Cisco ISE change Domain Name

joeharb (Level 5)

Our ISE deployment was set up with our internal domain name of csi.corp, and when presenting the guest CWA this is the domain name that is presented to the guest. We would like this to be our public domain with a valid certificate. From what I have gathered, the web portal HTTPS certificate must contain the FQDN of the ISE node, therefore I would need to change the domain name on the server(s). I have found posts where some have changed the domain name after deployment without any adverse results; is this possible? We are currently integrated with our corp AD and able to utilize this for EAP authentications. We have 2 nodes in our deployment; is it possible to change the domain name to our public domain without a rebuild?

Thanks,

 

Joe


14 Replies

nspasov (Cisco Employee)

Hi Joe-

Yes, what you are describing here is possible and I have done it in the past. You can have ISE joined (in the GUI) to an internal domain (company.local) while the hostname and domain configuration in the CLI is set to the public domain (company.com). ISE will require a restart, so plan on doing this during a maintenance window. You will also have to do some tweaking with your DNS in order to allow hosts on the "inside" of your network to be able to resolve "ise.company.com" to a private IP.

I hope this helps!

 

Thank you for rating helpful posts!

Thanks for the reply,

 

Since there are 2 servers in the deployment, should I simply start with the first node, "no" out the domain name as it is now and replace it with the public one, then restart the appliance, and do the same on the secondary?

 

Thanks,

 

Joe

Yes, anything that can minimize downtime. Btw, I have not done this during production time so be aware that changing the domain and hostname will probably invalidate the currently installed certificate, thus it will break the inter-cluster communication between the two nodes. Again, that should not be a big deal but just something to keep in mind. 

 

Thank you for rating helpful posts!

TAC has come back stating that a domain name change isn't needed if we request the certificate the following way:

Here is an example; in the wildcard certificate please ensure you have the SAN field set to:
DNS name: isenode1.local.corp
DNS name: isenode2.local.corp
DNS name: *.public.com

 

I wouldn't expect that a Registrar would provide this certificate, am I incorrect?

Thanks,

Joe

Hmm, unless something has changed I don't believe this would work because:

- Even though the CN doesn't have to be an exact match of the FQDN, I believe that the domain suffix in the CN still must match the domain suffix in the FQDN. So you can have many different values and domains in the SAN fields but the domain in the CN field must match the domain specified in the FQDN. I don't have any certs to test this with now but I am pretty sure that even though the CSR generation would work, the process will fail when trying to import the cert. 

- Is ".local.corp" a public domain? It doesn't sound like it but perhaps it is :) However, if it is not, then many public CAs won't issue you a public certificate for a private domain. You can definitely give it a try and see what they say :)

Let me know what you find out!

 

Thank you for rating helpful posts!
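As an added illustration (not code from Cisco ISE or from any poster in this thread): a small Python check of which FQDNs the SAN list TAC proposed actually covers, applying the usual one-label wildcard rule. The SAN entries are the example names from the TAC suggestion above; the candidate host names are constructed.

```python
"""Check which host names a certificate's DNS SAN entries actually cover.

Added illustration for this thread; not Cisco ISE code and not from any
poster. TAC_SAN_LIST is the constructed example from the TAC suggestion:
two internal node names plus a public wildcard.
"""


def san_matches(san_entry: str, hostname: str) -> bool:
    """Compare one DNS SAN entry against a host name, RFC 6125 style.

    A wildcard is honoured only as the whole leftmost label and matches
    exactly one label, so '*.public.com' covers 'guest.public.com' but not
    'public.com' or 'a.b.public.com'. Comparison is case-insensitive and
    ignores a trailing dot.
    """
    san = san_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    # The wildcard stands in for exactly one label; the rest must be identical.
    return len(san_labels) == len(host_labels) and san_labels[1:] == host_labels[1:]


def covered_by(san_list, hostname: str):
    """Return the SAN entries that cover hostname (empty list = not covered)."""
    return [s for s in san_list if san_matches(s, hostname)]


# Constructed SAN list quoted from the TAC suggestion in the thread.
TAC_SAN_LIST = ["isenode1.local.corp", "isenode2.local.corp", "*.public.com"]


def coverage_report(san_list, hostnames):
    """Map each candidate FQDN to the SAN entries (if any) that cover it."""
    return {h: covered_by(san_list, h) for h in hostnames}


if __name__ == "__main__":
    candidates = [  # constructed candidate names
        "isenode1.local.corp",  # internal node FQDN, explicitly listed
        "isenode1.public.com",  # node renamed into the public domain
        "guest.public.com",     # portal name under the public domain
        "public.com",           # wildcard does not cover the bare domain
        "a.b.public.com",       # wildcard covers one label only
        "isenode3.local.corp",  # a third node would need its own SAN entry
    ]
    for host, matches in coverage_report(TAC_SAN_LIST, candidates).items():
        print(f"{host:22} -> {matches or 'NOT COVERED'}")
```

Whether a CA will issue such a mixed certificate, and whether ISE will import it given the CN/FQDN check discussed above, is a separate question the matcher does not answer.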

To update, I was able to change the domain name on both servers without issue.

 

Thanks,

 

Joe

That is good to hear, Joe! Did you complete the hostname changes without having to perform any additional tasks, or...?

Thanks!

Hi,

Can you tell how you did that?

Thanks

I logged into the cli via ssh and did a no ip domain-name olddomain.com

then

ip domain-name newdomain.com

restarted the appliance completely.

Hope this helps.

Joe

Hi

And what about the EAP and admin certificates? You are using the certificate from your internal CA. I believe that for that you are using the internal CA and for the portal you are using an external CA. It would be a great help if you could brief us about that.

Thanks

You are correct, we are using a certificate signed by our internal CA for EAP connections and one from an external CA for admin and portal access.

Thanks,

Joe

Thank you Joe, and special thanks to Neno. Without Neno an ISE discussion is not complete :)

Wow, this is an old thread but I am glad that it is still providing help to others :)

wyfy-2015 - Thank you for the compliment!

joeharb - Thank you for taking the time to come back and post info about this (+5 from me as well).

Now, if this issue was resolved, we should mark the thread as "answered" ;)

Thank you for rating helpful posts!

I have a similar issue. Just to clarify, what did you need to change to migrate from using an internal cert for admin and portal? Just change the domain name on each ISE node, reboot and apply the public certificate? Are you using a wildcard certificate?