Beginner

changing domain of ISE after POST setup

Hi

I would like to find out if one can change the domain of the ISE to another domain after ISE has fully been implemented, or do I have to rebuild the server again? ISE version is 1.1.1.

I would like to change from xyz.abc.com to just abc.com.

Thanks

Advocate

It's not recommended, but is necessary in order to work, since samaccountnames are suffixed by this setting for user authentications. I have changed mine around a few times without any negative impacts (I can't remember if it resets the database or just bounces the services). I can check in a few hours and post the output.

Tarik Admani
*Please rate helpful posts*
Advocate

I went ahead and did the change on a lab box, and you have to remove the first domain name and then enter the new domain name, i.e.

no ip domain-name abc.com

ip domain-name xyz.com

There is a disclaimer of undesired effects but it's up to you to test things out once the services come back up.

Thanks,

Tarik Admani
*Please rate helpful posts*

Beginner

Hi Tarik,

Thanks for your response.

I did the same as above, and rebooted it... did it a couple of times and the ISE came back up fine.

The reason for this is that I have added a CA-signed cert for HTTPS and EAP protocols for wireless users.

Every time the wireless users connect, they get a pop-up on iPads and iPhones saying that the cert is not verified. Once they click on accept they are connected to wireless and work fine....

Hence, I was wondering if the domain change of ISE would be the issue.

Advocate

Do you have the error message handy? The purpose of the domain name is to set a default suffix for incomplete hostname or (samaccountname) authentications. ISE is also strict when it comes to importing certs; if the FQDN of the ISE nodes doesn't match the CN of the subject name of the cert, it will not allow you to import it.

For example, ISE prefers UPN format (bob@abc.com) to authenticate. However, these days most people do not know what their domain even means or is... so they enter their username as bob... ISE then attempts DNS resolution of abc.com and then fires the query of bob@abc.com to authenticate the user. So make sure that your AD domain and your ip domain-name configuration are the same....

Here is the command reference as to what this command is used for:

http://www.cisco.com/en/US/docs/security/ise/1.1/cli_ref_guide/ise_cli_app_a.html#wp1986123

Thanks,

Tarik Admani
*Please rate helpful posts*
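
The name check described in the reply above, as an added example that is not part of the original thread: it compares the FQDN formed from the hostname plus `ip domain-name` against a certificate's CN and SAN entries. The hostname `ise01`, the certificate contents and the RFC 6125-style wildcard rule are assumptions; the certificate uses the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example with constructed data; not from the thread or from Cisco.

def node_fqdn(hostname, ip_domain_name):
    """FQDN the node presents: hostname plus the configured ip domain-name."""
    return f"{hostname}.{ip_domain_name}".lower().rstrip(".")

def _matches(pattern, host):
    """Exact match, or a single left-most '*' label (RFC 6125 style)."""
    p, h = pattern.lower().rstrip(".").split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """Extract (CN list, SAN dNSName list) from a getpeercert()-shaped dict."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cns, sans

def check_cert(cert, hostname, ip_domain_name):
    """Report whether the cert still names the node after a domain change."""
    fqdn = node_fqdn(hostname, ip_domain_name)
    cns, sans = cert_names(cert)
    return {
        "fqdn": fqdn,
        # CN vs. FQDN: the comparison the reply says is enforced at import.
        "cn_matches": any(_matches(cn, fqdn) for cn in cns),
        # TLS clients prefer SAN dNSName entries and fall back to CN.
        "client_matches": any(_matches(n, fqdn) for n in (sans or cns)),
    }

# Constructed certificate issued while the node was still ise01.xyz.abc.com.
OLD_CERT = {
    "subject": ((("organizationName", "Example"),),
                (("commonName", "ise01.xyz.abc.com"),)),
    "subjectAltName": (("DNS", "ise01.xyz.abc.com"),),
}

if __name__ == "__main__":
    for domain in ("xyz.abc.com", "abc.com"):
        print(check_cert(OLD_CERT, "ise01", domain))
```

A certificate issued under the old domain stops matching as soon as `ip domain-name` changes, so it has to be reissued for the new FQDN.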

Beginner

The server is on captive.abc.com.

The AD that the ISE queries for users is from wde.abc.com; there is a trust both ways.

Once users click on Accept, they get access to resources etc.

I understand that with Windows laptops, you would have to have the cert as a trusted certificate; the pop-up is only seen on iPhones and iPads (running version 5.1.1), not on MacBooks. I also checked the Apple website to see if the CA is trusted on version 5.1.1, checked the serial number too, all matched....

Hence the doubt that the domain-name change may have had issues with the database..

Advocate

Manish,

Can you select more details and see if the certificate also has the EKU OID for Server Authentication?

Thanks,

Tarik Admani
*Please rate helpful posts*

Beginner

Tarik,

On an iPad, I couldn't check for that...

I checked the details of the certificate via the ISE browser (as we are using it for HTTPS and EAP); the EKU is set for TLS web server and TLS client authentication.

Could it be possible that when the CSR was being generated, it could have used the old domain?

After a few hours of rebuilding it, I still have the same issue, i.e. cert not verified on iPads and iPhones. MacBooks work fine.

Beginner

Hi,

I changed the domain name of the ISE, but the redirection URL of the posture is still coming with the old domain name.

Any ideas?

Thanks,

Advocate

Please change the certificate for ISE. That would be the next place to look.

Thanks,

Tarik Admani
*Please rate helpful posts*

Beginner

Thanks Tarik, worked after changing the certs.

Beginner

Hi Tarik,

I am also trying to change the domain name on ISE v 1.4, but the command "no ip domain-name" is returning as an invalid command.

Could you please let me know how to fix this issue?

 

Thanks