ISE DNS CNAME Requirement

dvan
Cisco Employee

Hi,

In the ISE 2.0 Admin guide, there is a statement about a DNS CNAME record requirement for each ISE node:

Extract:

You need to add Canonical Name (CNAME) record of the ISE hostname to the DNS. Ensure that you create CNAME RR along with the A record for each Cisco ISE node. If CNAME record is not created, it might result in the alarm ‘DNS Resolution failed for CNAME <hostname of the node>’.

Other than an alarm being raised, what other functionality is impacted by the absence of a CNAME record (assume A & PTR records do exist)?

I have come across an example where a DNS server doesn't support the same value in the A and CNAME fields...

Thanks,

Denis

Accepted Solution

hslai
Cisco Employee

That paragraph is a bit misleading. If an A record exists for an ISE node, there is no need for a CNAME record created for it, unless setting up an FQDN for ISE sponsor portal, etc.

As a matter of fact, I would consider it a misconfiguration if both A and CNAME point to the same FQDN.

I logged a doc bug -- CSCva87189

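The point made in the accepted answer (an A record is what a node needs; a CNAME at the same owner name as an A record is a misconfiguration; a CNAME is only useful as an alias such as a portal FQDN) can be checked mechanically against a zone export. The script below is an added example, not part of this thread or of any Cisco tooling. It validates, for each ISE node FQDN, that an A record exists, that each address has a matching PTR, and that no CNAME coexists with other data at that name (RFC 1034 section 3.6.2 requires a CNAME to be the only record at its owner name); it also follows a portal alias to its canonical node. All hostnames, addresses and zone records are constructed for the example.

```python
"""Check the DNS records an ISE node relies on.

Added example, not from the thread. Rules checked:
  * every node FQDN has at least one A record;
  * every A address has a PTR naming the node;
  * no CNAME shares an owner name with other records (RFC 1034 3.6.2),
    and no CNAME points at itself;
  * an alias (e.g. a sponsor-portal FQDN) resolves to a canonical node.
"""
import ipaddress
from collections import defaultdict

# Constructed zone snapshot as (owner, type, rdata). Hypothetical names/IPs.
FORWARD_ZONE = [
    ("ise-pan-1.example.com.", "A", "10.10.1.11"),
    ("ise-psn-1.example.com.", "A", "10.10.1.21"),
    # Misconfiguration: a CNAME at the same owner name as the A record.
    ("ise-psn-1.example.com.", "CNAME", "ise-psn-1.example.com."),
    # Legitimate use: a portal alias pointing at a node's canonical name.
    ("sponsor.example.com.", "CNAME", "ise-pan-1.example.com."),
    ("ise-psn-2.example.com.", "A", "10.10.1.22"),   # deliberately no PTR
]
REVERSE_ZONE = [
    ("11.1.10.10.in-addr.arpa.", "PTR", "ise-pan-1.example.com."),
    ("21.1.10.10.in-addr.arpa.", "PTR", "ise-psn-1.example.com."),
]


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4/IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def index(records):
    """Group records as owner -> type -> [rdata], case-folded as DNS is."""
    by_owner = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in records:
        by_owner[owner.lower()][rtype.upper()].append(rdata.lower())
    return by_owner


def check_node(fqdn, forward, reverse):
    """Return a list of findings for one ISE node FQDN (empty means OK)."""
    fqdn = fqdn.lower()
    fwd, rev = index(forward), index(reverse)
    findings = []
    rrsets = fwd.get(fqdn, {})
    a_records = rrsets.get("A", [])
    if not a_records:
        findings.append("missing A record")
    if "CNAME" in rrsets:
        if len(rrsets) > 1:
            findings.append(
                "CNAME coexists with other records at the same name "
                "(RFC 1034 violation)")
        if fqdn in rrsets["CNAME"]:
            findings.append("CNAME points to itself")
    for ip in a_records:
        ptrs = rev.get(reverse_name(ip), {}).get("PTR", [])
        if fqdn not in ptrs:
            findings.append(f"no PTR for {ip} naming {fqdn}")
    return findings


def resolve_alias(name, forward, max_hops=8):
    """Follow CNAMEs to the canonical name; raise on a loop or long chain."""
    fwd = index(forward)
    name = name.lower()
    for _ in range(max_hops):
        cnames = fwd.get(name, {}).get("CNAME", [])
        if not cnames:
            return name
        name = cnames[0]
    raise ValueError(f"CNAME chain from {name} too long or looped")


if __name__ == "__main__":
    for node in ("ise-pan-1.example.com.", "ise-psn-1.example.com.",
                 "ise-psn-2.example.com."):
        problems = check_node(node, FORWARD_ZONE, REVERSE_ZONE)
        print(node, "OK" if not problems else "; ".join(problems))
    print("sponsor.example.com. ->",
          resolve_alias("sponsor.example.com.", FORWARD_ZONE))
```

For a live check, feed the same functions the output of a zone transfer or of per-name lookups; the logic does not change, only the source of the records. Note that the self-referencing CNAME on `ise-psn-1` is reported twice (coexistence and self-reference), and that resolving it as an alias raises rather than looping, which is the failure mode a resolver would hit.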

3 Replies

kthiruve
Cisco Employee

Hi,

Please see the usage of CNAME that is explained nicely here.

https://www.networking4all.com/en/support/domain+names/dns/cname-records/

CNAME is an alias name used in certain situations, e.g. you use wildcards in your certificates (which ISE supports), or you have to renew certificates and change the names constantly. It is for easier DNS management.

The key is that DNS resolution between ISE nodes and between endpoints and ISE nodes needs to work consistently. This is a tool to make it work.

Thanks

Krishnan

dvan
Cisco Employee

Thanks for the clarification Hsing-Tsu