topic Hi, in Network Access Control

Changing domain name in the ISE

muhsi_2015 — Mon, 11 Mar 2019 07:27:33 GMT

Hi,

I have two ise primary and secondary .Both are already joined to test.local . with self signed certificate
Now want to use external CA

In my DNS i have zone for test.com

So here is the step I am going to use

Create an A record for ise01.test.com ,ise02.test.com in the DNS forward zone

Go to deployment deregister the second ise .

goto ise console : type ip domain-name test.com

Do it in both ise

generate csr

Please tell me the above steps are valid

Thanks

Hi,

Gagandeep Singh — Tue, 14 Feb 2017 00:03:50 GMT

Hi,

Recommendation is to separate the nodes and change the hostname accordingly.

Following things need to be take care of :

1) Please note that we would need to re-generate the internal CA certificate chain after the hostname change for the ISE internal CA to continue issuing certificates.

2) Disjoin and rejoin the ISE -AD for new connection.

Changing hostname on ISE:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_011.html#ID686

Regards

Gagan

PS: rate if it helps!!!!

Hi,

muhsi_2015 — Tue, 14 Feb 2017 06:59:14 GMT

Hi,

basically I am not changing the hostname(ise01,ise02) or domain name (test.local).
The purpose is , to avoid the certificate error when guest portal accessing .
So for guest portal I will use certificate from external CA ,and for the EAP from the our local internal ca
Could you provide detailes

Thanks

During Portal communication,

Gagandeep Singh — Tue, 14 Feb 2017 18:36:51 GMT

During Portal communication, PSN sends the portal certificate. In order to avoid certificate warning, you need to trust the CA with intermediate by putting it in the trusted list of client.

Let me know if you need anything specific to that.

Regards

Gagan

PS : rate if it helps!!!!

If you are only changing the

nspasov — Tue, 14 Feb 2017 18:39:30 GMT

If you are only changing the domain in CLI then you don't need to remove the AD integration inside the ISE application. With that said, the steps that you have listed are correct. A couple of things to note here:

- The nodes will restart when you deregister them from the cluster

- The nodes will restart when you register them back in

- The nodes will restart when you change the domain name

- If you are getting a wildcard certificate, you won't be able to use it for EAP based authentications

I hope this helps!

Thank you for rating helpful posts!

Hi,

muhsi_2015 — Wed, 15 Feb 2017 08:44:41 GMT

Hi,

Thank you all ,I have elaborated the steps a bit . Please need your feedback
The purpose is changing the domain name (test.local ) to test.com while ise remain joined in test.local like a member server .
So the guest users won't get certificate warning .

Presently installed self signed certificate
Domain Name :test.local
ise joined in test.local

step 1 :
creating A records and CNAME records in the forward lookup zone test.com

create A records in ise01 192.168.10.100(ise01.test.com)
verify ise01.test.com will resolve to 192.168.10.100

create A records in ise01 192.168.10.101 (ise02.test.com)
verify ise01.test.com will resolve to 192.168.10.101

SAN -DNS CNAME

for SAN create a DNS CNAME record ise.test.com 192.168.10.100
verify ise.test.com will resolve to 192.168.10.100

step 2 :

Removing the node from the cluster (ise02 )
-------------------------------------
Deregister ise02 from the cluster ,The node will restart

step 3 :

Changing Domain name using cli
------------------------------------

once back go to cli type : ip domain-name test.com , the node will restart

Generate csr ise02 . Here I will choose Admin Type ,So I can use for EAP and portal ( guest and admin portal )

go to ISE01
cli type : ip domain-name test.com , the node will restart

Generate csr ise02 . Here I will choose Admin Type ,So I can use for EAP and portal ( guest and admin portal )

step 4 :
Importing certificate to ise and Bind

ise01
go back into the “Certificate Signing Requests” page. Select the CSR saved and click “Bind Certificate”.

ise02
go back into the “Certificate Signing Requests” page. Select the CSR saved and click “Bind Certificate”.

We don't import root CA since ise already has the external CA certificate .

step5 :

Reregister to the cluster .
When reregistering what should be the name ? ise02.test.local or ise02.test.com

Finally am i missing something

Thanks

I think you are good !!! It

Gagandeep Singh — Fri, 17 Feb 2017 02:53:19 GMT

I think you are good !!! It should work for you as per steps mentioned by you.

Regards

Gagan

rate if it helps!!!!

Dear gagan ,

muhsi_2015 — Fri, 17 Feb 2017 07:46:10 GMT

Dear gagan ,

I am stuck at this point ,

step 3 :

Changing Domain name using cli
------------------------------------

once back go to cli type : ip domain-name test.com , the node will restart

Generate csr ise02 . Here I will choose Admin Type ,So I can use for EAP and portal ( guest and admin portal )

I tried to create csr here , but there is no option for csr

Thanks

You can generate certificate

Gagandeep Singh — Sat, 18 Feb 2017 19:52:17 GMT

You can generate certificate for Multi-use. Using Multi-use, you can assign a single certificate for multiple services.

Administration > System > Certificates > Certificate Signing REquests

Once you generate the CSTR, present it to external CA and get server certificate.

Come at same page and bind it by selecting the CSR.

Regards

Gagan

PS: rate if it helps!!!!