10-02-2013 09:51 PM - edited 03-10-2019 08:57 PM
Hello guys,
We changed the domain name of the ISE appliance and it started giving us grief. It was configured to redirect wireless users to the web registration and authentication portal. We properly added all required A records in the DNS server and looked everywhere but didn't find anything that could give any clue.
Perhaps the old FQDN got stuck somewhere in the database.
Any idea? Please help!!!
10-04-2013 02:44 AM
Hi
Check the configuration of Active Directory in the Admin portal and the DNS configuration in the Cisco ISE CLI.
10-04-2013 09:04 AM
Thanks, Muhammad,
The ISE CLI was already taken care of, but the AD portal settings were a good pointer. I'll have them changed and will try again.
Eugene
10-04-2013 10:44 AM
Case Solution:
Connecting to the Active Directory Domain
To reconnect with the Active Directory domain, complete the following steps:
Step 1 Choose Administration > Identity Management > External Identity Sources.
Step 2 From the External Identity Sources navigation pane on the left, click Active Directory.
Step 3 Enter the domain name in the Domain Name text box.
Step 4 Enter a friendly name in the Identity Store Name text box for your Active Directory identity source (by default, this value will be AD1).
Step 5 Click Save Configuration.
Step 6 To verify that your Cisco ISE node can connect to the Active Directory domain, click Test Connection. A dialog box appears and prompts you to enter the Active Directory username and password.
Step 7 Enter the Active Directory username and password and click OK.
A dialog box appears with the status of the test connection operation.
Step 8 Click OK.
Step 9 Click Join to join the Cisco ISE node to the Active Directory domain.
The Join Domain dialog box appears.
Step 10 Enter your Active Directory username and password, and click OK.
Step 11 Check the Enable Password Change check box to allow users to change their password.
Step 12 Check the Enable Machine Authentication check box to allow machine authentication.
Step 13 Check the Enable Machine Access Restrictions (MARs) check box to ensure that the machine authentication results are tied to the user authentication and authorization results. If you check this check box, you must enter the Aging Time in hours.
Step 14 Enter the Aging Time in hours if you have enabled MARs.
This value specifies the expiration time for machine authentication. If the time expires, the user authentication fails. For example, if you have enabled MARs and enter a value of 2 hours, the user authentication fails if the user tries to authenticate after 2 hours.
Step 15 Click Save Configuration.
Step 16 Create a Certificate Authentication Profile.
Step 17 Import the CA certificates into the ISE Certificate Trust Store.
Step 18 Configure the CA certificates for revocation status checking.
Step 19 Enable client certificate-based authentication.
Please check the link below for the certificate configuration:
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_admin.html#wp1122804
10-04-2013 12:41 PM
Could you please check that your device is pointing towards the right server, i.e. the IP address of ISE, so that the right domain can be pointed to?
10-04-2013 03:32 PM
Zheka,
I guess we saw a similar query in this forum before as well.
https://supportforums.cisco.com/thread/2218780
That's because the certificate presented to the client is still the OLD one. You need to generate a new cert and install it on ISE, and make sure DNS is updated.
~BR
Jatin Katyal
**Do rate helpful posts**
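The check behind the answer above, as an added example that is not part of the thread or of any Cisco tool: a client that is redirected to the portal's new FQDN resolves it in DNS and then verifies that the name is covered by the certificate ISE serves on HTTPS; a certificate that still carries the old FQDN fails that second step even when DNS is correct. The FQDNs, the A records and the two `getpeercert()`-style dictionaries below are constructed sample data, and port 8443 for the portal is an assumption.

```python
"""Added example, not from the thread: does the portal redirect target line up
with DNS and with the certificate ISE presents? Sample data is constructed."""
import socket
import ssl
import sys
from typing import Dict, List

# Constructed sample data: the node was renamed from the old domain to the new one.
OLD_FQDN = "ise.oldcorp.example"
NEW_FQDN = "ise.newcorp.example"

# Constructed stand-in for the DNS zone: the A record for the new name was added.
DNS_A_RECORDS = {NEW_FQDN: "10.0.0.10", OLD_FQDN: "10.0.0.10"}

# Constructed stand-ins for ssl.SSLSocket.getpeercert(): the stale cert was never
# regenerated after the rename, so CN and SAN still carry the old name.
STALE_PEERCERT = {
    "subject": ((("commonName", OLD_FQDN),),),
    "subjectAltName": (("DNS", OLD_FQDN),),
}
FRESH_PEERCERT = {
    "subject": ((("commonName", NEW_FQDN),),),
    "subjectAltName": (("DNS", NEW_FQDN), ("DNS", "portal.newcorp.example")),
}


def cert_names(peercert: Dict) -> List[str]:
    """Host names a browser accepts for this cert: the SAN dNSName entries, with the
    subject CN used only as a fallback when the cert has no SAN at all."""
    sans = [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match allowing one leading wildcard label (*.example)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        host_parts = host.split(".", 1)
        return len(host_parts) == 2 and host_parts[1] == pattern[2:]
    return pattern == host


def check_redirect_target(fqdn: str, dns_a: Dict[str, str], peercert: Dict) -> List[str]:
    """Return every finding that would make the redirect fail for a client."""
    findings = []
    if fqdn not in dns_a:
        findings.append(f"no A record for {fqdn}")
    names = cert_names(peercert)
    if not any(name_matches(n, fqdn) for n in names):
        findings.append(f"certificate names {names} do not cover {fqdn}; "
                        "generate a new cert and bind it to HTTPS")
    return findings


def live_check(fqdn: str, port: int = 8443, timeout: float = 5.0) -> str:
    """Do what the client browser does: a TLS handshake with hostname verification
    against the system trust store. Port 8443 is an assumption for the portal."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn):
                return f"ok: {fqdn} served a certificate valid for its name"
    except ssl.SSLCertVerificationError as exc:
        return f"certificate problem for {fqdn}: {exc.verify_message}"
    except OSError as exc:  # includes DNS resolution failures (socket.gaierror)
        return f"connection problem for {fqdn}: {exc}"


if __name__ == "__main__":
    for label, cert in (("stale cert", STALE_PEERCERT), ("fresh cert", FRESH_PEERCERT)):
        print(label, check_redirect_target(NEW_FQDN, DNS_A_RECORDS, cert) or ["no findings"])
    if len(sys.argv) > 1:  # optional: python3 check.py ise.newcorp.example [port]
        print(live_check(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 8443))
```

Run without arguments to see the constructed stale and fresh cases; pass the real portal FQDN (and port) to perform the live handshake the way a client would. The offline functions only use the SAN and CN, which is what decides whether the browser accepts the redirect, so a correct A record with an unchanged certificate still shows up as a finding.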
10-04-2013 06:34 PM
What kind of weird logic is this? What does the redirect have to do with the certificate?
Moreover, when I try to generate the new certificate I can't use it, because the old ones are associated with the HTTPS and EAP protocols, and I can't disable them because those check boxes are greyed out.