ISE 3.1 Change FQDN for Deployment Nodes
01-16-2023 07:30 AM - edited 01-16-2023 07:48 AM
Hi,
I want your help about a domain change in my company, which will affect Cisco ISE.
We have already registered our Cisco ISE VMs with an FQDN which includes the legacy domain of my company.
Our case is that we want to change from ise1.xxx.gr to ise1.yyy.gr in a 2-node deployment, with primary & secondary administration nodes.
Can you please help me with how to do this and whether any downtime will occur?
01-16-2023 07:41 AM
How big is the deployment?
If you change the domain, you need to change the certs and also wherever applicable; this requires ISE to reboot also.
Check some guidelines in this OLD thread, still useful:
https://community.cisco.com/t5/network-access-control/changing-domain-name-in-the-ise/td-p/3069219
01-16-2023 07:47 AM - edited 01-16-2023 07:48 AM
@balaji.bandi thank you for your immediate response!
Our deployment is a 2-node deployment, with primary & secondary nodes. We have already imported the new certificates in the nodes.
01-16-2023 08:09 AM
Thank you for sharing the information. As @Karsten Iwen suggests, DNS may fix the issue, but I myself never tried that option, since your certs are bound to the FQDN.
01-16-2023 07:56 AM
Are you aware that your ISE deployment will likely work perfectly even if your real Domain is different from the one used on the ISE? Just your DNS needs to be able to resolve the new domain on the ISE nodes. Probably you don't need to change it.
01-17-2023 01:02 AM
@Karsten Iwen thanks for your reply! So you propose to create a CNAME entry in the DNS in order to resolve the new domain. Our problem on this is that, as @balaji.bandi mentioned, we will use the new certificates (exported from the new CA) on both ISE nodes and we are going to delete the old ones. Do you think that this is a problem?
01-17-2023 02:58 AM
The name on the certificate is not really related to the node name. You can just import the certs and assign their functions. But for the domain name I would probably configure a new zone, as you likely will use that for everything that is new.