topic ISE DNS CNAME Requirement in Network Access Control

ISE DNS CNAME Requirement

dvan — Wed, 10 Aug 2016 06:24:25 GMT

Hi,

In the ISE 2.0 Admin guide, there is a statement about a DNS CNAME record requirement for each ISE node:

Extract:

You need to add Canonical Name (CNAME) record of the ISE hostname to the DNS. Ensure that you create CNAME RR along with the A record for each Cisco ISE node. If CNAME record is not created, it might result in the alarm ‘DNS Resolution failed for CNAME <hostname of the node>’.

Other than an alarm being raised, what other functionality is impacted by the absence of a CNAME record (assume A & PTR records do exist)?

I have come across an example where a DNS server doesn't support the same value in the A and CNAME fields...

Thanks,

Denis

Re: ISE DNS CNAME Requirement

kthiruve — Wed, 10 Aug 2016 20:35:35 GMT

Hi,

Please see the usage of CNAME that is explained nicely here.

https://www.networking4all.com/en/support/domain+names/dns/cname-records/

CNAME is an alias name used in certain situations, for eg: you use wild cards in your certificates that ISE supports (or) you have to renew certificates and change the names constantly. It is for easier DNS management.

The key is that DNS resolution between ISE nodes and between endpoints and ISE nodes need to work consistently. This is a tool to make it work.

Thanks

Krishnan

Re: ISE DNS CNAME Requirement

hslai — Wed, 10 Aug 2016 20:47:33 GMT

That paragraph is a bit misleading. If an A record exists for an ISE node, there is no need for a CNAME record created for it, unless setting up an FQDN for ISE sponsor portal, etc.

As a matter of facts, I would consider it a misconfiguration if both A and CNAME point to the same FQDN.

I logged a doc bug -- CSCva87189

Re: ISE DNS CNAME Requirement

dvan — Thu, 11 Aug 2016 05:34:38 GMT

Thanks for the clarification Hsing-Tsu