ISE deployment

edondurguti
Level 4

Hi guys.

I'm trying to set up two Cisco ISE appliances, primary and secondary. Everything is fine. I import the self-signed cert from the secondary to the primary and life is good.

But... I thought if I make the secondary node PRIMARY only for MONITORING, it would be better for CPU and all that. When I do that and go to the dashboard, I get an error saying untrusted because the secondary node has a self-signed cert. It won't let me see the dashboard. Anyone had this problem?!?

I do not have a CA cert. Maybe if I use VeriSign or GoDaddy certs this would work. We have those spare and they are cheap, and those certs would help for clients not to see the "continue anyway" stuff and so on.

Sent from Cisco Technical Support iPhone App

6 Replies

Tarik Admani
VIP Alumni

Hi,

No need to worry; it is because the reports that are displayed are from the secondary node, so the browser rejects the content. As a workaround, log back into the secondary node using the FQDN or the CN for the cert name and trust the self-signed cert. Once you log back into the primary, you will see the content displayed again.

Thanks,

Tarik Admani
*Please rate helpful posts*

edondurguti
Level 4

Hi. Thanks. I'm going to VPN in now. You still think it's a good idea to have the secondary node do monitoring?

What about the VeriSign cert?

Sent from Cisco Technical Support iPhone App

The VeriSign cert is a good idea to go with. Just remember that ISE does not support wildcard certificates, so you will have to generate a CSR from ISE and will need it signed.

Here is a sample of how to create a CSR - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html#wp1077292

Thanks,

Tarik Admani
*Please rate helpful posts*
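
Added example, not part of the thread and not Cisco tooling: an `openssl` check of a node certificate for the three conditions the replies above turn on (self-signed, wildcard name, and whether the name typed into the browser matches the CN/SAN). It assumes the node certificate is available as PEM and the `openssl` CLI is installed; the function names, the `example.test` host names and the `192.0.2.10` address are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Names under example.test are constructed.

# dn FILE subject|issuer -> that DN in RFC 2253 form, label stripped
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"; }

# 0 if the cert is its own issuer and its signature verifies with its own key
is_self_signed() {
    [ "$(dn "$1" subject)" = "$(dn "$1" issuer)" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# 0 if the subject CN or a SAN dNSName starts with a wildcard label
has_wildcard() {
    dn "$1" subject | grep -q 'CN=\*' ||
        openssl x509 -in "$1" -noout -text | grep -q 'DNS:\*'
}

# 0 if HOST (the name typed into the browser) matches the cert's CN/SAN
names_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# audit FILE HOST -> space-separated findings on one line, or "ok"
audit() {
    local out=""
    is_self_signed "$1" && out="$out self-signed"
    has_wildcard "$1"   && out="$out wildcard"
    names_host "$1" "$2" || out="$out name-mismatch"
    echo "${out:- ok}" | sed 's/^ //'
}

# Constructed sample input: throwaway self-signed certs for made-up nodes.
make_cert() {  # make_cert OUT.pem CN
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.pem}.key" \
        -out "$1" -subj "/CN=$2" -days 1 2>/dev/null
}

tmp=$(mktemp -d)
make_cert "$tmp/mnt.pem"  "ise-mnt.example.test"
make_cert "$tmp/wild.pem" "*.example.test"
echo "mnt by FQDN: $(audit "$tmp/mnt.pem"  ise-mnt.example.test)"
echo "mnt by IP:   $(audit "$tmp/mnt.pem"  192.0.2.10)"
echo "wildcard:    $(audit "$tmp/wild.pem" ise-mnt.example.test)"
```

A `self-signed` finding means each admin browser has to trust that node's certificate individually, and `name-mismatch` means a trust exception stored for one name will not cover the URL actually used.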

You sir, you are the man. 100x thanks.

Thoughts on secondary ISE as monitor primary?

That is the way I usually deploy ISE for my customers; it helps, like you mentioned, balance the processing and CPU cycles between the two nodes.

Tarik Admani
*Please rate helpful posts*

Alright, thanks dude, I really appreciate it.

Take care.
