topic Re: ISE HA and CA deployment without a DNS server in Network Access Control

ISE HA and CA deployment without a DNS server

yfukudom — Tue, 09 Feb 2016 21:29:11 GMT

Could someone let me know any notice to take prior to ISE deployment in HA, where no DNS server is deployed?

ISE is also expected to publish client certificates for EAP-TLS auth.

Re: ISE HA and CA deployment without a DNS server

Aaron Woland — Tue, 09 Feb 2016 23:13:55 GMT

I'm very confused by your query..

What does EAP-TLS auth have to do with DNS?

Please see my blog post on how certificate authentications work here: http://www.networkworld.com/article/2226498/infrastructure-management/simply-put-how-does-certificate-based-authentication-work.html

Is your concern about querying the OCSP service?

Always keep in mind that DNS is a mission-critical application for networking, in general. It will be needed for Active Directory - even simple web browsing.

-Aaron

Re: ISE HA and CA deployment without a DNS server

yfukudom — Tue, 09 Feb 2016 23:30:13 GMT

The partner who is asking deploys closed/separated LAN for hospitals as design, where there has been no DNS/AD server, from cost-reduction perspective.

-Dome

Re: ISE HA and CA deployment without a DNS server

Aaron Woland — Tue, 09 Feb 2016 23:34:26 GMT

So the endpoint has NO DNS resolution. That still won't effect the EAP-TLS authentication. It WILL however, impact all advanced services that use URL redirection - (WebAuth, GUEST, MDM, etc.). Are those type services being deployed?

-Aaron

Re: ISE HA and CA deployment without a DNS server

yfukudom — Tue, 09 Feb 2016 23:43:27 GMT

There are only web/application/DB servers and file servers inside the LAN. All hostnames needed to be resolved by client hosts are written in local hosts file.

(Updates)

A partner is building up this environment for a testing required prior to proposal, but has been facing to an issue when shutting down the primary ISE, expecting the secondary one takes over all roles of primary one. While shutting down the primary, no EAP-TLS authentication is succeeded as the partner claims. Some consideration in ISE configuration seems to be needed and any comments would be greatly appreciated.

Re: ISE HA and CA deployment without a DNS server

Cory Peterson — Wed, 10 Feb 2016 15:13:17 GMT

You can get around the DNS/FQDN requirement in ISE HA by using the ip host configuration command in the ISE CLI. It will require a restart of the ISE services anytime you add host.

In config mode the command is "ip host A.B.C.D ISE-PAN01.example.com"

Re: ISE HA and CA deployment without a DNS server

yfukudom — Fri, 12 Feb 2016 00:43:12 GMT

Thanks for your comment.

I have received a screenshot of the ISE HA status adding to my question, and would like to know another steps to troubleshoot as HA itself seems good.

Re: ISE HA and CA deployment without a DNS server

hslai — Wed, 17 Feb 2016 20:33:15 GMT

Are you able to recreate this issue in your own lab?

No DNS in a deployment is not well supported. DNS can run on a royalty-free Linux or BSD so it would not cause the customer or partner much extra. ISE PoV kit includes a VM to run common network services.

Re: ISE HA and CA deployment without a DNS server

yfukudom — Thu, 18 Feb 2016 08:06:44 GMT

Thanks a lot for comments, folks.

Finally, after installing the certification of secondary ISE server on client hosts, it has worked.