DNS Domain name ISE 1.2

Question:  Can the DNS domain name in ISE 1.2 be different from the AD domain that ISE is joined to?

Situation:  I have an internal AD domain 'mydomain.local'.  Currently ISE is set up with mydomain.local as its DNS domain; its FQDN is isebox.mydomain.local, and it is also joined to that domain.  The problem comes with the certificate for HTTPS sites (management, guest, etc...), specifically guest.  If I use a certificate for isebox.mydomain.local, guest users (that do not have our internal CA) will get a certificate error.  The certificate used for HTTPS sites in ISE has to match the hostname of ISE.  This seems to me to be an unresolvable problem.  I have to have mydomain.local as the DNS domain, so that I can join ISE to mydomain.local.  But if I use that domain then I can't issue a public cert for the ISE box, because I can't get a public cert for a .local domain.

My idea was to define the DNS domain as a public domain (abc123.com) but still join it to my internal domain (mydomain.local).  I have found some vague references to this not being a supported configuration, and even that it doesn't work at all.  Could someone please tell me if this works?  Or better yet, some better/easier way to solve this problem.

Thanks!

8 REPLIES

DNS Domain name ISE 1.2

Hi,

You should be able to configure AD-specific domain settings through the CLI; however, you will need to work with TAC on this. The command is "application configure ise", which will allow you to modify parameters such as DNS servers. However, the command reference fails to specify which parameters are configurable other than the dns.servers that is referenced in the example.

http://www.cisco.com/en/US/docs/security/ise/1.1/cli_ref_guide/ise_cli_app_a.html#wp2269437

Tarik Admani
*Please rate helpful posts*

Community Member

Hi Tarik  I wonder if you

Hi Tarik 

I wonder if you were able to tackle this issue. I recently installed 1.3 and am facing the same issue: my AD infrastructure is based on domain.local, but I need to put a certificate on the guest portal based on domain.com.

Worst of all, apparently unlike 1.2, ISE 1.3 does not let you change the FQDN of the guest portal!

Thanks

Shawn

Community Member

DNS Domain name ISE 1.2

I use a public certificate on my ISE deployment.

The AD name of my ISE box is mti-ise-serv1.local

The URL for my ISE box is mti-ise-serv1.domain.com (using internal DNS, not accessible from outside my network)

I use a public certificate for the HTTPS management side and a certificate from my internal certificate authority for EAP-TLS authentication.  If you would like more information about how I have it setup I'd be glad to help.

Community Member

DNS Domain name ISE 1.2

What does your "hostname" show in ISE?  This is really the crux of the issue.  The https cert has to match that hostname.  So do you have a hostname like mti-ise-serv1.local or mti-ise-serv1.domain.com?  If it's mti-ise-serv1.domain.com, is the ISE system joined to the .local domain?

Thanks!

Community Member

DNS Domain name ISE 1.2

When doing a show running-config:

hostname ise-serv1
!
ip domain-name domain.com

domain.com is my public routable domain.

When I connect to it from a browser it's ise-serv1.domain.com.

It connects fine to my AD infrastructure.
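The two layouts in this thread (the question's isebox.mydomain.local, and the accepted answer's ise-serv1.domain.com node joined to a .local AD domain) reduce to a few checks a practitioner can run before requesting a certificate. The script below is an added example written for this page, not code from Cisco or from any of the posters: it forms the node FQDN the way the running-config above does (hostname plus ip domain-name), applies the DNS-ID matching rules browsers use to decide whether a certificate's SAN covers a name (including the one-label wildcard rule), and flags names under reserved TLDs such as .local that no publicly trusted CA will issue for. The AD domain corp.local, the SAN lists and all function names are constructed for the example.

```python
"""Preflight check for the ISE certificate question in this thread:
does the certificate a node presents cover the name guests actually browse
to, and can a public CA issue for that name at all?

Constructed example; none of this is ISE code. Inputs mirror the values in
the running-config shown in the thread ('hostname' and 'ip domain-name').
"""

# TLDs reserved for private or special use (RFC 6761 and, for .local,
# RFC 6762). Publicly trusted CAs do not issue certificates for names under
# these, which is why a .local FQDN can never get a browser-trusted cert.
RESERVED_TLDS = {"local", "localhost", "test", "example", "invalid"}


def node_fqdn(hostname: str, domain_name: str) -> str:
    """Combine 'hostname' and 'ip domain-name' the way ISE forms its FQDN."""
    return f"{hostname}.{domain_name}".lower().rstrip(".")


def is_publicly_issuable(fqdn: str) -> bool:
    """True if the name's TLD is one a public CA can issue for."""
    name = fqdn.lower().rstrip(".")
    if "." not in name:
        return False  # single-label names are not issuable either
    return name.rsplit(".", 1)[-1] not in RESERVED_TLDS


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125 style DNS-ID match: case-insensitive; a leading '*.' matches
    exactly one label and never matches the bare domain itself."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                     # "*.domain.com" -> ".domain.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]  # the label the wildcard must cover
    return bool(leftmost) and "." not in leftmost


def cert_covers(sans, hostname: str) -> bool:
    """True if any SAN dNSName in the certificate covers the hostname."""
    return any(san_matches(san, hostname) for san in sans)


def preflight(hostname, domain_name, ad_domain, sans, guest_fqdn=None):
    """Return a list of (level, message) findings for one ISE node.

    'error' findings mean guests will see a certificate warning; 'info'
    findings are configuration points the thread says need attention.
    """
    fqdn = node_fqdn(hostname, domain_name)
    guest = (guest_fqdn or fqdn).lower().rstrip(".")
    findings = []
    if guest != fqdn:
        findings.append(("info", f"guest portal name {guest} differs from node FQDN {fqdn}; "
                                 "the portal must be configured to use that name"))
    if not cert_covers(sans, guest):
        findings.append(("error", f"no SAN in {sorted(sans)} covers {guest}"))
    if not is_publicly_issuable(guest):
        findings.append(("error", f"{guest} is under a reserved TLD; no public CA will "
                                  "issue for it, so guests without your internal CA "
                                  "will get a warning"))
    if domain_name.lower() != ad_domain.lower():
        findings.append(("info", f"DNS domain {domain_name} differs from AD join domain "
                                 f"{ad_domain}; the DNS servers ISE uses must still "
                                 f"resolve {ad_domain}"))
    return findings


if __name__ == "__main__":
    # Scenario 1: the original question, node named under .local.
    for level, msg in preflight("isebox", "mydomain.local", "mydomain.local",
                                ["isebox.mydomain.local"]):
        print(f"[{level}] {msg}")
    # Scenario 2: the accepted answer's layout, public DNS domain, AD in
    # .local (AD domain 'corp.local' is a constructed stand-in).
    for level, msg in preflight("ise-serv1", "domain.com", "corp.local",
                                ["ise-serv1.domain.com"]):
        print(f"[{level}] {msg}")
```

Run it as-is to see the question's layout produce an error (reserved TLD) and the accepted answer's layout produce only an informational note about the DNS and AD domains differing; pass guest_fqdn when the portal name is not the node FQDN, and the SAN list from your actual certificate to check a real deployment.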

DNS Domain name ISE 1.2

I am not sure, but I think you can. You have to remember that your AD should be registered with this DNS server, so that ISE can resolve the AD domain name.

Community Member

DNS Domain name ISE 1.2

Hello John

Cisco ISE supports integration with a single Active Directory identity source. Cisco ISE uses this Active Directory identity source to join itself to an Active Directory domain. If this Active Directory source has a multidomain forest, trust relationships must exist between its domain and the other domains in order for Cisco ISE to retrieve information from all domains within the forest.

However, you may create multiple instances for LDAP. Cisco ISE can communicate via LDAP to Active Directory servers in an untrusted domain. The only limitation you would see with LDAP as a database is that it doesn't support PEAP-MSCHAPv2 (native Microsoft supplicant). However, it does support EAP-TLS.

For more information you may go through the link listed below:

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf

Community Member

DNS Domain name ISE 1.2

This is not my problem.  I do NOT want to integrate with two domains.  I need to join my internal domain (mydomain.local), and yet have the hostname of the ISE box be that of an external URL (abc123.com).  I have to do this because ISE will only allow the HTTPS certificate to match the hostname, and for guest users that MUST be an external URL (.com, not .local).
