
Registering a second node - ISE 1.2

Hi guys,

I am trying to register a second node to my primary ISE node. But I am getting the following error:

I did the import/export of certificates on both ISEs.

They can ping each other by IP and FQDN.

Timezones are the same but I do not have NTP active yet. (I think this can be the problem, although they have the same time.)

I did the import/export in the "Local Certificates" tab. I did not use "Certificate Signing Request".

Does anybody know if something has changed in ISE 1.2 and now Local Certificates no longer work?

I also can't add my ISE to AD, but this is another fight.

Any hint will be appreciated!

4 REPLIES

Answering my own question

There were two steps to be made:

- On the ISE secondary, we must create a new admin account and add it to the following groups: System Admin, Super Admin and RBAC Admin.

I was trying to use the admin user I had created in the initial setup.

- Create an ISE certificate. I was using the default ISE certificate. Actually, this may work in some cases, but in my case, in my first setup, my FQDN was incorrect, so the certificate was wrongly generated.

Once I corrected the FQDN and re-generated the certificate, it works!!

Cisco Employee (accepted solution)

Good job on finding a solution to your problem and taking the time to share it with everyone! (+5 from me) :)

For your first step: I am really not sure why you had to perform that step. The username/password that you created during the initial setup (from CLI) should have worked to register the secondary node.

For your second step: You are correct, the FQDN must match otherwise the cert will fail. 

If your issue is resolved please mark this thread as "answered" :)

Thank you for rating helpful posts!

I have found this information here:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html#wp1053327

You can alternatively create an administrator account on the node that is to be registered and use those credentials for registering that node. Every ISE administrator account is assigned one or more administrative roles. To register and configure a secondary node, you must have one of the following roles assigned: Super Admin, System Admin, or RBAC Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.

Looking at Administration > Admin Access > Administrator > Admin User, the default admin created is part of the Superuser admin only. That's why I created a second admin user and put him in the groups above.

Keep in mind that this action is necessary only on the second node and will be used only during the registration.

Built the certificate trust between the two server nodes, after you exchange and install each other's cert.
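The two failure points in this thread (an admin account without a registration-capable role, and a node certificate whose name does not match the FQDN the primary connects to) can both be checked before clicking "Register". The following is an added example, not code from the thread or from Cisco: a small pre-registration checker written against the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns. The hostnames, the sample certificate dictionaries and the `fetch_peercert` helper are assumptions for illustration; the role names come from the ISE documentation quoted above.

```python
"""Pre-registration checks for an ISE secondary node (illustrative, not Cisco code).

Two checks: (1) does the account used for registration hold one of the roles
ISE accepts for registering a node, and (2) does the node's HTTPS certificate
actually cover the FQDN the primary will use. The cert check works on the
dict shape returned by ssl.SSLSocket.getpeercert(), so it runs offline on
captured data and can also be pointed at a live node.
"""
import socket
import ssl

# Roles that may register a node, per the ISE admin guide quoted in the thread.
REGISTRATION_ROLES = {"Super Admin", "System Admin", "RBAC Admin"}


def can_register(admin_groups):
    """True if the account holds at least one role allowed to register a node."""
    return bool(REGISTRATION_ROLES.intersection(admin_groups))


def _label_matches(pattern, hostname):
    """RFC 6125-style name match: case-insensitive, exact or single leftmost wildcard."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    # A wildcard covers exactly one label and never a bare second-level domain.
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def cert_names(peercert):
    """Names the cert is valid for: SAN dNSNames if present, otherwise the subject CN."""
    sans = [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans  # when a SAN is present the CN is ignored (RFC 6125 section 6.4.4)
    return [value for rdn in peercert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def cert_matches_fqdn(peercert, fqdn):
    """Return (ok, detail): does the certificate cover the node's FQDN?"""
    names = cert_names(peercert)
    if any(_label_matches(name, fqdn) for name in names):
        return True, f"{fqdn} matches certificate names {names}"
    return False, (f"{fqdn} is not in certificate names {names}; "
                   "fix the node FQDN and regenerate the certificate")


def fetch_peercert(host, peer_cert_pem, port=443):
    """Fetch a live node's certificate as a getpeercert()-style dict.

    peer_cert_pem is the node's own cert exported and installed as a trust
    anchor, mirroring the cert exchange the thread describes. Hostname
    checking is disabled here only so cert_matches_fqdn can report the
    mismatch in its own words; the chain is still verified (CERT_REQUIRED).
    Assumed helper, not exercised offline.
    """
    ctx = ssl.create_default_context(cafile=peer_cert_pem)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples (assumed names): the cert generated with the wrong
# FQDN during first setup, and the one regenerated after correcting it.
WRONG_FQDN_CERT = {
    "subject": ((("commonName", "ise2.wrongdomain.local"),),),
    "subjectAltName": (("DNS", "ise2.wrongdomain.local"),),
}
GOOD_CERT = {
    "subject": ((("commonName", "ise2.example.com"),),),
    "subjectAltName": (("DNS", "ise2.example.com"),),
}


def run_checks(admin_groups, peercert, fqdn):
    """Run both checks and return a list of (check, ok, detail) rows."""
    role_ok = can_register(admin_groups)
    role_detail = (f"roles {sorted(admin_groups)} include one of {sorted(REGISTRATION_ROLES)}"
                   if role_ok else
                   f"roles {sorted(admin_groups)} lack any of {sorted(REGISTRATION_ROLES)}")
    cert_ok, cert_detail = cert_matches_fqdn(peercert, fqdn)
    return [("admin role", role_ok, role_detail), ("cert FQDN", cert_ok, cert_detail)]


if __name__ == "__main__":
    for check, ok, detail in run_checks({"Super Admin"}, WRONG_FQDN_CERT, "ise2.example.com"):
        print(f"[{'OK' if ok else 'FAIL'}] {check}: {detail}")
```

Run it as-is and the second row fails with the old certificate's names listed, which is the symptom the original poster hit; swap in `GOOD_CERT` and both rows pass. To run it against a real node, call `fetch_peercert("ise2.example.com", "ise2.pem")` with the cert you exported from that node and feed the result to `run_checks`.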
