...
ISE to DNAC integration fails with the following error in DNAC - Failed to connect to ISE node - invalid certificate received from ISE. Note: This might be due to Certificate Authority being disabled on ISE. This issue was initially discovered with DNAC 2.2.2.4 or higher.

Full list of symptoms:

1. Error in DNAC UI - Failed to connect to ISE node - invalid certificate received from ISE. Note: This might be due to Certificate Authority being disabled on ISE
2. DNAC logs show a timeout on the pxGrid client certificate request
3. ISE Internal CA always generates certificates and they appear in Administration > System > Certificates > Certificate Authority > Issued certificates
4. When DNAC requests a pxGrid client certificate, an exception with the following lines is observed in the ise-psc log:

    Caused by: java.lang.NullPointerException
    at java.util.Hashtable.put(Hashtable.java:460)
    at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi$IgnoresCaseHashtable.put(Unknown Source)
    at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineSetCertificateEntry(Unknown Source)
    at java.security.KeyStore.setCertificateEntry(KeyStore.java:1201)
    at com.cisco.cpm.infrastructure.certreqmgmt.util.CertReqUtil.convertToPkcs12Chain(CertReqUtil.java:795)
    at com.cisco.cpm.infrastructure.certreqmgmt.util.CertReqUtil.createZip(CertReqUtil.java:508)

5. pxGrid client certificate generation also fails in the ISE UI with error - Certificate generation failed with exception: null

Analysis performed by engineering found that the customer used a CA-issued certificate for the EAP role on the PPAN. As a result, the chains that need to be added to the packaged certificates zip (the CA chain and the EAP chain) contained the same certificates. ISE is unable to handle this scenario, so the zip with certificates cannot be created.
ISE integration with DNAC 2.2.2.4, when the client pxGrid certificate also cannot be created over the ISE UI, failing with error - Certificate generation failed with exception: null

Primary PAN configured to use an ISE internal CA-signed certificate or an external CA-signed certificate for the EAP role
Move the EAP role on the PPAN to a CA-signed or self-signed certificate
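
A pre-check for the root cause described above (the CA chain and the EAP chain containing the same certificates), as an added example that is not Cisco's code: it fingerprints every certificate in two exported PEM bundles and lists the ones present in both. The function names and the sample data are assumptions made for this example; the sample blobs are constructed placeholder bytes, not real X.509 certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle):
    """SHA-256 fingerprint of each certificate block in a PEM bundle, in order."""
    return [
        hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
        for body in PEM_RE.findall(pem_bundle)
    ]


def shared_certificates(ca_chain_pem, eap_chain_pem):
    """Fingerprints that occur in both bundles, in CA-chain order, no repeats."""
    eap = set(fingerprints(eap_chain_pem))
    shared = []
    for fp in fingerprints(ca_chain_pem):
        if fp in eap and fp not in shared:
            shared.append(fp)
    return shared


def to_pem(der):
    """Wrap raw bytes in PEM armor (used here only to build the sample input)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed placeholder bytes standing in for DER certificates.
ROOT, SUB = b"constructed root CA", b"constructed issuing CA"
OTHER_ROOT = b"constructed unrelated root CA"
EAP_A, EAP_B = b"constructed EAP leaf A", b"constructed EAP leaf B"

CA_CHAIN = to_pem(SUB) + to_pem(ROOT)
EAP_CHAIN_OVERLAP = to_pem(EAP_A) + to_pem(SUB) + to_pem(ROOT)
EAP_CHAIN_DISTINCT = to_pem(EAP_B) + to_pem(OTHER_ROOT)

if __name__ == "__main__":
    for name, chain in (("overlap", EAP_CHAIN_OVERLAP),
                        ("distinct", EAP_CHAIN_DISTINCT)):
        dup = shared_certificates(CA_CHAIN, chain)
        print(name, "shared certificates:", len(dup))
        for fp in dup:
            print("  sha256", fp)
```

Only the decoded bytes of each PEM block are hashed, so the same functions work on real exported certificate bundles read from files.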