cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
18718
Views
6
Helpful
6
Replies

Changing the hostname on ISE

__Beth__
Level 1
Level 1

Hello,

Has anyone successfully changed the hostname on an ISE 2.1.0.474 Standalone installation?  We looked at doing this awhile back and was basically told it was extremely difficult to do.  We are in need of changing it due to a certificate issue.  Any help or advice would be appreciated.

Thanks!

Beth

1 Accepted Solution

Accepted Solutions

I am not sure why TAC commented so. I've not had much problem with hostname changes for a standalone ISE. Please note that we would need to re-generate the internal CA certificate chain after the hostname change for the ISE internal CA to continue issuing certificates.

If you run into any problem, please let us know so we can track it down.

View solution in original post

6 Replies 6

gbekmezi-DD
Level 5
Level 5

Did you try and have a problem? Make sure you backup first.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/cli_ref_guide/b_ise_CLIReferenceGuide_21/b_ise_CLIReferenceGuide_21_chapter_011.html#ID-1364-00000428

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.

hslai
Cisco Employee
Cisco Employee

If you are updating "hostname" only, what George provided is a good option. I've done it a couple of times.

If you are updating more than "hostname", then try "reset-config", which is added in ISE 2.0 to reset network and time settings.

Either way, I would also suggest to reload the ISE node once the changes are done.

__Beth__
Level 1
Level 1

Thank you both.  The reason I ask is when we looked at doing this in the past, I contacted TAC and their response was “Unfortunately, changing the hostname on ISE is a Herculean task.” 

I will definitely do a backup before attempting any changes.  

I am not sure why TAC commented so. I've not had much problem with hostname changes for a standalone ISE. Please note that we would need to re-generate the internal CA certificate chain after the hostname change for the ISE internal CA to continue issuing certificates.

If you run into any problem, please let us know so we can track it down.

TAC is right! Changing ISE hostname requires the following steps:

1. Disjoin the ISE nodes from the domain.(If ISE join AD)

2. Ensure that their computer name is removed from AD.(If ISE join AD)

3. Update DNS records

4. Ensure that DNS records have replicated

5. Change names on ISE(CLI)

6. Join nodes to the domain

After Change hostnames on ISE by CLI, you may see the notification as blow:

Updating the hostname will cause any certificate using the old
% hostname to become invalid. Therefore, a new self-signed
% certificate using the new hostname will be generated now for
% use with HTTPs/EAP. If CA-signed certs were used on this node,
% please import them with the correct hostname. If Internal-CA
% signed certs are being used, please regenerate ISE Root CA certificate.
% In addition, if this ise node will be joining a new Active Directory
% domain, please leave your current Active Directory domain before
% proceeding. If this ise node is already joined to
% an Active Directory domain, then it is strongly advised
% to rejoin all currently joined join-points in order to
% avoid possible mismatch between current and previous
% hostname and joined machine account name.
% Changing the hostname will cause ise services to restart
Proceed? [yes,no]
If you type"yes",

new hostname will be generated for use with HTTPs/EAP will generate a new certificate, then restart ISE.

So, need to regenerate ISE Root CA certificate、 disjoin the ISE nodes from the domain.

You better try it on your Lab before do it on production.

adrianbcisco
Level 1
Level 1

Can this be achieved by entering hostname NEWHOSTNAME at global config mode on the ISE, I believe it works on ISE1.2.

 

Regards.