Effects of Changing the Domain Name in ISE CLI

cherie13653
Level 1

I have a customer that has 2 ISE 3.3 nodes in a deployment. The nodes are VMs. When the nodes were originally configured they used a domain name that they don't really use anymore. Now they want to change the domain name in the CLI of the ISE nodes to their current domain name (i.e. from abc.com to xyz.com).

They use a CA that is internal to their organization. The current admin/EAP/RADIUS DTLS certificate has isenode1.abc.com and isenode2.abc.com in the SANs.

They've generated a new CSR with SANs containing isenode1.abc.com, isenode2.abc.com, isenode1.xyz.com and isenode2.xyz.com.

After they bind the new cert to the CSR and get it installed on both nodes, do they need to deregister the secondary node from the deployment prior to changing the domain name in the CLI?

Will changing the domain name affect the current AD Join?

Is there anything else that might be affected?

Does anyone have links to documentation for this process?

6 Replies

  1. Yes, since the DNS name will change.  
  2. Yes, hostname changes require AD re-join
  3. Services will restart
  4. Use reset-config

I'm not sure I understand #4, "use reset-config". Is this in the CLI when you type 'configure application ise'? Do we do that prior to changing the domain name or after? What is that command doing?

Thank you very much

Historically, changing the IP addressing or hostname in ISE was dark magic with the potential of causing issues, and with the introduction of the "reset-config" command in ISE 2.1, it became the recommended approach when changing the IP address or hostname.

But now, if you look at the ISE 3.3 admin guide, at the bottom of the "Deployment of ISE" section, you'll see a notice/guideline on changing the hostname using the "hostname" command.
(https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_deployment.html)

You will also see in the same guide that the node must be standalone.

"If a Cisco ISE node is a part of a distributed deployment, you must first remove it from the deployment and ensure that it is a standalone node."

You can find additional information on the "reset-config" command:
https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/cli_guide/b_ise_CLI_Reference_Guide_33/b_ise_CLIReferenceGuide_33_chapter_01.html#wp1520224057

And you should also remove it from AD, and then re-join after changing the hostname.

"Updating the hostname will cause any certificate using the old hostname to become invalid. A new self-signed certificate using the new hostname will be generated now for use with HTTPS/EAP. If CA-signed certificates are used on this node, import the new ones with the correct hostname. In addition, if this node is part of an AD domain, delete any AD memberships before proceeding."


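The whole procedure above hinges on one thing being true before the first node is renamed: the CA-signed certificate that will be bound must carry both the old and the new FQDN of every node, otherwise admin HTTPS, EAP and RADIUS DTLS break for whichever name the node is using at that moment. That is worth checking mechanically rather than by eye. The script below is an added example, not code from this thread or from Cisco. It assumes you have exported the certificate (or the pending CSR) from ISE and run OpenSSL on it, e.g. `openssl x509 -in cert.pem -noout -ext subjectAltName` or `openssl req -in node.csr -noout -text`, and feeds that text in; the node names, domains and SAN text are constructed to match the thread. It also handles a wildcard SAN such as `*.xyz.com`, which the thread does not use but which an internal CA will often issue.

```python
"""Pre-cutover check: does the certificate's subjectAltName cover every
ISE node FQDN under both the old and the new domain?

Added example, not from the thread or from Cisco.  Input is the text that
OpenSSL prints for the SAN extension, e.g.
    openssl x509 -in admin-cert.pem -noout -ext subjectAltName
    openssl req  -in new-node.csr  -noout -text      (for the pending CSR)
so only the standard library is needed.  All sample output below is constructed.
"""
import re
from typing import Iterable

# Constructed: SAN extension text for the new CSR described in the thread.
NEW_CSR_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:isenode1.abc.com, DNS:isenode2.abc.com, DNS:isenode1.xyz.com, DNS:isenode2.xyz.com
"""

# Constructed: the currently installed certificate, which only carries the old names.
OLD_CERT_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:isenode1.abc.com, DNS:isenode2.abc.com
"""

NODES = ["isenode1", "isenode2"]   # hostnames from the thread
DOMAINS = ["abc.com", "xyz.com"]   # old and new domain from the thread


def required_fqdns(hostnames: Iterable[str], domains: Iterable[str]) -> set[str]:
    """Every node under every domain: both must validate while nodes are renamed one at a time."""
    return {f"{h}.{d}".lower() for h in hostnames for d in domains}


def parse_san_dns(openssl_text: str) -> set[str]:
    """Pull the DNS: entries out of OpenSSL's SAN text; IP Address:/email: entries are ignored."""
    return {m.lower() for m in re.findall(r"DNS:([^,\s]+)", openssl_text)}


def san_covers(san: str, fqdn: str) -> bool:
    """Exact match, or a leftmost '*' wildcard standing for exactly one non-empty label (RFC 6125 style)."""
    san, fqdn = san.lower(), fqdn.lower()
    if san == fqdn:
        return True
    if san.startswith("*."):
        suffix = san[1:]                       # "*.xyz.com" -> ".xyz.com"
        if not fqdn.endswith(suffix):
            return False
        label = fqdn[: -len(suffix)]           # the part the '*' has to stand for
        return bool(label) and "." not in label
    return False


def missing_sans(openssl_text: str, hostnames: Iterable[str], domains: Iterable[str]) -> set[str]:
    """Return the required FQDNs that no SAN entry covers; an empty set means the cert is safe to bind."""
    sans = parse_san_dns(openssl_text)
    return {f for f in required_fqdns(hostnames, domains)
            if not any(san_covers(s, f) for s in sans)}


if __name__ == "__main__":
    for label, text in (("current cert", OLD_CERT_SAN_TEXT), ("new CSR", NEW_CSR_SAN_TEXT)):
        gap = missing_sans(text, NODES, DOMAINS)
        print(f"{label}: {'OK' if not gap else 'missing ' + ', '.join(sorted(gap))}")
```

Run it against the current certificate first (it should report the xyz.com names missing, which is exactly why the cert has to be replaced before the hostname change), then against the newly bound certificate on each node; only when both nodes report no gap should the secondary be deregistered and the `hostname` change started.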

Thank you so much.  I will check that out.