Author Archives: Abdul Pallarès

ISE 3.1: Can’t import a wildcard certificate into secondary management node

In a simple distributed deployment with two nodes, each running the PAN, MnT and PSN personas, importing a wildcard certificate for the ISE portals fails: the first node imports it correctly, but the certificate is not imported on the second node. Trying to import it again fails with the following error message:

“You are attempting to import/generate/update a certificate which exactly matches with existing certificate in the system having same subject and same public key. Please retry the operation with certificate having either a different subject or a different public key than existing certificate.”

To solve this problem, try these steps:

  1. Create a self-signed certificate and move the Portal, EAP and any other usage enabled on the wildcard certificate to it.
  2. The affected wildcard certificate now shows as "Not in use".
  3. Delete the affected "Not in use" wildcard certificate and import it again without selecting any usage.
  4. The certificate should now be imported on all nodes.
  5. Open the newly imported wildcard certificate, edit it and assign the Portal usage and any other desired usage to it.
  6. Remove all certificates that are not in use.

Hope that this helps others to solve this issue.

802.1X authentication by certificate error in ISE

A customer complains about user authentication failures with 802.1X certificate authentication, with the following error in the ISE Live Logs:

OpenSSLErrorMessage SSL alert: code=0x22E=558 ; source=local ; type=fatal ; message="certificate unknown.ssl/statem/statem_srvr.c:3800 error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed [error=337100934 lib=20 func=380 reason=134]"

There is not much documentation about this error out there. This FreeRADIUS mailing-list thread points to the certificate EKU as the problem. Note that the error comes from OpenSSL's server-side TLS state machine (statem_srvr.c), so it is ISE rejecting the client certificate, and reason 134 (SSL_R_CERTIFICATE_VERIFY_FAILED) is generic: it does not tell you which X.509 check failed, so compare a working and a failing certificate rather than guess. Since machine authentication by certificate was working properly at the customer, after comparing the certificates and running some tests with the EKU properties, we solved the problem simply by removing the critical flag from the EKU extension of the user certificates (RFC 5280 allows the EKU extension to be either critical or non-critical).

Once the EKU extension is configured as non-critical, certificate authentication for users works properly. This behaviour was seen on iPhones and the Avaya softphone, and probably affects other devices and software that use the OpenSSL libraries for certificate validation.
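As an added example (not part of the original post), the following Python script, using only the standard library, encodes an Extended Key Usage extension with and without the critical flag and parses it back, so you can see exactly which bytes the flag adds and check a DER-encoded extension for both the flag and the clientAuth purpose. The OIDs are the standard RFC 5280 values; the sample extensions are constructed here, not taken from a customer certificate.

```python
# Added example (not from the original post): Extended Key Usage extension
# encoder/parser using only the standard library, to show what the
# "critical" flag changes and to check a DER-encoded extension for it.

OID_EKU = "2.5.29.37"                  # id-ce-extKeyUsage
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth


def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return _tlv(0x06, bytes(body))


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_eku_extension(purposes, critical):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }; extnValue wraps SEQUENCE OF purpose OIDs."""
    eku = _tlv(0x30, b"".join(encode_oid(p) for p in purposes))
    body = encode_oid(OID_EKU)
    if critical:
        body += b"\x01\x01\xff"  # BOOLEAN TRUE; DER omits the DEFAULT FALSE value
    body += _tlv(0x04, eku)
    return _tlv(0x30, body)


def parse_eku_extension(der):
    """Return (critical, [purpose OIDs]) from a DER-encoded EKU Extension."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_body, pos = _read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid_body) != OID_EKU:
        raise ValueError("not an extKeyUsage extension")
    critical = False
    tag, value, pos = _read_tlv(body, pos)
    if tag == 0x01:                      # optional critical BOOLEAN
        critical = value != b"\x00"
        tag, value, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    _, seq, _ = _read_tlv(value, 0)
    purposes, pos = [], 0
    while pos < len(seq):
        _, oid_body, pos = _read_tlv(seq, pos)
        purposes.append(decode_oid(oid_body))
    return critical, purposes


def eku_findings(der):
    """Points to check when a client certificate is rejected at EAP-TLS."""
    critical, purposes = parse_eku_extension(der)
    findings = []
    if critical:
        findings.append("EKU is marked critical")
    if OID_CLIENT_AUTH not in purposes:
        findings.append("EKU does not include clientAuth")
    return findings


if __name__ == "__main__":
    # Constructed sample extensions, not taken from a real certificate.
    failing = encode_eku_extension([OID_CLIENT_AUTH], critical=True)
    fixed = encode_eku_extension([OID_CLIENT_AUTH], critical=False)
    print(failing.hex())  # the 01 01 ff right after 06 03 55 1d 25 is the critical flag
    print(fixed.hex())
    print(eku_findings(failing), eku_findings(fixed))
```

On a real certificate you do not need to parse DER by hand: openssl x509 -in user.pem -noout -text prints "X509v3 Extended Key Usage: critical" when the flag is set, and openssl asn1parse shows the same 01 01 ff BOOLEAN the script emits; the point of the script is to make clear that the fix only removes that one element, the list of purposes is unchanged.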

Check the anti-malware signature update process from the CLI on Check Point Endpoint Server

If the anti-malware signature updates don't work, you can get more detail by running the update from the CLI. To do that, open two SSH sessions; in the first one run:

cd $UEPMDIR/engine/conf/updates/bin/kav8
./keepup2date8.sh --download --simplelic --xmlfile confZLToProduction.xml --journal update.log

And in the other one follow the log file (tail -f works too if tailf is not available):

tailf update.log

Of course, you can also run everything in a single SSH session and read the log once the update process has finished.

Check Point: Remote Access VPN users receive IP addresses that are allocated in ipassignment.conf

After adding IP addresses to $FWDIR/conf/ipassignment.conf, you may observe in SmartLog that those IP addresses are being assigned to other users. If you run into this problem, you have to use different networks for the Office Mode pool and for ipassignment.conf, either by subnetting the Office Mode address pool or by using a separate network for the fixed assignments.

Once you have different networks configured, if Anti-Spoofing is enabled on the Internet interface, you must add the network used in $FWDIR/conf/ipassignment.conf to the Anti-Spoofing exceptions for that interface.
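As an added example (not from the original post), this Python script, standard library only, reads entries in the column layout I take ipassignment.conf to use (gateway or *, type addr/range/net, address, user or group; that layout and the file content are assumptions constructed for the example, so check it against the comments in your own file), reports every fixed assignment that falls inside a given Office Mode pool, and lists the networks you would add as Anti-Spoofing exceptions. It goes a bit beyond the post by handling ranges and networks as well as single addresses.

```python
# Added example (not from the original post): check that the addresses fixed
# in ipassignment.conf stay outside the Office Mode pool, and list the
# networks that need an Anti-Spoofing exception on the Internet interface.
import ipaddress

# Constructed sample. The column layout is an assumption about the file:
#   <gateway or *>  <addr|range|net>  <ip | first-last[/mask] | cidr>  <user or group>
SAMPLE_IPASSIGNMENT = """
# Office Mode fixed assignments (constructed for this example)
*        addr   10.10.20.5                      alice
*        range  10.10.20.10-10.10.20.19/24      vpn-admins
gw-main  net    10.10.30.0/24                   finance
*        addr   10.10.40.7                      bob
"""


def parse_ipassignment(text):
    """Return a list of (gateway, kind, [networks], who) for each entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed line: %r" % raw)
        gateway, kind, target, who = fields[:4]
        if kind == "addr":
            nets = [ipaddress.ip_network(target)]            # single host -> /32
        elif kind == "range":
            first, last = target.split("/", 1)[0].split("-")  # drop optional /mask
            nets = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
        elif kind == "net":
            nets = [ipaddress.ip_network(target, strict=False)]
        else:
            raise ValueError("unknown type %r in line: %r" % (kind, raw))
        entries.append((gateway, kind, nets, who))
    return entries


def find_pool_conflicts(text, office_mode_pool):
    """Return (who, network) for every fixed assignment inside the OM pool."""
    pool = ipaddress.ip_network(office_mode_pool, strict=False)
    conflicts = []
    for _, _, nets, who in parse_ipassignment(text):
        conflicts.extend((who, str(n)) for n in nets if n.overlaps(pool))
    return conflicts


def antispoofing_exceptions(text):
    """Networks from ipassignment.conf to add as Anti-Spoofing exceptions."""
    nets = [n for _, _, ns, _ in parse_ipassignment(text) for n in ns]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    # A pool of 10.10.20.0/24 overlaps alice and vpn-admins; 10.10.50.0/24 is clean.
    for pool in ("10.10.20.0/24", "10.10.50.0/24"):
        print(pool, find_pool_conflicts(SAMPLE_IPASSIGNMENT, pool))
    print(antispoofing_exceptions(SAMPLE_IPASSIGNMENT))
```

Run it with the Office Mode pool you have configured on the gateway: any line it prints under that pool is an address that the pool can also hand out dynamically, which is exactly the symptom described above. The collapsed list it prints last is what to add as exceptions if Anti-Spoofing is enabled on the Internet interface.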