cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5029
Views
16
Helpful
9
Replies
Highlighted

Rename (Change of Hostname) of Cisco ISE Appliances !!!

Hi,

I am having the two Cisco ISE (Version: 1.1.1.268) appliances. These appliances are running in Failover with the internal CA signed certificates.

The hostnames are 19 character long with Upper cases and Hypen. Boxes are joined to the domain but freqently used to disconnect after sometime. After some investigation, we came to know that AD can accept only the 15 characters long hostname... thats the reason, one of the appliance keeps disconnected. Also, sometimes, the authentications donesn't works properly.

My question is that how to change the Cisco ISE Appliance hostnames without impacting the production and hassle?

Send me the steps in detail, or it is just a matter to change the hostname and register with DNS with new names and regenerated the certificates...???

Need expert opinion....

Thanks,

Regards,

Mubasher

Everyone's tags (3)
9 REPLIES 9
Cisco Employee

Rename (Change of Hostname) of Cisco ISE Appliances !!!

Hello Mubasher-

I recently had to do this and I want to warn you to be careful. I had to rename 4 hosts and out of 4 of them only 1 remained useable. The other hosts had to be re-built For some reason ISE nodes get very unhappy when trying to change certain things (Hostnames, timezone, etc) Also, keep in mind that even if the renaming goes well you will still impact the environment as the nodes will restart.

Here is what I did when I made the change:

1. Disjoin the ISE nodes from the domain

2. Ensure that their computer name is removed from AD

3. Update DNS records

4. Ensure that DNS records have replicated

5. Change names on ISE

6. Join nodes to the domain

Hope this helps


Thanks for rating!

Beginner

HI Neno.

HI Neno.

I know this post is old. However i wanted to know something:

One of my clients has guest portal setup. Now whenever a guest connects to this portal, the hostname of ISE is displayed on the top portion of his mobile device.

Is there a way to hide this ???

Thanks in advance.

Nick

Cisco Employee

Hi Nick-

Hi Nick-

I don't think you can hide this as it is the expected behavior since the guest portal resides on the ISE node and the client's browser must resolve that FQDN. 

With that being said, there are several ways to secure ISE from guest users. You can:

1. Configure the Guest Portal so it is "attached" to a dedicated Ethernet port on ISE. That way Guest users are not hitting the regular Management interface. 

2. You can lock down the management access of ISE to specific IPs, thus eliminating the Guest subnet from being able to access ISE's mgmt IP

I hope this helps!

Thank you for rating helpful posts! 

Beginner

hi Neno,

hi Neno,

thanks for the reply..

the security is already configured.

actually the issue i am facing is that the client had given a wierd hostname to the device and it is a 6 star Hotel. So whenever the guest logs in the portal, the name is displayed on top.

now for this reason, he wants the name changed and i have already faced the challenges of doing that. I just wanted to know if there will be any way i can make it either disappear from the top bar of the device or change the name without actually needing to change the hostname.

i understand that the Guest portal is hosted internally on ISE. so i doubt evan making a change in the DNS (without actually changing the hostname on the device) will have any effect on the display.

i was just trying to see if there is an alternative to resolve this as changing the Hostname of ISE as i have experienced can be tricky and tiresome sometimes.

what would be your suggestion.

regards,

nick

Cisco Employee

Hi Nick-

Hi Nick-

Unfortunately, I don't see any other way but to rename the ISE server. Each guest portal is given a name but that is pre-pended with the ISE node that is getting the request. I was thinking that perhaps this can be masked with a load balancer but I don't think that is an option either. Even with a load balancer, the client still resolves the ISE host:

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP.pdf

You will most likely have to get new certificates issued to the ISE nodes. 

Thank you for rating helpful posts! 

Beginner

thanks for the reply Neno,

thanks for the reply Neno,

have scheduled activity with client.

I just hope all goes well.. i am always scared to do this as everytime i did this.. i have had issues with nodes coming up... so i have also now suggested an upgrade to 1.4... i hope all goes well.

Fingers crossed now... :-)

thanks a lot for the knowledge.

Cisco Employee

Good luck! :) Let us know how

Good luck! :) Let us know how it goes!

Beginner

Neno,

Neno,

there is one more issue i see at this client site.

whenever i configure a switchport to work with ise, i see MAC addresses being dropped on that interface.

In ise, the status for device is : posture pending.

the device does not get an ip address, the device cannot ping the dns server.

there are only a few random PC that i encounter these issues on. say 2 out of 100

although many other PC on the same switch work flawlessly.

this rules out the ACL or posture redirect ACL/portal issue.

the pending status has been there for 4 days straight. and it does not recover.

i have to manually remove the configuration from the switch to get the PC back on network.

have you encountered any such issue. if yes, what were your steps to resolve it.

we are using certificate for machine auth. the internal windows firewall also has the requested services allowed in and out.

please advise.

Regards,

Nick

Cisco Employee

It is hard to tell without

It is hard to tell without knowing more about the environment and seeing some configs. Perhaps it would be best to start a new thread about this issue :) Provide as much details as possible (client types, versions and models of switches, posture/anyconnect versions, etc). 

Thank you for rating helpful posts!