I deployed an ISE primary node and am about to declare the secondary node and inline posture node to the primary. When doing so, I obtain this message: "Unable to authenticate ISE secondary_ise_name. Please check server and CA certificate configuration and try again". I exported the local cert and CA from the primary and tried to import it to both. It does not work; here is the message: "Certificate does not have required key usage (it is a CA certificate and key usage bits for keyEncipherment or keyAgreement are missing)"
Do you have signed certificates installed on these devices, or are these self-signed? If you are trying to join an inline node, the inline node will need a cert that has the Key Usage for client authentication. Here is the documentation that may be useful to you.
Tarik's link is helpful. This will also explain your three options for establishing certificate trust between the ISE nodes, which MUST happen before you register another node to the primary node.
If you are using the default built-in self-signed certs, just export your cert from your ISE secondary and import it into your ISE primary. After that, try registering your secondary ISE again. You should find that you do not get this error.
Happened to me today and after I imported the secondary's cert into the primary, the issue resolved.
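A pre-import check for the condition named in the second error message, as an added example that is not part of the thread and is not Cisco's validation code. The rule is reconstructed from the error text alone; `key_usage_verdict` and `make_cert` are hypothetical helper names, and the test certificates are constructed on the fly with `openssl`.

```shell
#!/usr/bin/env bash
# Assumption: flag a certificate when it is a CA certificate whose keyUsage
# extension lists neither keyEncipherment nor keyAgreement (wording of the error).

key_usage_verdict() {  # key_usage_verdict CERT.pem -> FLAG | PASS | NOT_CA | NO_KEY_USAGE | UNREADABLE
    local text ku
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo "UNREADABLE"; return 0; }
    # The usage bits are printed on the line after the "X509v3 Key Usage" header.
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "NOT_CA"          # the quoted condition only concerns CA certificates
    elif [ -z "$ku" ]; then
        echo "NO_KEY_USAGE"    # RFC 5280: no extension means usage is unrestricted
    elif printf '%s\n' "$ku" | grep -Eq 'Key Encipherment|Key Agreement'; then
        echo "PASS"
    else
        echo "FLAG"            # CA cert restricted to other usages, e.g. signing only
    fi
}

make_cert() {  # make_cert OUT.pem CA:TRUE|CA:FALSE [keyUsage list]; constructed test data
    local out="$1" cnf="$1.cnf"
    {
        printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n'
        printf '[dn]\nCN=constructed-test-cert\n[ext]\nbasicConstraints=critical,%s\n' "$2"
        if [ -n "${3:-}" ]; then printf 'keyUsage=critical,%s\n' "$3"; fi
    } > "$cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -keyout "$out.key" -out "$out" 2>/dev/null
}

tmp=$(mktemp -d)
make_cert "$tmp/ca_sign_only.pem" CA:TRUE  keyCertSign,cRLSign
make_cert "$tmp/ca_with_ke.pem"   CA:TRUE  keyCertSign,cRLSign,keyEncipherment
make_cert "$tmp/leaf.pem"         CA:FALSE digitalSignature,keyEncipherment

for f in "$tmp"/*.pem; do
    printf '%-20s %s\n' "$(basename "$f")" "$(key_usage_verdict "$f")"
done
```

To check a real export, call `key_usage_verdict` on the PEM file exported from the node before importing it elsewhere.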