02-13-2017 07:27 AM - edited 03-11-2019 12:27 AM
Hi,
I have two ISE nodes, primary and secondary. Both are already joined to test.local, with self-signed certificates.
Now I want to use an external CA.
In my DNS i have zone for test.com
So here are the steps I am going to use:
Create an A record for ise01.test.com, ise02.test.com in the DNS forward zone
Go to deployment, deregister the second ISE.
Go to the ISE console: type ip domain-name test.com
Do it on both ISE
Generate CSR
Please tell me whether the above steps are valid.
Thanks
02-13-2017 04:03 PM
Hi,
Recommendation is to separate the nodes and change the hostname accordingly.
The following things need to be taken care of:
1) Please note that we would need to re-generate the internal CA certificate chain after the hostname change for the ISE internal CA to continue issuing certificates.
2) Disjoin and rejoin the ISE -AD for new connection.
Changing hostname on ISE:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_011.html#ID686
Regards
Gagan
PS: rate if it helps!!!!
02-13-2017 10:59 PM
Hi,
Basically I am not changing the hostname (ise01, ise02) or domain name (test.local).
The purpose is to avoid the certificate error when accessing the guest portal.
So for the guest portal I will use a certificate from the external CA, and for EAP one from our local internal CA.
Could you provide details?
Thanks
02-14-2017 10:36 AM
During Portal communication, PSN sends the portal certificate. In order to avoid certificate warning, you need to trust the CA with intermediate by putting it in the trusted list of client.
Let me know if you need anything specific to that.
Regards
Gagan
PS : rate if it helps!!!!
02-14-2017 10:39 AM
If you are only changing the domain in CLI then you don't need to remove the AD integration inside the ISE application. With that said, the steps that you have listed are correct. A couple of things to note here:
- The nodes will restart when you deregister them from the cluster
- The nodes will restart when you register them back in
- The nodes will restart when you change the domain name
- If you are getting a wildcard certificate, you won't be able to use it for EAP based authentications
I hope this helps!
Thank you for rating helpful posts!
02-15-2017 12:44 AM
Hi,
Thank you all, I have elaborated the steps a bit. Please, I need your feedback.
The purpose is changing the domain name (test.local) to test.com while ISE remains joined in test.local like a member server,
so the guest users won't get a certificate warning.
Presently installed: self-signed certificate
Domain name: test.local
ISE joined in test.local
step 1:
Creating A records and CNAME records in the forward lookup zone test.com
-------------------------------------
create A record for ise01 192.168.10.100 (ise01.test.com)
verify ise01.test.com will resolve to 192.168.10.100
create A record for ise01 192.168.10.101 (ise02.test.com)
verify ise01.test.com will resolve to 192.168.10.101
SAN - DNS CNAME
for SAN create a DNS CNAME record ise.test.com 192.168.10.100
verify ise.test.com will resolve to 192.168.10.100
step 2:
Removing the node from the cluster (ise02)
-------------------------------------
Deregister ise02 from the cluster. The node will restart.
step 3:
Changing domain name using CLI
------------------------------------
Once back, go to CLI and type: ip domain-name test.com. The node will restart.
Generate CSR on ise02. Here I will choose Admin type, so I can use it for EAP and portal (guest and admin portal).
Go to ISE01
CLI type: ip domain-name test.com. The node will restart.
Generate CSR on ise02. Here I will choose Admin type, so I can use it for EAP and portal (guest and admin portal).
step 4:
Importing certificate to ISE and bind
------------------------------------
ise01
Go back into the "Certificate Signing Requests" page. Select the CSR saved and click "Bind Certificate".
ise02
Go back into the "Certificate Signing Requests" page. Select the CSR saved and click "Bind Certificate".
We don't import the root CA since ISE already has the external CA certificate.
step 5:
Re-register to the cluster.
When re-registering, what should the name be? ise02.test.local or ise02.test.com
Finally, am I missing something?
Thanks
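As an added check (not code from the thread or from Cisco ISE), the small Python script below verifies a certificate returned by the external CA against the names created in step 1 above, and applies the earlier caveat that a wildcard certificate cannot be used for EAP. The SAN entries and portal names are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class SanCheck:
    covered: dict          # portal FQDN -> True if some SAN entry matches it
    missing: list          # FQDNs that no SAN entry matches
    usable_for_eap: bool   # False when the certificate relies on a wildcard


def san_matches(san_entry: str, fqdn: str) -> bool:
    """Match one DNS SAN entry against a name, RFC 6125 style:
    exact match, or a single '*' as the whole leftmost label covering
    exactly one label (so *.test.com does not cover a.b.test.com
    or ise01.test.local)."""
    san_entry = san_entry.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if san_entry == fqdn:
        return True
    if san_entry.startswith("*.") and "*" not in san_entry[2:]:
        s_labels = san_entry.split(".")
        h_labels = fqdn.split(".")
        return len(s_labels) == len(h_labels) and s_labels[1:] == h_labels[1:]
    return False


def check_san_coverage(san_entries, portal_fqdns) -> SanCheck:
    """Report which portal names the certificate covers and whether it is
    also safe to assign to EAP (i.e. it contains no wildcard entry)."""
    covered = {h: any(san_matches(s, h) for s in san_entries) for h in portal_fqdns}
    missing = [h for h, ok in covered.items() if not ok]
    has_wildcard = any(s.startswith("*.") for s in san_entries)
    return SanCheck(covered, missing, not has_wildcard)


# Constructed sample values (hypothetical, not the thread's real deployment):
# the A-record names from step 1 plus the CNAME clients are redirected to.
PORTAL_NAMES = ["ise01.test.com", "ise02.test.com", "ise.test.com"]
# A SAN list as it might come back from the external CA for ise01's CSR.
SAN_FROM_CA = ["ise01.test.com", "ise.test.com"]

if __name__ == "__main__":
    result = check_san_coverage(SAN_FROM_CA, PORTAL_NAMES)
    print("missing:", result.missing, "EAP ok:", result.usable_for_eap)
```

Run it against the SAN list of each node's returned certificate before clicking "Bind Certificate"; a name in `missing` is one the guest browser will still warn about.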
02-16-2017 06:53 PM
I think you are good!!! It should work for you as per the steps mentioned by you.
Regards
Gagan
rate if it helps!!!!
02-16-2017 11:46 PM
Dear Gagan,
I am stuck at this point:
step 3:
Changing domain name using CLI
------------------------------------
Once back, go to CLI and type: ip domain-name test.com. The node will restart.
Generate CSR on ise02. Here I will choose Admin type, so I can use it for EAP and portal (guest and admin portal).
I tried to create a CSR here, but there is no option for CSR.
Thanks
02-18-2017 11:52 AM
You can generate a certificate for Multi-use. Using Multi-use, you can assign a single certificate to multiple services.
Administration > System > Certificates > Certificate Signing Requests
Once you generate the CSR, present it to the external CA and get the server certificate.
Come back to the same page and bind it by selecting the CSR.
Regards
Gagan
PS: rate if it helps!!!!