Question: Can the DNS domain name in ISE 1.2 be different from the AD domain that ISE is joined to?
Situation: I have an internal AD domain 'mydomain.local'. Currently ISE is set up with mydomain.local as its DNS domain; its FQDN is isebox.mydomain.local, and it is also joined to that domain. The problem comes with the certificate for HTTPS sites (management, guest, etc...), specifically guest. If I use a certificate for isebox.mydomain.local, guest users (that do not have our internal CA) will get a certificate error. The certificate used for HTTPS sites in ISE has to match the hostname of ISE. This seems to me to be an unresolvable problem. I have to have mydomain.local as the DNS domain, so that I can join ISE to mydomain.local. But if I use that domain then I can't issue a public cert for the ISE box, because I can't get a public cert for a .local domain.
My idea was to define the DNS domain as a public domain (abc123.com) but still join it to my internal domain (mydomain.local). I have found some vague references to this not being a supported configuration, and even that it doesn't work at all. Could someone please tell me if this works? Or better yet, some better/easier way to solve this problem.
When doing a show running config:
ip domain-name domain.com
domain.com is my public routable domain
when I connect to it from a browser it's ise-serv1.domain.com
It connects fine to my AD infrastructure.
I use a public certificate on my ISE deployment.
The AD name of my ISE box is mti-ise-serv1.local
The URL for my ISE box is mti-ise-serv1.domain.com (using internal DNS, not accessible from outside my network)
I use a public certificate for the HTTPS management side and a certificate from my internal certificate authority for EAP-TLS authentication. If you would like more information about how I have it setup I'd be glad to help.
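To make the rule from the thread concrete (the HTTPS certificate must cover the name the browser connects to, and a public CA will not issue for a .local name), here is an added example written for this page; it is not code from the original posters or from Cisco ISE. It implements RFC 6125 style dNSName matching (exact match, or a wildcard as the whole left-most label) and checks a few constructed certificate records that stand in for the internal-CA and public certificates described above. The list of internal TLDs and the certificate dictionaries are assumptions made for the example.

```python
"""Certificate name coverage check for a split DNS/AD domain setup.

Added example: the certificate records below are constructed stand-ins for
the internal-CA certificate (isebox.mydomain.local) and the public
certificate (mti-ise-serv1.domain.com) discussed in the thread.
"""

# Top-level labels a publicly trusted CA will not certify ("internal names"
# under the CA/Browser Forum Baseline Requirements). Illustrative subset.
INTERNAL_TLDS = {"local", "localhost", "internal", "lan", "corp", "home"}

# Constructed certificate records: subject CN plus SAN dNSName entries.
INTERNAL_CERT = {"cn": "isebox.mydomain.local",
                 "san_dns": ["isebox.mydomain.local"]}
PUBLIC_CERT = {"cn": "mti-ise-serv1.domain.com",
               "san_dns": ["mti-ise-serv1.domain.com", "*.guest.domain.com"]}
LEGACY_CN_ONLY_CERT = {"cn": "ise-serv1.domain.com", "san_dns": []}


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lower-case, drop trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def is_publicly_issuable(name: str) -> bool:
    """True if a public CA could issue a certificate covering this name."""
    labels = _labels(name)
    if len(labels) < 2 or any(lbl == "" for lbl in labels):
        return False  # single-label or malformed name
    return labels[-1] not in INTERNAL_TLDS


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 matching: case-insensitive, same label count, and a
    wildcard only as the entire left-most label (never matching a
    two-label name such as *.com). Partial-label wildcards are rejected."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if any("*" in lbl for lbl in p):
        return False  # e.g. f*.domain.com: not supported here
    return p == h


def cert_covers_host(cert: dict, hostname: str) -> bool:
    """Clients check SAN dNSName entries; the CN is only consulted when the
    certificate carries no SAN (legacy behaviour)."""
    names = cert.get("san_dns") or ([cert["cn"]] if cert.get("cn") else [])
    return any(dns_name_matches(n, hostname) for n in names)


def portal_verdict(cert: dict, portal_host: str) -> str:
    """Summarise what a guest browser would experience for portal_host."""
    if not cert_covers_host(cert, portal_host):
        return "name mismatch: browser will show a certificate error"
    if not is_publicly_issuable(portal_host):
        return "name matches, but only an internal CA can issue for it"
    return "ok: name matches and is eligible for a public certificate"


if __name__ == "__main__":
    for cert, host in [(INTERNAL_CERT, "isebox.mydomain.local"),
                       (INTERNAL_CERT, "mti-ise-serv1.domain.com"),
                       (PUBLIC_CERT, "mti-ise-serv1.domain.com"),
                       (PUBLIC_CERT, "portal.guest.domain.com"),
                       (PUBLIC_CERT, "a.b.guest.domain.com")]:
        print(f"{cert['cn']:28} -> {host:28} {portal_verdict(cert, host)}")
```

The verdict function separates the two failure modes the question conflates: a hostname the certificate does not cover (any client errors) versus a name no public CA will issue for (only an internal CA can help, so unmanaged guests will still not trust it). Splitting the browser-facing FQDN into a public domain while the AD join stays on the .local domain, as the answer describes, is what moves the guest portal into the third, successful case.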