changing domain of ISE after POST setup

Manish Patel
Beginner

Hi

I would like to find out if one can change the domain of the ISE to another domain after ISE has fully been implemented, or do I have to rebuild the server again? ISE version is 1.1.1.

I would like to change from xyz.abc.com to just abc.com.

Thanks

11 REPLIES

Tarik Admani
Advocate

It's not recommended, but it is necessary in order to work, since samaccountnames are suffixed by this setting for user authentications. I have changed mine around a few times without any negative impacts (I can't remember if it resets the database or just bounces the services). I can check in a few hours and post the output.

I went ahead and did the change on a lab box, and you have to remove the first domain name and then enter the new domain name, i.e.

no ip domain-name abc.com

ip domain-name xyz.com

There is a disclaimer of undesired effects but it's up to you to test things out once the services come back up.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Thanks for your response.

I did the same as above, and rebooted it... did it a couple of times and the ISE came back up fine.

The reason for this is that I have added a CA-signed cert for HTTPS and EAP protocols for wireless users.

Every time the wireless users connect, they get a pop-up on iPads and iPhones saying that the cert is not verified. Once they click on accept they are connected to wireless and work fine....

Hence, I was wondering if the domain change of ISE would be the issue.

Do you have the error message handy? The purpose of the domain name is to set a default suffix for incomplete hostname or (samaccountname) authentications. ISE is also strict when it comes to importing certs: if the FQDN of the ISE node doesn't match the CN of the subject name of the cert, it will not allow you to import it.

For example, ISE prefers UPN format (bob@abc.com) to authenticate. However, these days most people do not know what their domain even means or is... so they enter their username as bob... ISE then attempts DNS resolution of abc.com and then fires the query of bob@abc.com to authenticate the user. So make sure that your AD domain and your ip domain-name configuration are the same....

Here is the command reference as to what this command is used for:

http://www.cisco.com/en/US/docs/security/ise/1.1/cli_ref_guide/ise_cli_app_a.html#wp1986123

Thanks,

Tarik Admani
*Please rate helpful posts*
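
The FQDN-versus-CN match described in the reply above can be checked before changing `ip domain-name` or importing a certificate. The script below is an added example, not part of the thread and not Cisco code; it assumes the `openssl` CLI is available, and the hostname `ise01` and all function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Requires the openssl CLI.
# "ise01" and every function name here are hypothetical.

# Create a throwaway self-signed certificate with the given CN
# (constructed sample input, so the check can be tried offline).
make_sample_cert() {
    local out=$1 cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=${cn}" -keyout "${out}.key" -out "$out" 2>/dev/null
}

# Print the subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# DNS names compare case-insensitively, so normalise before comparing.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Return 0 if the cert CN equals <hostname>.<ip domain-name>,
# 1 on mismatch, 2 if no CN could be read from the file.
check_cert_for_node() {
    local cert=$1 host=$2 domain=$3 cn fqdn
    fqdn="${host}.${domain}"
    cn=$(cert_cn "$cert")
    [ -n "$cn" ] || { echo "ERROR: no CN read from $cert"; return 2; }
    if [ "$(lower "$cn")" = "$(lower "$fqdn")" ]; then
        echo "OK: CN '$cn' matches node FQDN '$fqdn'"
        return 0
    fi
    echo "MISMATCH: CN is '$cn' but node FQDN would be '$fqdn'"
    return 1
}

# Usage:
#   make_sample_cert /tmp/ise.pem ise01.xyz.abc.com
#   check_cert_for_node /tmp/ise.pem ise01 xyz.abc.com   # match
#   check_cert_for_node /tmp/ise.pem ise01 abc.com       # mismatch after domain change
```

A certificate issued for the node under xyz.abc.com stops matching once the domain is changed to abc.com, so it would need to be reissued for the new FQDN.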