topic Re: Affects of Changing the Domain Name in ISE CLI in Network Access Control

Affects of Changing the Domain Name in ISE CLI

cherie13653 — Wed, 20 Nov 2024 19:58:11 GMT

I have a customer that has 2 ISE nodes 3.3 in a deployment. The nodes are VMs. When the nodes were originally configured they used a domain name that they don't really use anymore. Now they want to change the domain name in the CLI of the ISE nodes to their current domain name. (i.e. from abc.com to xyz.com).

They use an CA that is internal to their organization. The current admin/eap/radius dtls certificate has isenode1.abc.com, isenode2.abc.com in the SANs.

They've generated a new CSR with SANs containing isenode1.abc.com, isenode2.abc.com, isenode1.xyz.com and isenode2.xyz.com.

After they bind the new cert to the CSR and get it installed on both nodes, do they need to deregister the secondary node from the deployment prior to changing the domain name in the CLI?

Will changing the domain name affect the current AD Join?

Is there anything else that might be affected?

Does anyone have links to documentation for this process?

Re: Affects of Changing the Domain Name in ISE CLI

ahollifield — Wed, 20 Nov 2024 22:01:29 GMT

Yes, since the DNS name will change.
Yes, hostname changes require AD re-join
Services will restart
Use reset-config

Re: Affects of Changing the Domain Name in ISE CLI

cherie13653 — Wed, 20 Nov 2024 22:23:54 GMT

I'm not sure I understand #4 use reset-config. This is in the cli when you type 'configure application ise'?? Do we do that prior to changing the domain-name of after? What is that command doing?

Re: Affects of Changing the Domain Name in ISE CLI

ahollifield — Wed, 20 Nov 2024 22:58:53 GMT

https://community.cisco.com/t5/security-blogs/reset-ise-host-os-config-with-a-single-cli/ba-p/3660180

Re: Affects of Changing the Domain Name in ISE CLI

Jonatan Jonasson — Wed, 20 Nov 2024 23:36:12 GMT

historically, changing IP addressing or hostname in ISE was dark magic with the potential of causing issues, and with the introduction of the "reset-config" command in ISE 2.1, it became the recommended approach when changing IP address or hostname.

But now, if you look at the ISE 3.3 admin guide, at the bottom of the "Deployment of ISE" section, you'll see a notice/guideline on changing the hostname using the "hostname" command.
(https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_deployment.html)

You will also see in the same guide that the node must be standalone.

"If a Cisco ISE node is a part of a distributed deployment, you must first remove it from the deployment and ensure that it is a standalone node."

You can find additional information on the "reset-config" command:
https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/cli_guide/b_ise_CLI_Reference_Guide_33/b_ise_CLIReferenceGuide_33_chapter_01.html#wp1520224057

And you should also remove it from AD, and then re-join after changing the hostname.

"Updating the hostname will cause any certificate using the old hostname to become invalid. A new self-signed certificate using the new hostname will be generated now for use with HTTPS/EAP. If CA-signed certificates are used on this node, import the new ones with the correct hostname. In addition, if this node is part of an AD domain, delete any AD memberships before proceeding."

Re: Affects of Changing the Domain Name in ISE CLI

cherie13653 — Thu, 21 Nov 2024 00:08:30 GMT

Thank you so much. I will check that out.

Re: Affects of Changing the Domain Name in ISE CLI

cherie13653 — Thu, 21 Nov 2024 14:03:03 GMT

Thank you very much