Cisco Support Community
Community Member

ISE deployment

Hi guys.

I'm trying to set up two Cisco ISE appliances, primary and secondary. Everything is fine. I import the self-signed cert from the secondary to the primary and life is good.

But... I thought if I make the secondary node PRIMARY only for MONITORING it would be better for CPU and all that. When I do that and go to the Dashboard I get an error saying untrusted because the secondary node has a self-signed cert. It won't let me see the dashboard. Anyone had this problem?!?

I do not have a CA cert. Maybe if I use VeriSign or GoDaddy certs this would work. We have those spare and they are cheap, and those certs would help for clients not to see the "continue anyway" stuff and so on.

Sent from Cisco Technical Support iPhone App

6 REPLIES

ISE deployment

Hi,

No need to worry, it is because the reports that are displayed are from the secondary node, so the browser rejects the content. As a workaround, log back into the secondary node using the FQDN or the CN for the cert name and trust the self-signed cert. Once you log back into the primary you will see the content displayed again.

thanks,

Tarik Admani
*Please rate helpful posts*

Community Member

Re: ISE deployment

Hi. Thanks. I'm going to VPN in now. You still think it's a good idea to have the secondary node for monitoring?

What about the VeriSign cert?

Sent from Cisco Technical Support iPhone App

ISE deployment

The VeriSign cert is a good idea to go with. Just remember that ISE does not support wildcard certificates, so you will have to generate a CSR from ISE and will need it signed.

Here is a sample of how to create a CSR - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html#wp1077292

thanks,

Tarik Admani
*Please rate helpful posts*
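
The two replies above turn on three certificate properties: whether the name typed in the browser matches the cert's CN, whether the cert is self-signed, and whether it is a wildcard. The following check is an added example, not part of the original thread; it assumes certificate dictionaries in the format returned by Python's `ssl.SSLSocket.getpeercert()`, and all hostnames and certificate values are constructed samples.

```python
# Certificate dicts use the documented ssl.SSLSocket.getpeercert() layout.
# Every name and value below is a constructed sample, not from the thread.
SECONDARY_CERT = {  # self-signed cert of a hypothetical secondary node
    "subject": ((("commonName", "ise-secondary.example.com"),),),
    "issuer": ((("commonName", "ise-secondary.example.com"),),),
}
WILDCARD_CERT = {  # CA-signed wildcard cert (hypothetical issuer)
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

def common_names(cert, field):
    """Return the commonName values from the 'subject' or 'issuer' field."""
    return [v for rdn in cert.get(field, ()) for (k, v) in rdn if k == "commonName"]

def cert_dns_names(cert):
    """Names the cert is valid for: SAN DNS entries, else the subject CN."""
    san = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    return san or common_names(cert, "subject")

def is_self_signed(cert):
    """Heuristic: subject equals issuer (the signature itself is not verified)."""
    return cert.get("subject") == cert.get("issuer")

def has_wildcard(cert):
    return any(name.startswith("*.") for name in cert_dns_names(cert))

def host_matches(cert, host):
    """Exact, case-insensitive match of the URL host against the cert names.
    Wildcard patterns are deliberately not expanded, because the reply above
    says ISE does not accept wildcard certificates."""
    host = host.rstrip(".").lower()
    return any(host == name.rstrip(".").lower() for name in cert_dns_names(cert))

def review(cert, host):
    """List the findings that explain a browser warning or a rejected cert."""
    findings = []
    if not host_matches(cert, host):
        findings.append("name-mismatch")
    if is_self_signed(cert):
        findings.append("self-signed")
    if has_wildcard(cert):
        findings.append("wildcard")
    return findings

if __name__ == "__main__":
    for host in ("ise-secondary.example.com", "10.0.0.12"):
        print(host, review(SECONDARY_CERT, host))
    print("wildcard", review(WILDCARD_CERT, "ise-secondary.example.com"))
```

A result of only `self-signed` corresponds to the case where trusting the certificate once in the browser is enough; `name-mismatch` means the node was reached by a name other than the one in the certificate.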

Community Member

ISE deployment

You, sir, you are the man. 100x thanks.

Thoughts on secondary ISE as monitor primary?

ISE deployment

That is the way I usually deploy ISE for my customers; it helps, like you mentioned, balance the processing and CPU cycles between the two nodes.

Tarik Admani
*Please rate helpful posts*

Community Member

ISE deployment

Alright, thanks dude, I really appreciate it.

Take care.
