I would like to find out if one can change the domain of the ISE to another domain after ISE has been fully implemented, or do I have to rebuild the server again? ISE version is 1.1.1.
I would like to change from xyz.abc.com to just abc.com.
It's not recommended, but it is necessary in order to work, since samaccountnames are suffixed by this setting for user authentications. I have changed mine around a few times without any negative impacts (I can't remember if it resets the database or just bounces the services). I can check in a few hours and post the output.
I went ahead and did the change on a lab box, and you have to remove the first domain name and then enter the new domain name, i.e.:
no ip domain-name abc.com
ip domain-name xyz.com
There is a disclaimer of undesired effects but it's up to you to test things out once the services come back up.
*Please rate helpful posts*
Thanks for your response.
I did the same as above and rebooted it... did it a couple of times, and the ISE came back up fine.
The reason for this is that I have added a CA-signed cert for HTTPS and EAP protocols for wireless users.
Every time the wireless users connect, they get a pop-up on iPads and iPhones saying that the cert is not verified. Once they click on Accept, they are connected to wireless and work fine...
Hence, I was wondering if the domain change of ISE would be the issue.
Do you have the error message handy? The purpose of the domain name is to set a default suffix for incomplete hostname or (samaccountname) authentications. ISE is also strict when it comes to importing certs: if the FQDN of the ISE node doesn't match the CN of the subject name of the cert, it will not allow you to import it.
For example, ISE prefers UPN format (firstname.lastname@example.org) to authenticate. However, these days most people do not know what their domain even means or is... so they enter their username as bob... ISE then attempts DNS resolution of abc.com and then fires the query of email@example.com to authenticate the user. So make sure that your AD domain and your ip domain-name configuration are the same...
Here is the command reference as to what this command is used for:
*Please rate helpful posts*
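The CN/FQDN match described in the post above, and the later question of whether a certificate was requested under the old domain, sketched as an added example (not code from this thread or from Cisco): it compares names copied from a certificate against the node FQDN before and after an `ip domain-name` change. The hostname `ise01`, the name list and all function names are constructed, and it assumes the node FQDN is the hostname plus the configured domain name; the wildcard handling goes beyond the thread and follows the usual RFC 6125 rule.

```python
# Added example: all names below are constructed, not from a real deployment.

def node_fqdn(hostname: str, ip_domain_name: str) -> str:
    """Assumption: the node FQDN is hostname + configured ip domain-name."""
    return f"{hostname}.{ip_domain_name}".lower().rstrip(".")

def name_matches(pattern: str, fqdn: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the whole leftmost
    label and stands for exactly one label; comparison ignores case."""
    p = pattern.lower().rstrip(".").split(".")
    f = fqdn.lower().rstrip(".").split(".")
    if len(p) != len(f):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        return len(p) > 2 and p[1:] == f[1:]
    return p == f

def cert_covers(cert_names, hostname, ip_domain_name):
    """Return (fqdn, names in the certificate that match that fqdn)."""
    fqdn = node_fqdn(hostname, ip_domain_name)
    return fqdn, [n for n in cert_names if name_matches(n, fqdn)]

def audit_domain_change(cert_names, hostname, old_domain, new_domain):
    """Report whether the certificate still names the node after the change."""
    result = {}
    for label, domain in (("before", old_domain), ("after", new_domain)):
        fqdn, hits = cert_covers(cert_names, hostname, domain)
        result[label] = {"fqdn": fqdn, "matched_by": hits, "ok": bool(hits)}
    return result

# Constructed sample: subject CN and SAN entries as they would be copied by
# hand from a certificate requested while the node was still in xyz.abc.com.
CERT_NAMES = ["ise01.xyz.abc.com", "*.xyz.abc.com"]

if __name__ == "__main__":
    report = audit_domain_change(CERT_NAMES, "ise01", "xyz.abc.com", "abc.com")
    for phase, r in report.items():
        status = "match" if r["ok"] else "MISMATCH"
        print(f"{phase:6} {r['fqdn']:20} {status} {r['matched_by']}")
```

A mismatch in the "after" row means the certificate was issued for the old FQDN and a new CSR is needed for the new name.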
The server is on captive.abc.com.
The AD that the ISE queries for users is from wde.abc.com; there is a trust both ways.
Once users click on Accept, they get access to resources etc.
I understand that with Windows laptops, you would have to have the cert as a trusted certificate; the pop-up is only seen on iPhones and iPads (running version 5.1.1), not on MacBooks. I also checked the Apple website to see if the CA is trusted on version 5.1.1, checked the serial number too, all matched...
Hence the doubt that the domain-name change may have had issues with the database.
On an iPad, I couldn't check for that...
I checked the details of the certificate via the ISE browser (as we are using it for HTTPS and EAP); the EKU is set for TLS web server and TLS client authentication.
Could it be possible that when the CSR was being generated, it could have used the old domain?
After a few hours of rebuilding it, I still have the same issue, i.e. cert not verified on iPads and iPhones... MacBooks work fine.