Cisco Employee

Re: Guest portal redundancy

That is a bug I opened while working on a field engineer's setup. The workaround is to avoid such a partial match; e.g. the ISE hostname is demoISE-1 while the alias is demoISE.

Beginner

Re: Guest portal redundancy

So change ISE host name so it won't match the alias?!

Beginner

Re: Guest portal redundancy

Because the alias is tied to my SSL cert that was purchased. Looking at the caveats for changing the hostname in a 2-node setup.

Cisco Employee

Re: Guest portal redundancy

ISE allows updating the hostname in standalone mode only, and such operations will restart ISE services, so you would need a maintenance window.

Cisco TAC may help updating the hosts entries via root.

Beginner

Re: Guest portal redundancy

I want to go down the path of using the CLI command "ip host" without having to go through TAC to change the host names for my 2 ISE servers. Tonight I will attempt the following, but I want to see if you think my steps would work. Can you let me know?!

Break the cluster

Make each ise a standalone

Change hostname cli

Make sure dns has the new hostname mapping

Cluster nodes back together:

- import second ise cert to the main node

- change the primary node from standalone to primary

- register the second ise node under the main ise

verify cluster is working.

use the ip host cli command

Cisco Employee

Re: Guest portal redundancy

In case interface bonding is in use, please take a look at CSCve57664. Besides what you wrote, also note the impact on Active Directory and the internal CA. Below is what I would suggest:

Backup (CFG, system certificates and private keys, internal CA export)

Perform a basic set of testing before any changes.

De-register the 2nd node and make the primary standalone

(On the 1st ISE node (primary previously))

If using AD, leave AD

Update DNS record(s)

CLI configure "hostname" and "ip host" commands

If using an internal PKI for ISE system certificate, then generate CSR and get a new cert from the PKI

If using internal CA, re-gen internal CA certificates

If using AD, re-join AD

Perform some testing to verify all working ok on this 1st ISE node.

(On the 2nd ISE node)

If using AD, leave AD

Update DNS record(s)

CLI configure "hostname" and "ip host" commands

If using an internal PKI for ISE system certificate, generate CSR and get a new cert from the PKI

If using AD, re-join AD

Perform some tests

If the 2nd ISE node is using an ISE self-signed cert for the ISE system certificate, then export it and import it to the 1st ISE node.

Make the 1st ISE node primary and re-register the 2nd ISE node to it.

Perform more tests.

Contributor

Re: Guest portal redundancy

I'll test it. This should work. What ISE version?

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117620-configure-ISE-00.html

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.