
changing domain of ISE after POST setup

Manish Patel
Level 1

Hi

I would like to find out if one can change the domain of the ISE to another domain after ISE has been fully implemented, or do I have to rebuild the server again? ISE version is 1.1.1.

I would like to change from xyz.abc.com to just abc.com.

Thanks


Tarik Admani
VIP Alumni

It's not recommended, but it is necessary in order to work, since samaccountnames are suffixed by this setting for user authentications. I have changed mine around a few times without any negative impacts (I can't remember if it resets the database or just bounces the services). I can check in a few hours and post the output.

I went ahead and did the change on a lab box, and you have to remove the first domain name and then enter the new domain name, i.e.

no ip domain-name abc.com

ip domain-name xyz.com

There is a disclaimer of undesired effects but it's up to you to test things out once the services come back up.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Thanks for your response.

I did the same as above, and rebooted it... did it a couple of times and the ISE came back up fine.

The reason for this is that I have added a CA-signed cert for HTTPS and EAP protocols for wireless users.

Every time the wireless users connect, they get a pop-up on iPads and iPhones saying that the cert is not verified. Once they click on Accept they are connected to wireless and work fine...

Hence, I was wondering if the domain change of ISE would be the issue.

Do you have the error message handy? The purpose of the domain name is to set a default suffix for incomplete hostname or (samaccountname) authentications. ISE is also strict when it comes to importing certs: if the FQDN of the ISE nodes doesn't match the CN of the subject name of the cert, it will not allow you to import it.

For example, ISE prefers UPN format (bob@abc.com) to authenticate. However, these days most people do not know what their domain even means or is... so they enter their username as bob... ISE then attempts DNS resolution of abc.com and then fires the query of bob@abc.com to authenticate the user. So make sure that your AD domain and your ip domain-name configuration are the same...

Here is the command reference as to what this command is used for:

http://www.cisco.com/en/US/docs/security/ise/1.1/cli_ref_guide/ise_cli_app_a.html#wp1986123

Thanks,

Tarik Admani
*Please rate helpful posts*
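
Added example, not part of the thread: a shell check with the openssl CLI of the two certificate properties this discussion turns on, whether the cert covers the node's current FQDN and whether its EKU lists Server Authentication. The hostname ise01, the file names and the throwaway self-signed cert are constructed for illustration; OpenSSL 1.1.1 or later is assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Hostnames and file names are constructed.

# Create a throwaway self-signed cert for FQDN $2 in directory $1, standing in
# for a cert that was issued before the ip domain-name change.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -addext "extendedKeyUsage=serverAuth,clientAuth" 2>/dev/null
}

# True if the cert's SAN (or the CN when no DNS SAN exists) covers FQDN $2.
cert_matches_fqdn() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q 'does match certificate'
}

# True if the EKU extension lists Server Authentication.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# Print one verdict per check for cert $1 against the node's current FQDN $2.
audit_cert() {
    local cert=$1 fqdn=$2 rc=0
    if cert_matches_fqdn "$cert" "$fqdn"; then
        echo "OK   name: cert covers $fqdn"
    else
        echo "FAIL name: cert does not cover $fqdn (reissue for the new FQDN)"; rc=1
    fi
    if has_server_auth_eku "$cert"; then
        echo "OK   EKU: Server Authentication present"
    else
        echo "FAIL EKU: Server Authentication missing"; rc=1
    fi
    return $rc
}

# Demo: cert issued under the old domain, node renamed into the new one.
tmp=$(mktemp -d)
make_sample_cert "$tmp" ise01.xyz.abc.com
audit_cert "$tmp/cert.pem" ise01.xyz.abc.com        # before the change: both OK
audit_cert "$tmp/cert.pem" ise01.abc.com || true    # after the change: name FAIL
rm -rf "$tmp"
```

To check a real node, export its certificate in PEM form and call `audit_cert` with that file and the FQDN the node has after the `ip domain-name` change.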

The server is on captive.abc.com.

The AD that the ISE queries for users is from wde.abc.com; there is a trust both ways.

Once users click on Accept, they get access to resources etc.

I understand that with Windows laptops, you would have to have the cert as a trusted certificate; the pop-up is only seen on iPhones and iPads (running version 5.1.1), not on MacBooks. I also checked the Apple website to see if the CA is trusted on version 5.1.1, checked the serial number too, all matched...

Hence the doubt that the domain-name change may have had issues with the database.

Manish,

Can you select more details and see if the certificate also has the EKU OID for Server Authentication?

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik

On an iPad, I couldn't check for that...

I checked the details of the certificate via the ISE browser (as we are using it for HTTPS and EAP); the EKU is set for TLS web server and TLS client authentication.

Could it be possible that when the CSR was being generated, it could have used the old domain?

After a few hours of rebuilding it, I still have the same issue, i.e. cert not verified on iPads and iPhones... MacBooks work fine.

Hi,

I changed the domain name of the ISE, but the redirection URL of the posture is still coming with the old domain name.

Any ideas?

Thanks,

Please change the certificate for ISE. That would be the next place to look.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik, it worked after changing the certs.

Hi Tarik,

I am also trying to change the domain name on ISE v1.4, but the command "no ip domain-name" is returning as an invalid command.

Could you please let me know how to fix this issue?

Thanks
