07-24-2014 02:56 PM - edited 03-10-2019 09:53 PM
Hi guys,
I am trying to register a second node to my primary ISE node. But, I am getting the following error:
Unable to authenticate ISE xxxx.. Please check server and CA certificate configuration and try again.
I did the import/export of certificates in both ISEs.
They can ping each other by IP and FQDN.
The time zones are the same, but I do not have NTP active yet. (I think this could be the problem, although they have the same time.)
I did the import/export in the "Local Certificates" tab. I did not use "Certificate Signing Request".
Does anybody know if something has changed in ISE 1.2 so that Local Certificates no longer work?
I also can't add my ISE to AD, but that is another fight.
Any hint will be appreciated!
07-24-2014 10:57 PM
Good job on finding a solution to your problem and taking the time to share it with everyone! (+5 from me) :)
For your first step: I am really not sure why you had to perform that step. The username/password that you created during the initial setup (from CLI) should have worked to register the secondary node.
For your second step: You are correct, the FQDN must match otherwise the cert will fail.
If your issue is resolved please mark this thread as "answered" :)
07-24-2014 10:32 PM
Answering my own question
There were two steps to be made:
- On the ISE secondary, we must create a new admin account and add it to the following groups: System Admin, Super Admin and RBAC Admin.
I was trying to use the admin user I had created in the initial setup.
- Create an ISE certificate. I was using the default ISE certificate. Actually, this may work in some cases, but in my case, in my first setup, my FQDN was incorrect, so the certificate was wrongly generated.
Once I corrected the FQDN and regenerated the certificate, it worked!!
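The FQDN/certificate mismatch described in the answer above, as an added example that is not from the original thread or from Cisco: a POSIX shell script that generates one self-signed certificate for a wrong FQDN and one for the corrected FQDN (the hostnames ise02.example.net and ise02.example.com are hypothetical) and uses openssl's own hostname check to show which one a peer connecting to the real FQDN would accept. It assumes OpenSSL 1.1.1 or newer is on the PATH; the generated certificates stand in for a node's self-generated Local Certificate.

```shell
#!/bin/sh
# Added example (not from the original thread): show why a certificate
# generated for the wrong FQDN fails a peer's hostname check, using openssl.
# Hostnames below are hypothetical; OpenSSL 1.1.1+ is assumed on the PATH.
set -eu

PEER_FQDN="ise02.example.com"    # the name the primary actually resolves and connects to
WRONG_FQDN="ise02.example.net"   # the FQDN mistakenly entered during initial setup

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert <prefix> <fqdn>: self-signed cert with CN and DNS SAN set to <fqdn>,
# standing in for the node's self-generated "Local Certificate".
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# cert_matches_fqdn <cert.pem> <fqdn>: exit 0 only if openssl's hostname
# check (SAN first, CN as fallback) accepts the certificate for <fqdn>.
# openssl prints "Hostname X does match certificate" or "... does NOT match ...".
cert_matches_fqdn() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# cert_names <cert.pem>: print subject and SAN so the mismatch is visible.
cert_names() {
  openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

make_cert wrong "$WRONG_FQDN"
make_cert right "$PEER_FQDN"

for c in wrong right; do
  echo "== $c.crt"
  cert_names "$WORK/$c.crt"
  if cert_matches_fqdn "$WORK/$c.crt" "$PEER_FQDN"; then
    echo "OK: valid for $PEER_FQDN; the peer's certificate check would pass"
  else
    echo "FAIL: not valid for $PEER_FQDN; correct the FQDN and regenerate the certificate"
  fi
done
```

Against a live node, fetch the certificate the node actually presents instead of generating one, for example with `openssl s_client -connect <fqdn>:443 -servername <fqdn>`, save the PEM block it prints, and run the same `openssl x509 -checkhost <fqdn>` on it; if the result is "does NOT match", the registration will fail no matter how the certificates were exported and imported.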
07-25-2014 06:27 AM
I have found this information here :
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html#wp1053327
• You can alternatively create an administrator account on the node that is to be registered and use those credentials for registering that node. Every ISE administrator account is assigned one or more administrative roles. To register and configure a secondary node, you must have one of the following roles assigned: Super Admin, System Admin, or RBAC Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
Looking at Administration > Admin Access > Administrator > Admin User, the default admin created is part of the Superuser admin group only. That's why I created a second admin user and put him in the groups above.
Keep in mind that this action is necessary only on the second node and will be used only during the registration.
07-25-2014 07:07 AM
Build the certificate trust between the two server nodes after you exchange and install each other's cert.