Cisco Support Community
Community Member

ISE Inline Node

I have an ISE Inline Node that I successfully added to my admin ISE node.  After I added the inline node, I wasn't able to configure it until later.  When I went back to edit the configuration, the admin node says it is not able to communicate with the inline node.  Below is the exact error:

Could not establish secure connection with Inline Posture node. Please be sure that certificates are configured correctly for mutual authentication between this node and the Inline Posture node.

The certificates haven't changed since I initially added the node.  Also I am not able to open an SSL session to the trusted IP of the inline node.  I am not sure if this is normal or not.

1 ACCEPTED SOLUTION

ISE Inline Node

That sounds like the same issue I ran into: the primary will allow you to join the inline node, but as soon as you manage it, it will complain about the certificate. Can you check the EKU for the cert and see if both the server and client authentication are set?

thanks,

Tarik Admani
*Please rate helpful posts*

5 REPLIES

ISE Inline Node

Hi,

This is normal. When you change a node to an inline node, the web UI feature is no longer present and all configuration is done through the primary ISE node and through the CLI on the inline node. Did you recently upgrade your deployment? If so, the certificate requirements have changed since 1.0.3...

thanks,

Tarik Admani
*Please rate helpful posts*

Community Member

Re: ISE Inline Node

This is a brand new install.  Both the admin node and the inline policy node are running 1.1.1 with patch 1.  Like I said, I was able to talk to the inline node to add it to the admin node, but then I got busy doing other things and never ran through the setup, and now it won't communicate.  I have tried restarting the inline node, but that didn't help.  I haven't tried restarting the admin node, because that is also a policy node that is being used by other devices.

I am still able to ssh into the inline node.  Are there any commands that I can run to verify the connectivity between inline node and the admin node?

Community Member

ISE Inline Node

It looks like the EKU only lists TLS Web Server Authentication Certificate.  So that is probably my issue.  Did you have to de-register the inline node in order to install a new certificate, or is there a way to handle it through the CLI?

ISE Inline Node

Yes I caught this during the upgrade, so my nodes were already deregistered. Since I was planning on rebuilding my setup I went ahead and reset the configuration (or you can issue the pep switchoutof-pep command - http://www.cisco.com/en/US/docs/security/ise/1.1/cli_ref_guide/ise_cli_app_a.html#wp2150747) in order to rollback the configuration to standalone and make the certificate change.

Just for your reference, here is the link that will help you nail down the cert requirements (Step 3) -

http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp248769

This should do the trick for you!

Tarik Admani
*Please rate helpful posts*

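The EKU check suggested in the accepted answer, as an added example that is not part of the thread or of Cisco's documentation: the script mints two constructed self-signed test certificates with OpenSSL, one carrying only TLS Web Server Authentication (like the poster's) and one carrying both server and client authentication, then reads the Extended Key Usage extension from each the way you would on a cert exported from the node. The CN values and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate two test certs and check whether the
# Extended Key Usage covers both sides of a mutual TLS handshake.
set -e
WORKDIR=$(mktemp -d)

# make_cert <name> <eku list>: self-signed cert via an inline config, so it works
# on OpenSSL versions that lack "req -addext". CN is a constructed placeholder.
make_cert() {
  cat > "$WORKDIR/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $1.example.test
[v3]
extendedKeyUsage = $2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" \
    -config "$WORKDIR/$1.cnf" >/dev/null 2>&1
}

# eku_of <cert>: print the EKU values line (e.g. "TLS Web Server Authentication, ...")
# or nothing when the extension is absent.
eku_of() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1
}

# check_eku <cert>: return 0 only when both server and client authentication are
# present, which is what mutual authentication between admin and inline nodes needs.
check_eku() {
  eku=$(eku_of "$1")
  case "$eku" in
    *"TLS Web Server Authentication"*) ;;
    *) echo "$1: missing TLS Web Server Authentication"; return 1 ;;
  esac
  case "$eku" in
    *"TLS Web Client Authentication"*) ;;
    *) echo "$1: missing TLS Web Client Authentication"; return 1 ;;
  esac
  echo "$1: EKU ok for mutual authentication"
}

make_cert server-only serverAuth               # constructed: reproduces the poster's cert
make_cert mutual "serverAuth,clientAuth"       # constructed: what the requirement calls for

check_eku "$WORKDIR/server-only.pem" || true   # reports the missing client EKU
check_eku "$WORKDIR/mutual.pem"
```

On a real node, run `eku_of` against the exported PEM instead of the constructed certs; both authentication purposes must appear before the admin node can manage the Inline Posture node.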