Changing domain name in the ISE

muhsi_2015
Level 1

Hi,


I have two ISE nodes, primary and secondary. Both are already joined to test.local with a self-signed certificate.
Now I want to use an external CA.

In my DNS I have a zone for test.com.

So here are the steps I am going to use:

Create A records for ise01.test.com and ise02.test.com in the DNS forward zone.

Go to Deployment and deregister the second ISE.

Go to the ISE console and type: ip domain-name test.com

Do it on both ISE nodes.

Generate a CSR.

Please tell me whether the above steps are valid.

Thanks

8 Replies

Gagandeep Singh
Cisco Employee

Hi,

Recommendation is to separate the nodes and change the hostname accordingly.

The following things need to be taken care of:

1) Please note that we would need to re-generate the internal CA certificate chain after the hostname change for the ISE internal CA to continue issuing certificates.

2) Disjoin and rejoin ISE to AD for a new connection.

Changing hostname on ISE:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_011.html#ID686

Regards

Gagan

PS: rate if it helps!!!!

Hi,

Basically I am not changing the hostname (ise01, ise02) or the domain name (test.local).
The purpose is to avoid the certificate error when accessing the guest portal.
So for the guest portal I will use a certificate from an external CA, and for EAP one from our local internal CA.
Could you provide details?

Thanks

During portal communication, the PSN sends the portal certificate. In order to avoid the certificate warning, you need to trust the CA along with the intermediate by putting it in the client's trusted list.

Let me know if you need anything specific to that.

Regards

Gagan

PS : rate if it helps!!!!

If you are only changing the domain in CLI then you don't need to remove the AD integration inside the ISE application. With that said, the steps that you have listed are correct. A couple of things to note here:

- The nodes will restart when you deregister them from the cluster

- The nodes will restart when you register them back in

- The nodes will restart when you change the domain name

- If you are getting a wildcard certificate, you won't be able to use it for EAP based authentications

I hope this helps!

Thank you for rating helpful posts!

Hi,

Thank you all. I have elaborated the steps a bit; please give me your feedback.
The purpose is changing the domain name (test.local) to test.com while ISE remains joined to test.local like a member server,
so the guest users won't get a certificate warning.

Presently installed: self-signed certificate
Domain name: test.local
ISE joined to test.local


step 1:
creating A records and CNAME records in the forward lookup zone test.com

create A record in ise01 192.168.10.100 (ise01.test.com)
verify ise01.test.com will resolve to 192.168.10.100

create A record in ise01 192.168.10.101 (ise02.test.com)
verify ise01.test.com will resolve to 192.168.10.101

SAN - DNS CNAME

for the SAN, create a DNS CNAME record ise.test.com 192.168.10.100
verify ise.test.com will resolve to 192.168.10.100


step 2:

Removing the node from the cluster (ise02)
-------------------------------------
Deregister ise02 from the cluster. The node will restart.


step 3:

Changing the domain name using the CLI
------------------------------------

Once back, go to the CLI and type: ip domain-name test.com. The node will restart.

Generate a CSR on ise02. Here I will choose Admin type, so I can use it for EAP and the portals (guest and admin portal).

Go to ISE01.
In the CLI type: ip domain-name test.com. The node will restart.

Generate a CSR on ise02. Here I will choose Admin type, so I can use it for EAP and the portals (guest and admin portal).

step 4:
Importing the certificate into ISE and binding it

ise01
go back into the “Certificate Signing Requests” page. Select the CSR saved and click “Bind Certificate”.

ise02
go back into the “Certificate Signing Requests” page. Select the CSR saved and click “Bind Certificate”.

We don't import the root CA since ISE already has the external CA certificate.

step 5:

Re-register to the cluster.
When re-registering, what should be the name? ise02.test.local or ise02.test.com

Finally, am I missing something?

Thanks
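A pre-flight check for the DNS and certificate-name plan in step 1 and step 3 above, as an added example that is not part of this thread or of Cisco's tooling. It assumes the constructed addresses from the post, models the portal alias ise.test.com as a CNAME whose target is the name ise01.test.com (a CNAME record carries a name, not an address), and takes an injectable resolver so it runs offline against a constructed lookup table; the wildcard check reflects the earlier note in the thread that a wildcard certificate cannot be used for EAP.

```python
"""Pre-flight checks for an ISE domain change (constructed example, not Cisco code).

Verifies that the planned DNS names resolve to the planned addresses and that
the names in a certificate (CN plus DNS SANs) cover every FQDN the nodes and
the shared portal alias will present to clients.
"""
import socket
from typing import Callable, Dict, List, Mapping

# Constructed plan taken from the thread. A CNAME carries a target name, not an
# address, so the portal alias is modelled as pointing at ise01's A record.
EXPECTED_A_RECORDS: Dict[str, str] = {
    "ise01.test.com": "192.168.10.100",
    "ise02.test.com": "192.168.10.101",
}
EXPECTED_CNAMES: Dict[str, str] = {"ise.test.com": "ise01.test.com"}


def required_san_names(a_records: Mapping[str, str], cnames: Mapping[str, str]) -> List[str]:
    """Every name a client may use to reach a PSN must be in the CSR's SAN list."""
    return sorted(set(a_records) | set(cnames))


def table_resolver(table: Mapping[str, str]) -> Callable[[str], str]:
    """Offline stand-in for socket.gethostbyname, backed by a constructed table."""
    def resolve(name: str) -> str:
        if name not in table:
            raise socket.gaierror(f"constructed resolver: no record for {name}")
        return table[name]
    return resolve


def check_dns(a_records: Mapping[str, str], cnames: Mapping[str, str],
              resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Map each planned name to 'ok' or a description of the mismatch."""
    results: Dict[str, str] = {}
    expected = dict(a_records)
    # An alias must land on the address of the A record it points at.
    for alias, target in cnames.items():
        expected[alias] = a_records.get(target, f"<unknown target {target}>")
    for name, want in expected.items():
        try:
            got = resolve(name)
        except OSError as exc:  # socket.gaierror is an OSError subclass
            results[name] = f"unresolved ({exc})"
            continue
        results[name] = "ok" if got == want else f"resolves to {got}, expected {want}"
    return results


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # e.g. ".test.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]           # the label the '*' stands for
    return left != "" and "." not in left


def check_certificate_names(cert_names: List[str], required: List[str], for_eap: bool) -> List[str]:
    """List required names the certificate does not cover; for EAP use, also reject wildcards."""
    problems: List[str] = []
    for host in required:
        if not any(name_matches(p, host) for p in cert_names):
            problems.append(f"{host}: not covered by CN/SAN")
    if for_eap:
        wild = [p for p in cert_names if p.startswith("*.")]
        if wild:
            problems.append("wildcard name(s) not usable for EAP: " + ", ".join(wild))
    return problems


if __name__ == "__main__":
    # Constructed answers a resolver would give once the step-1 records exist.
    resolver = table_resolver({**EXPECTED_A_RECORDS, "ise.test.com": "192.168.10.100"})
    for name, status in check_dns(EXPECTED_A_RECORDS, EXPECTED_CNAMES, resolver).items():
        print(f"{name:16} {status}")
    needed = required_san_names(EXPECTED_A_RECORDS, EXPECTED_CNAMES)
    print("SAN list for the CSR:", needed)
    for issue in check_certificate_names(["*.test.com"], needed, for_eap=True):
        print("problem:", issue)
```

Run it without the constructed resolver (drop the third argument to `check_dns`) after the step-1 records are in place and the same checks go against the real zone; the SAN list it prints is what the Multi-Use CSR in step 3 should carry so that the node FQDNs and the portal alias all validate without a warning.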

I think you are good!!! It should work for you as per the steps mentioned by you.

Regards

Gagan

rate if it helps!!!!

Dear Gagan,

I am stuck at this point,

step 3:

Changing the domain name using the CLI
------------------------------------

Once back, go to the CLI and type: ip domain-name test.com. The node will restart.

Generate a CSR on ise02. Here I will choose Admin type, so I can use it for EAP and the portals (guest and admin portal).

I tried to create a CSR here, but there is no option for a CSR.

Thanks

You can generate a certificate for Multi-Use. Using Multi-Use, you can assign a single certificate to multiple services.

Administration > System > Certificates > Certificate Signing Requests

Once you generate the CSR, present it to the external CA and get the server certificate.

Come back to the same page and bind it by selecting the CSR.

Regards

Gagan

PS: rate if it helps!!!!
