what is domain name for the new ISE box?

ccie14007
Level 1

Hi,

We have an AD domain called company.local. Now we want to install two ISEs. So which domain is the best practice: ise.company.local or ise.company.com?

If we use ise.company.com, can I then use public certs for all Admin, EAP and Portals?

If we use ise.company.com, can it still join the ise.company.local Windows AD?

Thanks for your help.

1 Reply

Arne Bier
VIP

Hi

At the ADE-OS level all ISE nodes have a hostname and a domain component. It's recommended to configure your hosts using the private internal domain .company.local because nobody needs to know about your hosts on the public internet. Do not confuse your host names with a public FQDN for a Guest Portal page. E.g. you only need to think about guest.company.com when you host the Guest portal on ISE. In that case you get a certificate made that contains guest.company.com in the Subject and SAN fields, and then ensure that the DNS that is handed out during DHCP does DNS 'conditional forwarding':

1) If client queries for guest.company.com then use company DNS servers to resolve the IP address

2) For all other client DNS queries send the request to the ISP.

It's all about DNS resolution at the end of the day. ise01.company.local should only be resolvable via your internal DNS.

guest.company.com (and please don't call your guest portal ise.company.com!) is just a DNS resolution that eventually resolves to the same thing as ise01.company.com - or, if you're security conscious, then guest.company.com can resolve to a secondary interface (or bond) on ISE that is in a DMZ only for Guest.

That means you keep ise01.company.local to resolve to your ISE nodes' admin interfaces (gig0/bond0).
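An added example (my own code, not from the thread or from Cisco) that models the two checks this reply relies on: which resolver a client's query should go to under conditional forwarding, and whether the names in a certificate's Subject/SAN actually cover the FQDNs clients connect to. guest.company.com and ise01.company.local are the names used in the thread; the resolver addresses and the certificate name lists are constructed sample values.

```python
from typing import Dict, List

# Constructed sample values: resolver addresses are placeholders, not real servers.
FORWARD_ZONES: Dict[str, List[str]] = {"company.com": ["10.0.0.53"]}  # company DNS servers
DEFAULT_RESOLVERS: List[str] = ["198.51.100.1"]                       # ISP resolver

def resolver_for(query: str, forward_zones=FORWARD_ZONES, default=DEFAULT_RESOLVERS) -> List[str]:
    """Return the resolvers that should answer `query` under conditional forwarding.

    Longest-suffix match, so a more specific zone beats its parent; any name
    outside every forward zone goes to the default (ISP) resolvers.
    """
    q = query.lower().rstrip(".")
    best_servers, best_len = None, -1
    for zone, servers in forward_zones.items():
        z = zone.lower().rstrip(".")
        if (q == z or q.endswith("." + z)) and len(z) > best_len:
            best_servers, best_len = servers, len(z)
    return best_servers if best_servers is not None else default

def name_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against a hostname the way TLS clients do:
    exact match, or a wildcard that is the whole leftmost label and covers
    exactly one label (so *.company.com covers guest.company.com but not
    a.b.company.com, and *.com is rejected as too broad)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    pl, hl = p.split("."), h.split(".")
    if pl[0] != "*" or len(pl) < 3 or len(pl) != len(hl):
        return False
    return pl[1:] == hl[1:]

def uncovered_names(cert_names: List[str], required: List[str]) -> List[str]:
    """Names clients connect to that no Subject CN / SAN entry in the cert covers.
    The portal cert carries public names only; a public CA will not issue for
    ise01.company.local, so the admin name stays on the internal CA."""
    return [n for n in required if not any(name_matches(c, n) for c in cert_names)]

if __name__ == "__main__":
    print(resolver_for("guest.company.com"))   # company DNS -> ['10.0.0.53']
    print(resolver_for("www.example.net"))     # everything else -> ISP
    print(uncovered_names(["guest.company.com"], ["guest.company.com", "ise01.company.local"]))
```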