Changing ISE Node Domain Name Suffix

zachartl
Level 5

Hello,

We've recently reviewed Cisco Field Notice FN74392 - Cisco Identity Services Engine: Impact on Secure Communications from Public CA Client Authentication EKU Changes Starting in May 2026 - Workaround Provided

We have a four-node ISE deployment: two PANs and two PSNs. We utilize public CA certificates and public host.domain-names. In light of the Field Notice, we're considering migrating to an internal PKI infrastructure. This will entail a DNS domain suffix change. We're trying to gauge and minimize the potential impact of doing this. Our PSNs utilize the Passive Identity Connector service by way of WMI.

Has anyone out there migrated their ISE Deployments, changing ISE Node names?

Thank you in advance,

Terry

Accepted Solution

Arne Bier
VIP

Changing the ISE IP domain name involves de-registering the ISE node from the deployment so you can run the "reset-config" command (which is the most reliable way to make ADE-OS changes). I have done this on individual (standalone) nodes as well as on a small 2-node deployment. In the case of the 2-node deployment, each node was a PSN - and after the de-registration, both nodes will still operate as PSNs - they just won't talk to each other. As far as RADIUS and TACACS are concerned, there is no impact apart from the downtime of the node you de-registered - because it restarts its processes. And then the downtime again after the reset-config command. Not having done this on a larger deployment, it would be good to test in a lab first. But I would attempt to de-register the secondary PAN/MNT, change the domain, and then generate a CSR and have it signed by your PKI. Then import the PKI CA chain into the PAN, and attempt to register the secondary PAN. If that works, then I would repeat that process with the PSNs (one at a time). Lastly, I would then promote the secondary PAN to Primary. Then de-register the new secondary PAN, do the reset and cert stuff etc. and register back in. Finally, promote the secondary PAN back to Primary.

That's how I would imagine the process would go.

The assumption is, of course, that each time you change the FQDN of an ISE node, the DNS records are updated accordingly. That involves A and PTR records.


Good morning Mr. Bier,

Thank you for the timely and concise response. I very much concur with the logic you provided. I will relay this information to our Team for discussion, and contemplation.

Warmest regards, and our utmost gratitude.

Terry

One additional thing to consider - even if you move to use internal PKI - that change alone doesn't require you to change the naming.

You could keep on using the current public fqdn hostnames, and have your internal PKI just sign certificates for those names.

But if you want to change the names, then just follow the process Arne pointed out.

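As an added example (not from this thread, Cisco, or the posters above): a POSIX shell pre-flight check for the "generate a CSR, have it signed by your PKI" step, whichever hostname you settle on. It verifies that a node certificate's SAN lists the exact node FQDN, that the EKU still carries clientAuth alongside serverAuth (the EKU FN74392 says public CAs are dropping), and that it chains to the internal CA. It assumes openssl 1.1.1 or later is on PATH; the CA name and node FQDN are constructed placeholders, and make_node_cert only mints throwaway lab material to exercise the check.

```shell
#!/bin/sh
# Pre-flight certificate check for an ISE node (example code, not from the thread).
# Assumes: openssl >= 1.1.1 on PATH. All names below are constructed placeholders.
set -e

# check_node_cert CERT_PEM FQDN CA_PEM
# Returns 0 only if the SAN lists FQDN exactly, the EKU has both serverAuth and
# clientAuth (ISE node-to-node TLS needs the client side), and the cert chains to CA_PEM.
check_node_cert() {
  cert=$1; fqdn=$2; ca=$3
  # One SAN entry per line, then require an exact "DNS:<fqdn>" line (no substring matches).
  openssl x509 -in "$cert" -noout -ext subjectAltName | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF "DNS:$fqdn" || { echo "SAN does not list $fqdn"; return 1; }
  eku=$(openssl x509 -in "$cert" -noout -ext extendedKeyUsage)
  case "$eku" in *"TLS Web Client Authentication"*) ;; *) echo "EKU lacks clientAuth"; return 1;; esac
  case "$eku" in *"TLS Web Server Authentication"*) ;; *) echo "EKU lacks serverAuth"; return 1;; esac
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "does not chain to $ca"; return 1; }
  return 0
}

# make_node_cert OUTDIR FQDN EKU_LIST
# Lab-only helper: mint a throwaway internal CA and a node cert it signs, with the given
# SAN and EKU list, so the check above can be exercised offline.
make_node_cert() {
  d=$1; fqdn=$2; eku=$3
  mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Internal CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=%s\n' "$fqdn" "$eku" > "$d/ext.cnf"
  openssl x509 -req -in "$d/node.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -set_serial 1 \
    -days 1 -extfile "$d/ext.cnf" -out "$d/node.pem" 2>/dev/null
}

# Stand-alone demo: a correctly issued cert passes; one missing clientAuth (what the
# public CA change produces) is rejected.
demo=$(mktemp -d)
make_node_cert "$demo/good" ise-psn1.corp.example "serverAuth,clientAuth"
check_node_cert "$demo/good/node.pem" ise-psn1.corp.example "$demo/good/ca.pem" && echo "good cert: OK"
make_node_cert "$demo/bad" ise-psn1.corp.example "serverAuth"
check_node_cert "$demo/bad/node.pem" ise-psn1.corp.example "$demo/bad/ca.pem" || echo "bad cert: rejected"
rm -rf "$demo"
```

Run it against the real node cert and your internal CA chain with `check_node_cert node.pem <fqdn> ca-chain.pem` before attempting the register step.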

Good morning Mr. Jonasson,

I've been under the impression that the Internal PKI CA had to be a member of the DNS Domain. I hadn't considered this perspective before. It would certainly be worth a try.

Thank you for your input and my enlightenment.

Warmest regards,

Terry