Cisco ISE Domain Change Steps, Impact and Certificate Renewal

KP6677
Level 1

Hi ALL

We are planning to change the domain name on ISE with a setup running on two ISE nodes. We have ISE node names ise1.xyzindia.xyz.org and ise2.xyzindia.xyz.org. We are changing them to ise1.xyz.org and ise2.xyz.org. Trying to generate a new CSR with the new domain name to get it signed by the CA prior to the changes, but getting an error. May I know what steps need to be done, as I came across somewhere that these two nodes should be in standalone mode for generating the new CSR, the domain-name change and changing the AD server IP as well. Is my understanding right, and if somebody can brief the steps, it will be helpful. ISE is running on version 3.0.

Accepted Solution

Greg Gibbs
Cisco Employee

As stated in the Admin Guide, these changes require the node to be in Standalone mode. The CLI Guide also provides info on the impact of this change.

The following steps would be required:

  1. Backup the Configuration (optional, but recommended)
  2. Export the Internal CA Store (if using the Internal CA)
  3. Leave the current AD domain
  4. De-register the Secondary node
  5. Convert the Primary to Standalone
  6. Change the domain name on both nodes (wait for app server restart)
  7. Generate CSR on both nodes for Admin cert
  8. Install Root CA certs and signed Admin certs (wait for app server restart)
  9. Make the Primary node 'Primary' and join the secondary node
  10. Install additional certs (like EAP), regenerate the Internal CA and ISE Messaging certs, and join the domain


4 Replies

Tariq Mahmoud
Level 1

You can change the domain of ISE by using the CLI command "ip domain-name", but I don't recall if it requires a reboot.
Regarding the certificate, a new self-signed certificate will be issued for each server; once that is done, you can generate new CSRs for your ISE nodes to get a CA-signed certificate.
Make sure to do the above in a maintenance window, and you can start with one node to avoid impacting both nodes at the same time.

Arne Bier
VIP

I don't know if changing the domain name whilst the nodes are in an ISE Cube (Deployment) will work cleanly. Perhaps it will - I have never done this.

If this were my deployment, I would deregister the nodes as a first step. Even after de-registration, the services will still work (e.g. RADIUS, TACACS+) - but each node will be a standalone node. Once the node is standalone and applications are running, you can start the CLI changes. Make the changes on all of the nodes. Then create CSRs for the Admin role on each node. Install the new Admin cert on each node. Then promote the Primary PAN to Primary. And then register all the standalone nodes back in. In my opinion that is the cleanest way to do it - but it involves more work.


Hi All,

Thanks for your suggestions. We followed the steps below:

  1. Backup the Configuration
  2. Leave the current AD domain on the Secondary node
  3. De-register the Secondary node from the Primary PAN
  4. Change the hostname/domain name etc. on the secondary node (the node will restart after any change)
  5. Wait until the secondary node comes up and all services are up and running. At this point, Cisco ISE will generate a new self-signed certificate, as the hostname and even the domain name were changed. If you have a 3rd-party CA, import any Root and/or Intermediate certificates provided by the CA under Administration > Certificates > Trusted Certificates. Click Import, then choose the Root and/or Intermediate certificate and tick the relevant check boxes as they apply. Now you can generate the CSR and share it with the CA; once the signed certificate is received, bind it under Administration > Certificates > Certificate Signing Requests.
  6. Convert the Primary to Standalone, change the domain name and follow the same process as above.
  7. Make the secondary the primary node and join it back to AD.
  8. Once step 6 is completed for the primary node, swap the roles back to make the primary node the main node. Register the secondary node in the primary.
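As an added check that is not part of this thread: after the signed Admin cert is bound on a renamed node (step 5 above, and again for the primary in step 6), confirm that the certificate's CN and SAN carry the new FQDN and no longer reference the old domain before registering the nodes back together. The script below is an example written for this post, not Cisco's or ISE's own tooling; it assumes openssl is on the PATH and uses the node names from the question.

```shell
#!/bin/sh
# Example check (not from the thread): verify that an Admin certificate, or
# the certificate an ISE node presents on its admin portal, names the NEW
# FQDN in CN and SAN and carries no name under the old domain.

# check_cert_names <pem-file> <expected-fqdn> <old-domain-suffix>
# Returns 0 when CN equals the expected FQDN, a SAN DNS entry equals it,
# and no name in the cert ends in ".<old-domain-suffix>"; returns 1 otherwise.
check_cert_names() {
    pem="$1"; want="$2"; old="$3"
    cn=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    # SAN DNS names: take the line after the SAN header in the text dump
    sans=$(openssl x509 -in "$pem" -noout -text \
         | awk '/Subject Alternative Name/{getline; print}' \
         | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
    rc=0
    [ "$cn" = "$want" ] || { echo "CN is '$cn', expected '$want'"; rc=1; }
    echo "$sans" | grep -qx "$want" || { echo "SAN lacks $want"; rc=1; }
    for n in $cn $sans; do
        case "$n" in
            *".$old") echo "name '$n' still uses old domain $old"; rc=1 ;;
        esac
    done
    return $rc
}

# check_live_admin_cert <fqdn> <old-domain-suffix>
# Fetches the certificate the node serves on TCP/443 (needs network access
# to the node) and runs the same check on it.
check_live_admin_cert() {
    fqdn="$1"; old="$2"
    tmp=$(mktemp)
    openssl s_client -connect "$fqdn:443" -servername "$fqdn" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp" || { rm -f "$tmp"; return 1; }
    check_cert_names "$tmp" "$fqdn" "$old"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage once the node is reachable, e.g.:
#   check_live_admin_cert ise1.xyz.org xyzindia.xyz.org
```

Run it against each node after step 5 and again after step 6; a non-zero exit with the printed reason tells you which name is still wrong before you rejoin the deployment.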