Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1088
Views
5
Helpful
4
Replies

Registering a second node - ISE 1.2

Go to solution
Flavio Miranda
VIP
VIP

‎07-24-2014 02:56 PM - edited ‎03-10-2019 09:53 PM

 Hi guys,

 I am trying to register a second node to my primary ISE node. But, I am getting the following error:

 

 

  I did de import/export certificates in both ISEs. 

They can ping each other by IP and FQDN.

Timezone are the same but I have not NTP active yet.(I thing this can be the problem , although they have the same time ) 

 

I did the import/export in " Local Certificates" tab. I did not use "Certificate Signing Request" .

Anybody know if something has change in ISE 1.2 and now Local Certificates no longer works ?

I also can´t add my ISE to AD, but, this is another fight.

Any hint will be appreciated!

 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Flavio Miranda

‎07-24-2014 10:57 PM

Good job on finding a solution to your problem and taking the time to share it with everyone! (+5 from me) :)

For your first step: I am really not sure why you had to perform that step. The username/password that you created during the initial setup (from CLI) should have worked to register the secondary node.

For your second step: You are correct, the FQDN must match otherwise the cert will fail. 

If your issue is resolved please mark this thread as "answered" :)

View solution in original post

4 Replies 4

Go to solution
Flavio Miranda
VIP
VIP

‎07-24-2014 10:32 PM

Answering my own question

 There were two steps to be made:

 -On ISE secondary, we must create a new admin account and add it to the followinf group: System Admin, Super Admin and RBAC Admin. 

 I was trying to use the user admin a have been created in initial setup.

 

-Create a ISE certificate. I was using the default ISE certificate. Actually, this may work in some case but in my case, in my first setup, my FQDN was incorrect, then, the certificate was wronggly generated,

Once I corrected the FQDN and re-generated the certificate, it works!!

 

 

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Flavio Miranda

‎07-24-2014 10:57 PM

Good job on finding a solution to your problem and taking the time to share it with everyone! (+5 from me) :)

For your first step: I am really not sure why you had to perform that step. The username/password that you created during the initial setup (from CLI) should have worked to register the secondary node.

For your second step: You are correct, the FQDN must match otherwise the cert will fail. 

If your issue is resolved please mark this thread as "answered" :)

Go to solution
Flavio Miranda
VIP
VIP
In response to nspasov

‎07-25-2014 06:27 AM

 

 I have found this information here :

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html#wp1053327

You can alternatively create an administrator account on the node that is to be registered and use those credentials for registering that node. Every ISE administrator account is assigned one or more administrative roles. To register and configure a secondary node, you must have one of the following roles assigned: Super Admin, System Admin, or RBAC Admin. SeeCisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.

 Looking at Adminstration>Admin Access>Administrator>Admin User  The default admin created is part of the Superuser admin only. That´s why I created a second user admin an put him on the groups above.

 Keep in mind that this actions is necessary only on second node and will used only during the registration.

 

 

0 Helpful

Go to solution
Saurav Lodh
Level 7
Level 7

‎07-25-2014 07:07 AM

Built the certificate trust between the two server nodes, after you exchange and instal each other's cert.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents