topic That is good to hear Joe! Did in Network Access Control

Cisco ISE change Domain Name

joeharb — Mon, 11 Mar 2019 05:18:30 GMT

Our ISE deployment was setup with our internal domain name of csi.corp, when presenting the guest CWA this is the domain name the is presented to

the guest. We would like for this to be out public domain and a valid certificate. From what I have gathered the web portal https certificate must contain the FQDN of the ISE node, therefore I would need to change the domain name on the server(s). I have found posts that some have changed the domain name after deployment without any adverse results, is this possible? We are currently integrated with our corp AD and able to utilize this the EAP authentications. We have 2 nodes in our deployment, is it possible to change the domain name to our public domain without a rebuild?

Thanks,

Joe

Hi Joe-Yes, what you are

nspasov — Mon, 29 Dec 2014 20:07:31 GMT

Hi Joe-

Yes, what you are describing here is possible and I have done it in the past. You can have ISE joined (in the GUI) to an internal domain (company.local) while the hostname and domain configuration in CLI be set to the public domain (company.com). ISE will require a restart so plan on doing this during a maintenance window. You will also have to do some tweaking with your DNS in order to allow hosts on the "inside" of your network to be able to resolve "ise.company.com" to a private IP.

I hope this helps!

Thank you for rating helpful posts!

Thanks for the reply, Since

joeharb — Mon, 29 Dec 2014 20:10:46 GMT

Thanks for the reply,

Since there are 2 servers in the deloyment, should I simply start with the first node, no out the domain name as it is now and replace it with the public, then restart the appliance, do the same secondary?

Thanks,

Joe

Yes, anything that can

nspasov — Mon, 29 Dec 2014 20:21:42 GMT

Yes, anything that can minimize downtime. Btw, I have not done this during production time so be aware that changing the domain and hostname will probably invalidate the currently installed certificate, thus it will break the inter-cluster communication between the two nodes. Again, that should not be a big deal but just something to keep in mind.

Thank you for rating helpful posts!

TAC has come back stating

joeharb — Fri, 02 Jan 2015 14:00:25 GMT

TAC has come back stating that a domain name change isn't needed if we request the certificate the following way:

Here is a example, in the wild card certificate please ensure you have SAN field set to:
DNS name: isenode1.local.corp
DNS name: isenode2.local.corp
DNS name: *.public.com

I wouldn't expect that a Registrar would provide this certificate, am I incorrect?

Thanks,

Joe

Hmm, unless something has

nspasov — Mon, 05 Jan 2015 08:18:21 GMT

Hmm, unless something has changed I don't believe this would work because:

- Even though the CN doesn't have to be an exact match of the FQDN, I believe that the domain suffix in the CN still must match the domain suffix in the FQDN. So you can have many different values and domains in the SAN fields but the domain in the CN field must match the domain specified in the FQDN. I don't have any certs to test this with now but I am pretty sure that even though the CSR generation would work, the process will fail when trying to import the cert.

- Is ".local.corp" a public domain? It doesn't sound like it but perhaps it is 🙂 However, if it is not, then many public CAs won't issue you a public certificate for a private domain. You can definitely give it a try and see what they say 🙂

Let me know what you find out!

Thank you for rating helpful posts!

To update, I was able to

joeharb — Fri, 09 Jan 2015 22:14:03 GMT

To update, I was able to change the domain name on both servers without issue.

Thanks,

Joe

That is good to hear Joe! Did

nspasov — Sat, 10 Jan 2015 23:56:01 GMT

That is good to hear Joe! Did you complete the hostname changes without having to perform any additional tasks or or..?

Thanks!

Hi,

wyfy-2015 — Thu, 07 Apr 2016 04:02:52 GMT

Hi,

Can you tell how did you do that ?

Thanks

I logged into the cli via ssh

joeharb — Thu, 07 Apr 2016 13:30:37 GMT

I logged into the cli via ssh and did a no ip domain-name olddomain.com

then

ip domain-name newdomain.com

restarted appliance completely.

Hope this helps.

Joe

Hi

wyfy-2015 — Thu, 07 Apr 2016 16:07:11 GMT

And what about the eap and admin certificate , you are using the certificate from your internal CA . I believe that for that you are using internal CA and for portal you are using external CA . It would be a great help if you brief about that

Thanks

You are correct, we are using

joeharb — Thu, 07 Apr 2016 16:10:09 GMT

You are correct, we are using a certificate signed by our internal CA for EAP connections and one from an external CA for admin and portal access.

Thanks,

Joe

Thank you Joe and Special

wyfy-2015 — Thu, 07 Apr 2016 19:22:58 GMT

Thank you Joe and Special thanks to Neno .Without Neno ISE discussion is not

complete 🙂

Wow, this is an old thread

nspasov — Fri, 08 Apr 2016 06:19:21 GMT

Wow, this is an old thread but I am glad that it is still providing help to others 🙂

wyfy-2015 - Thank you for the compliment!

joeharb - Thank you for taking the time to come back and post info about this (+5 from me as well).

Now, if this issue was resolved, we should mark the thread as "answered" 😉

Thank you for rating helpful posts!

Re: You are correct, we are using

ryan14 — Fri, 14 May 2021 15:51:43 GMT

I have a similar issue. Just to clarify, what did you need to change to migrate from using an internal cert for admin and portal? Just change the domain name on each ISE node, reboot and apply the public certificate? Are you using a wild card certificate?