08-29-2017 03:58 PM
Hi,
what is the best way to make sure if ISE01 fails guest traffic for the portal will go to ISE02 automatically and without a load balancer?
Thanks,
08-30-2017 10:05 AM
That is a bug I opened while working on a field engineer's setup. The workaround is to avoid such a partial match; e.g. the ISE hostname is demoISE-1 while the alias is demoISE.
08-30-2017 10:07 AM
So change ISE host name so it won't match the alias?!
08-30-2017 10:14 AM
Because the alias is tied to my SSL cert that was purchased. Looking at the caveats for changing the hostname in a 2-node setup.
08-30-2017 10:19 AM
ISE allows updating the hostname in standalone mode only, and such operations will restart ISE services, so you would need a maintenance window.
Cisco TAC may help with updating the hosts entries via root.
08-30-2017 06:58 PM
I want to go down the path of using the CLI command "ip host" without having to go through TAC to change the hostnames for my 2 ISE servers. Tonight I will attempt the following, but I want to see if you think my steps would work. Can you let me know?!
Break the cluster
Make each ISE a standalone
Change the hostname via CLI
Make sure DNS has the new hostname mapping
Cluster the nodes back together:
- import the second ISE cert to the main node
- change the primary node from standalone to primary
- register the second ISE node under the main ISE
Verify the cluster is working.
Use the "ip host" CLI command
08-30-2017 10:35 PM
In case interface bonding is in use, please take a look at CSCve57664. Besides what you wrote, also note the impact on Active Directory and the internal CA. Below is what I would suggest:
Backup (CFG, system certificates and private keys, internal CA export)
Perform a basic set of tests before any changes.
De-register the 2nd node and make the primary standalone
(On the 1st ISE node (primary previously))
If using AD, leave AD
Update DNS record(s)
CLI configure "hostname" and "ip host" commands
If using an internal PKI for ISE system certificate, then generate CSR and get a new cert from the PKI
If using internal CA, re-gen internal CA certificates
If using AD, re-join AD
Perform some testing to verify all working ok on this 1st ISE node.
(On the 2nd ISE node)
If using AD, leave AD
Update DNS record(s)
CLI configure "hostname" and "ip host" commands
If using an internal PKI for ISE system certificate, generate CSR and get a new cert from the PKI
If using AD, re-join AD
Perform some tests
If the 2nd ISE node is using an ISE self-signed cert for its ISE system certificate, then export it and import it into the 1st ISE node.
Make the 1st ISE node primary and re-register the 2nd ISE node to it.
Perform more tests.
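As an added example (not from anyone in this thread), a small Python pre-check for the rename plan above: it flags a new node hostname that partially matches the portal alias (the prefix overlap the bug workaround warns about), and confirms the DNS records and the purchased certificate's SANs cover the names guests will hit. The hostnames, alias, domain, DNS records and SAN list are constructed sample values.

```python
"""Pre-change sanity check for an ISE hostname rename (added example).

All hostnames, DNS records and SANs below are constructed samples.
"""
from ipaddress import ip_address


def partial_match(hostname: str, alias: str) -> bool:
    """True when one short name is a prefix of the other (demoISE / demoISE-1)."""
    h, a = hostname.lower(), alias.lower()
    return h == a or h.startswith(a) or a.startswith(h)


def san_matches(san: str, fqdn: str) -> bool:
    """Match an exact SAN or a single-label wildcard such as *.example.test."""
    san, fqdn = san.lower(), fqdn.lower()
    if san.startswith("*."):
        parts = fqdn.split(".", 1)
        return len(parts) == 2 and parts[1] == san[2:]
    return san == fqdn


def check_rename_plan(hostnames, alias, domain, dns, cert_sans):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for host in hostnames:
        if partial_match(host, alias):
            findings.append(f"hostname {host} partially matches alias {alias}")
    alias_fqdn = f"{alias}.{domain}".lower()
    if not any(san_matches(s, alias_fqdn) for s in cert_sans):
        findings.append(f"certificate SANs do not cover {alias_fqdn}")
    for name in [alias, *hostnames]:
        fqdn = f"{name}.{domain}".lower()
        if fqdn not in dns:
            findings.append(f"no DNS record for {fqdn}")
        else:
            ip_address(dns[fqdn])  # raises ValueError on a malformed record
    return findings


# Constructed sample data modelled on the thread: one portal alias, two nodes.
SAMPLE_DNS = {"demoise.example.test": "192.0.2.10",
              "ise-pan1.example.test": "192.0.2.10",
              "ise-pan2.example.test": "192.0.2.11"}
SAMPLE_SANS = ["demoise.example.test", "*.example.test"]

if __name__ == "__main__":
    print(check_rename_plan(["demoISE-1", "demoISE-2"], "demoISE",
                            "example.test", SAMPLE_DNS, SAMPLE_SANS))
    print(check_rename_plan(["ise-pan1", "ise-pan2"], "demoISE",
                            "example.test", SAMPLE_DNS, SAMPLE_SANS))
```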
08-29-2017 08:00 PM
I'll test it. This should work. What ISE version?
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117620-configure-ISE-00.html
Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.