DNS Domain name ISE 1.2

Answered Question
Aug 16th, 2013

Question:  Can the DNS domain name in ISE 1.2 be different from the AD domain that ISE is joined to?

Situation:  I have an internal AD domain 'mydomain.local'.  Currently ISE is set up with mydomain.local as its DNS domain, its FQDN is isebox.mydomain.local, and it is also joined to that domain.  The problem comes with the certificate for HTTPS sites (management, guest, etc...), specifically guest.  If I use a certificate for isebox.mydomain.local, guest users (that do not have our internal CA) will get a certificate error.  The certificate used for HTTPS sites in ISE has to match the hostname of ISE.  This seems to me to be an unresolvable problem.  I have to have mydomain.local as the DNS domain so that I can join ISE to mydomain.local.  But if I use that domain then I can't issue a public cert for the ISE box, because I can't get a public cert for a .local domain.

My idea was to define the DNS domain as a public domain (abc123.com) but still join it to my internal domain (mydomain.local).  I have found some vague references to this not being a supported configuration, and even that it doesn't work at all.  Could someone please tell me if this works?  Or better yet, some better/easier way to solve this problem.

Thanks!


Tarik Admani Sat, 08/17/2013 - 20:00
User Badges:
  • Green, 3000 points or more

Hi,

You should be able to configure AD-specific domain settings through the CLI; however, you will need to work with TAC on this. The command is "application configure ise", which will allow you to modify parameters such as DNS servers. However, the command reference fails to specify which parameters are configurable other than the dns.servers parameter that is referenced in the example.

http://www.cisco.com/en/US/docs/security/ise/1.1/cli_ref_guide/ise_cli_app_a.html#wp2269437



Tarik Admani
*Please rate helpful posts*

Ehsanreza Haghzare Wed, 01/21/2015 - 11:31
Hi Tarik,

I wonder if you were able to tackle this issue. I recently installed 1.3 and am facing the same issue: my AD infrastructure is based on domain.local, but I need to put a cert for the guest portal based on domain.com.

Worst of all, apparently, unlike 1.2, ISE 1.3 does not let you change the FQDN of the guest portal!

Thanks

Shawn

Correct Answer
David Boos Sat, 08/17/2013 - 20:03
I use a public certificate on my ISE deployment.

The AD name of my ISE box is mti-ise-serv1.local

The URL for my ISE box is mti-ise-serv1.domain.com (using internal DNS, not accessible from outside my network)

I use a public certificate for the HTTPS management side and a certificate from my internal certificate authority for EAP-TLS authentication.  If you would like more information about how I have it set up I'd be glad to help.

johnbullough Mon, 08/19/2013 - 08:12
What does your "hostname" show in ISE?  This is really the crux of the issue.  The HTTPS cert has to match that hostname.  So do you have a hostname like mti-ise-serv1.local or mti-ise-serv1.domain.com?  If it's mti-ise-serv1.domain.com, is the ISE system joined to the .local domain?

Thanks!

Correct Answer
David Boos Mon, 08/19/2013 - 08:15
When doing a show running-config:

hostname ise-serv1
!
ip domain-name domain.com

domain.com is my public routable domain.

When I connect to it from a browser it's ise-serv1.domain.com.

It connects fine to my AD infrastructure.
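As an added example (not code from this thread or from Cisco), here is a small Python check of the situation the thread describes: derive the FQDN that ISE presents from the hostname and ip domain-name settings, then test whether a certificate's SAN dNSNames cover it and whether the name sits under .local, which public CAs will not issue for. The suffix list, function names and sample values are my own assumptions.

```python
"""Check whether a portal certificate's names cover the FQDN ISE presents,
derived from the 'hostname' and 'ip domain-name' settings.
Added example; not part of the forum thread or any Cisco tool."""

# Assumed list: special-use suffixes a public CA will not issue for
# (.local is reserved for mDNS by RFC 6762). Extend to taste.
NON_PUBLIC_SUFFIXES = (".local", ".localhost")


def ise_fqdn(hostname: str, ip_domain_name: str) -> str:
    """Mirror show running-config: portal URL host is <hostname>.<ip domain-name>."""
    return f"{hostname.strip().lower()}.{ip_domain_name.strip().lower().strip('.')}"


def name_matches(pattern: str, fqdn: str) -> bool:
    """RFC 6125-style match: exact name, or a single leftmost wildcard label."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern == fqdn:
        return True
    if pattern.startswith("*."):
        labels = fqdn.split(".")
        # The wildcard covers exactly one label, and never a bare public suffix.
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def check_portal_cert(hostname: str, ip_domain_name: str, san_dns_names: list):
    """Return (ok, reasons): ok only when the cert covers the FQDN and the FQDN
    lives in a domain a public CA can issue for (the guest-user requirement)."""
    fqdn = ise_fqdn(hostname, ip_domain_name)
    reasons = []
    if fqdn.endswith(NON_PUBLIC_SUFFIXES):
        reasons.append(f"{fqdn} is under a non-public suffix; no public CA will issue for it")
    if not any(name_matches(n, fqdn) for n in san_dns_names):
        reasons.append(f"no SAN dNSName in {san_dns_names} matches {fqdn}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed values mirroring the thread: .local AD domain vs public domain.com
    print(check_portal_cert("isebox", "mydomain.local", ["isebox.mydomain.local"]))
    print(check_portal_cert("ise-serv1", "domain.com", ["ise-serv1.domain.com"]))
```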

Ravi Singh Sun, 08/18/2013 - 19:27
User Badges:
  • Cisco Employee

I am not sure, but I think you can. You have to remember that your AD should be registered with this DNS server so that ISE can resolve the AD domain name.

Muhammad Munir Sun, 08/18/2013 - 20:44
User Badges:
  • Cisco Employee

Hello John,

Cisco ISE supports integration with a single Active Directory identity source. Cisco ISE uses this Active Directory identity source to join itself to an Active Directory domain. If this Active Directory source has a multidomain forest, trust relationships must exist between its domain and the other domains in order for Cisco ISE to retrieve information from all domains within the forest.

However, you may create multiple instances for LDAP. Cisco ISE can communicate via LDAP to Active Directory servers in an untrusted domain. The only limitation you would see with LDAP as a database is that it doesn't support PEAP MSCHAPv2 (native Microsoft supplicant). However, it does support EAP-TLS.

For more information you may go through the link listed below:

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf

johnbullough Mon, 08/19/2013 - 08:15
This is not my problem.  I do NOT want to integrate with two domains.  I need to join my internal domain (mydomain.local), and yet have the hostname of the ISE box be that of an external URL (abc123.com).  I have to do this because ISE will only allow the HTTPS certificate to match the hostname, and for guest users that MUST be an external URL (.com, not .local).
