won't let me see the dashboard. Anyone had this problem?!?

I do not have a CA cert. Maybe if I use VeriSign or GoDaddy certs this would work. We have those spare and they are cheap, and those certs would help clients not see the "continue anyway" stuff and so on.



Correct Answer by Tarik Admani about 1 year 9 months ago

The VeriSign cert is a good idea to go with. Just remember that ISE does not support wildcard certificates, so you will have to generate a CSR from ISE and will need it signed.

Here is a sample of how to create a CSR - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html#wp1077292

thanks,

Tarik Admani
*Please rate helpful posts*

Correct Answer
Tarik Admani Tue, 07/24/2012 - 20:41

Hi,

No need to worry, it is because the reports that are displayed are from the secondary node, so the browser rejects the content. As a workaround, log back into the secondary node using the FQDN or the CN for the cert name and trust the self-signed cert. Once you log back into the primary you will see the content displayed again.

thanks,

Tarik Admani
*Please rate helpful posts*
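
A quick check for the situation in the answer above, as an added example that is not part of the original posts: given a node certificate exported as PEM and the name typed into the browser, it reports whether the certificate is self-signed and whether that name matches it. The host name `ise-secondary.example.test`, the file paths and the function names are constructed for illustration, and the `openssl` CLI is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example. Host names and paths are constructed, not from a real deployment.

# Create a throwaway self-signed cert (stand-in for the secondary node's
# certificate exported as PEM).
make_sample_cert() {   # $1 = output dir, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Self-signed here means subject and issuer are the same name.
is_self_signed() {     # $1 = PEM cert
    local subj iss
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Does the name used in the URL match the certificate's SAN/CN?
name_matches() {       # $1 = PEM cert, $2 = host name used in the URL
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Prints "<issuer-kind>,<name-result>" for one cert and one URL host name.
diagnose() {
    local kind=ca-issued name=name-mismatch
    if is_self_signed "$1"; then kind=self-signed; fi
    if name_matches "$1" "$2"; then name=name-ok; fi
    echo "$kind,$name"
}

workdir=$(mktemp -d)
make_sample_cert "$workdir" ise-secondary.example.test
diagnose "$workdir/cert.pem" ise-secondary.example.test   # -> self-signed,name-ok
diagnose "$workdir/cert.pem" ise-secondary                # -> self-signed,name-mismatch
```

A `name-mismatch` result means the browser will still warn on that URL even after the certificate has been trusted, which is why the node is opened by the name in the certificate.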

edondurguti Tue, 07/24/2012 - 20:43

Hi. Thanks. I'm going to VPN in now. Do you still think it's a good idea to have the secondary node for monitoring?

What about the VeriSign cert?


edondurguti Tue, 07/24/2012 - 20:51

You sir, you are the man. 100x thanks.

Thoughts on the secondary ISE as monitoring primary?

Correct Answer
Tarik Admani Tue, 07/24/2012 - 20:57

That is the way I usually deploy ISE for my customers. It helps, like you mentioned, balance the processing and CPU cycles between the two nodes.

Tarik Admani
*Please rate helpful posts*

This Discussion

Posted July 24, 2012 at 7:43 PM