ISE cube - 2 nodes - need to change the DNS domain - disruptive or no?

vattanassov
Level 1

ISE cube of 2 nodes in HA.

Need to change the DNS domain.

This will make the certificates (from CA) invalid.

Will this break the sync between ISE node A and node B?

Will this lead to a restart of most of the services?

I am aware the EAP AuthC will stop, until a new cert is installed.

The same for Guest Portal and AuthC there.

Any other risk/issue?

What to take care about?

 

thanks!

2 Accepted Solutions

Greg Gibbs
Cisco Employee

See the warning in the CLI Reference Guide around changing the domain name on the ISE nodes. This change will have a significant impact and cause multiple outages.

Changes to the Admin certificate will cause a restart of the ISE services.

In addition to having to update the certificates, the 'ip domain-name' command can only be executed when the node is in Standalone mode. As such, you will need to break the cluster, wait for ISE services to restart, then change the domain name.

If your ISE nodes are joined to AD, you will also need to leave the domain, delete the old computer accounts in AD, then re-join the domain after the cluster is re-established with the new names.


thomas
Cisco Employee

Please read the ISE Administrators Guide: Change the Hostname or IP Address of a Standalone Cisco ISE Node

Searching on "domain name" in the guide I found many caveats.

 

> This will make the certificates (from CA) invalid.

Yes.

 

> Will this break the sync between ISE node A and node B?

Yes, since they must be in Standalone mode per the instructions above.

 

> Will this lead to a restart of most of the services?

It explicitly says a service restart is required.

 

> I am aware the EAP AuthC will stop, until a new cert is installed.

RADIUS will continue to work except for when the service is restarting. Will they trust your cert? Depends on how the supplicant is configured. Network devices don't care as long as they can still reach it.

 

> The same for Guest Portal and AuthC there.

Guest Portals will continue to work except for when the service is restarting. Browsers will not trust it but the pages would still be accessible if the user chooses to ignore.

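Both answers above come down to the certificates no longer matching the nodes' names once the domain changes. As an added example (not from the thread or from Cisco documentation), this Python check lists which certificates have no SAN entry covering the new FQDNs, so they can be requested before the change window. The hostnames, domains and certificate labels are constructed, and the matching follows the RFC 6125 wildcard rule.

```python
# Added example: all hostnames, domains and certificate labels are constructed.

def san_matches(hostname, pattern):
    """RFC 6125-style dNSName match: case-insensitive; '*' is honoured only
    as the whole leftmost label and stands for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Refuse wildcards directly under a TLD-like suffix (e.g. "*.com").
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def certs_to_reissue(certs, new_domain):
    """Return {cert label: [new FQDNs that no SAN entry covers]} for every
    certificate that would fail name validation after the domain change."""
    report = {}
    for label, cert in certs.items():
        missing = [
            f"{short}.{new_domain}"
            for short in cert["hosts"]
            if not any(san_matches(f"{short}.{new_domain}", san)
                       for san in cert["sans"])
        ]
        if missing:
            report[label] = missing
    return report


# Constructed inventory: which node short names each certificate serves and
# the SAN dNSName entries it currently carries.
CERTS = {
    "admin/ise-a": {"hosts": ["ise-a"], "sans": ["ise-a.old.example.com"]},
    "admin/ise-b": {"hosts": ["ise-b"],
                    "sans": ["ise-b.old.example.com", "ise-b.new.example.com"]},
    "eap": {"hosts": ["ise-a", "ise-b"], "sans": ["*.old.example.com"]},
    "portal": {"hosts": ["ise-a", "ise-b"], "sans": ["*.new.example.com"]},
}

if __name__ == "__main__":
    for label, names in certs_to_reissue(CERTS, "new.example.com").items():
        print(f"{label}: reissue, no SAN covers {', '.join(names)}")
```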
