ISE Inline Node

conleya (Level 1)

I have an ISE Inline Node that I successfully added to my admin ISE node.  After I added the inline node, I wasn't able to configure it until later.  When I went back to edit the configuration, the admin node says it is not able to communicate with the inline node.  Below is the exact error:

Could not establish secure connection with Inline Posture node. Please be sure that certificates are configured correctly for mutual authentication between this node and the Inline Posture node.

The certificates haven't changed since I initially added the node.  Also I am not able to open an SSL session to the trusted IP of the inline node.  I am not sure if this is normal or not.

5 Replies

Tarik Admani (VIP Alumni)

Hi,

This is normal. When you change a node to an inline node, the web UI feature is no longer present and all configuration is done through the primary ISE node and through the CLI on the inline node. Did you recently upgrade your deployment? If so, the certificate requirements have changed since 1.0.3...

thanks,

Tarik Admani
*Please rate helpful posts*

This is a brand new install.  Both the admin node and the inline policy node are running 1.1.1 with patch 1.  Like I said, I was able to talk to the inline node to add it to the admin node, but then I got busy doing other things and never ran through the setup, and now it won't communicate.  I have tried restarting the inline node, but that didn't help.  I haven't tried restarting the admin node, because that is also a policy node that is being used by other devices.

I am still able to ssh into the inline node.  Are there any commands that I can run to verify the connectivity between inline node and the admin node?

That sounds like the same issue I ran into: the primary will allow you to join the inline node, but as soon as you manage it, it will complain about the certificate. Can you check the EKU for the cert and see if both server and client authentication are set?

thanks,

Tarik Admani
*Please rate helpful posts*
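The EKU check suggested above, as an added shell example that is not part of the original thread: it uses the openssl CLI to read a PEM certificate's Extended Key Usage and passes only when both TLS Web Server Authentication and TLS Web Client Authentication are present, which is what mutual authentication between the admin node and the inline posture node needs. The self-signed test certificates and their CN are constructed for the demo, not real ISE certificates.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a certificate's Extended Key
# Usage covers both serverAuth and clientAuth. Requires the openssl CLI.

# Print the EKU value line of a PEM certificate (empty if the extension is absent).
cert_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' | tail -n 1
}

# Succeed (0) only when the certificate carries both EKU purposes.
check_mutual_auth_eku() {
    eku=$(cert_eku "$1")
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "$1: EKU lacks TLS Web Server Authentication"; return 1 ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "$1: EKU lacks TLS Web Client Authentication"; return 1 ;;
    esac
    echo "$1: EKU is suitable for mutual authentication"
    return 0
}

# Constructed self-signed test certificate (hypothetical CN, not an ISE cert).
# $1 = output file prefix, $2 = extendedKeyUsage value for the openssl config.
make_test_cert() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = ise-inline-example.invalid
[ext]
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
        -days 1 -config "$1.cnf" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_test_cert "$WORK/server_only" "serverAuth"                 # like the cert in this thread
make_test_cert "$WORK/server_and_client" "serverAuth,clientAuth"
check_mutual_auth_eku "$WORK/server_only.pem" || true          # reports the missing clientAuth
check_mutual_auth_eku "$WORK/server_and_client.pem"
```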

It looks like the EKU only lists TLS Web Server Authentication Certificate.  So that is probably my issue.  Did you have to de-register the inline node in order to install a new certificate, or is there a way to handle it through the CLI?

Yes I caught this during the upgrade, so my nodes were already deregistered. Since I was planning on rebuilding my setup I went ahead and reset the configuration (or you can issue the pep switchoutof-pep command - http://www.cisco.com/en/US/docs/security/ise/1.1/cli_ref_guide/ise_cli_app_a.html#wp2150747) in order to rollback the configuration to standalone and make the certificate change.

Just for your reference, here is the link that will help you nail down the cert requirements (Step 3) -

http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp248769

This should do the trick for you!

Tarik Admani
*Please rate helpful posts*