Domain DNS ISE 1.2

Question: Can the DNS domain name in ISE 1.2 be different from the AD domain that ISE is joined to?

Situation: I have an internal AD domain, "mydomain.local".  ISE is currently set up with mydomain.local as the DNS domain, so the hostname is isebox.mydomain.local, and it is also joined to this domain.  The problem comes with the certificate for HTTPS (management, comments, etc.), especially the guest portals.  If I use a certificate for isebox.mydomain.local, guest users (who do not have our internal certification authority) get a certificate error.  The certificate used for the HTTPS sites in ISE should match the hostname of the ISE.  This seems to be an unsolvable problem.  I must have mydomain.local as the DNS domain so that I can join ISE to mydomain.local.  But if I use this domain, I can't issue a public cert for the ISE domain, because I can't get a public certificate for a .local domain.

My idea was to set the DNS domain to the public domain (abc123.com) but still join my internal domain (mydomain.local).  I found a few vague references saying that this is not a supported configuration, and even that it does not work at all.  Could someone please tell me if it works?  Or, even better, a better/easier way to solve this problem.

Thank you!

I use a public certificate on my deployment of ISE.

The AD name of my ISE box is mti-ise-serv1.local

The URL of my ISE box is mti-ise-serv1.domain.com (using internal DNS, not accessible from outside my network)

I use a public certificate for the HTTPS management side and a certificate from my internal CA for EAP-TLS authentication.  If you would like more information on how I set it up, I'd be happy to help.
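The thread's core point is that the name on the portal certificate must match the hostname clients connect to, and that a public CA will not issue for a .local name, so guests without the internal CA always get a warning. The following is an added example, not code from the thread or from Cisco, that makes both checks explicit: an RFC 6125-style name match (SAN first, CN ignored when a SAN is present, strict wildcard rules) and a test for names a public CA cannot certify. The certificates are constructed dicts rather than parsed PEM so it runs offline; isebox.mydomain.local and abc123.com come from the question, and guest.abc123.com is a hypothetical portal name.

```python
"""Added example, not from the thread: check a certificate's names against the
hostname guests will type, and flag names no public CA can issue for.

Certificates are constructed dicts (subject CN + SAN dNSNames), not parsed PEM,
so this runs offline. The names come from the thread (isebox.mydomain.local,
abc123.com); guest.abc123.com is a hypothetical portal name.
"""
import ipaddress

# RFC 6762 reserves .local for mDNS; publicly trusted CAs treat it, .localhost,
# bare single-label names and IP literals as "internal names" and will not
# issue for them. Add your own private suffixes here.
NON_PUBLIC_SUFFIXES = (".local", ".localhost")


def is_publicly_issuable(hostname: str) -> bool:
    """True only if a publicly trusted CA could certify this name."""
    name = hostname.rstrip(".").lower()
    if "." not in name:
        return False
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        pass
    return not name.endswith(NON_PUBLIC_SUFFIXES)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: exact match, or '*' as the entire leftmost
    label standing for exactly one label (so *.abc123.com does not cover
    a.b.abc123.com, and *.com is rejected)."""
    p = pattern.rstrip(".").lower().split(".")
    h = hostname.rstrip(".").lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(h) >= 3 and p[1:] == h[1:]
    return p == h


def cert_names(cert: dict) -> list:
    """Names a browser will compare: SAN dNSNames when present, otherwise
    (legacy behaviour only) the subject CN."""
    san = cert.get("san_dns") or []
    return list(san) if san else [cert["subject_cn"]]


def evaluate_portal_cert(cert: dict, hostname: str, client_trusts_issuer: bool) -> dict:
    """Predict what a client connecting to `hostname` will see.
    client_trusts_issuer models whether this client has the issuing CA in its
    trust store (domain PCs: yes for the internal CA; guests: public CAs only)."""
    matched = next((n for n in cert_names(cert) if dns_name_matches(n, hostname)), None)
    return {
        "hostname": hostname,
        "matched_name": matched,
        "hostname_ok": matched is not None,
        "issuer_ok": client_trusts_issuer,
        "publicly_issuable": is_publicly_issuable(hostname),
        "browser_warning": matched is None or not client_trusts_issuer,
    }


# --- constructed certificates -------------------------------------------------
INTERNAL_CA_CERT = {  # what the question's author has today
    "subject_cn": "isebox.mydomain.local",
    "san_dns": ["isebox.mydomain.local"],
    "issuer": "CN=MyDomain Internal CA",
}
PUBLIC_CERT = {  # a public cert on a public-domain name, as the reply suggests
    "subject_cn": "isebox.abc123.com",
    "san_dns": ["isebox.abc123.com", "guest.abc123.com"],
    "issuer": "CN=Example Public CA",
}
MIXED_CERT = {  # CN on .local, SAN on the public name: the CN is ignored
    "subject_cn": "isebox.mydomain.local",
    "san_dns": ["isebox.abc123.com"],
    "issuer": "CN=Example Public CA",
}


def demo() -> list:
    """Guest (no internal CA) vs domain PC (has internal CA) against each setup."""
    return [
        evaluate_portal_cert(INTERNAL_CA_CERT, "isebox.mydomain.local", client_trusts_issuer=False),
        evaluate_portal_cert(INTERNAL_CA_CERT, "isebox.mydomain.local", client_trusts_issuer=True),
        evaluate_portal_cert(PUBLIC_CERT, "guest.abc123.com", client_trusts_issuer=True),
        evaluate_portal_cert(MIXED_CERT, "isebox.mydomain.local", client_trusts_issuer=True),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first two results reproduce the question: the same internal-CA certificate is fine for a domain PC and a warning for a guest. The third shows the reply's approach, a public name that internal DNS resolves, and the fourth shows why moving only the CN does not help: once a SAN is present, browsers never look at the CN.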

Tags: Cisco Security

Similar Questions

  • Unable to join the domain "DNS name does not exist."

    Working on this computer remotely in my company, it has more a problem but at this moment, that we focus on trying to reach the area. We removed everything first to see if it would fix the trust relationship issues she felt the long side not being able to browse the files all computer network or servers.
    When trying to join the field, that's what we get in the dcdiag.txt in the debug folder.
    The domain name 'xxxxx' can be a NetBIOS domain name.  If this is the case, check that the domain name is properly registered with WINS.
    If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.
    The following error occurred when DNS was questioned about the resource record (SRV) service location used to locate an Active Directory (AD DC) domain controller for the domain "xxxxx":
    The error was: "the DNS name does not exist."
    (0x0000232B RCODE_NAME_ERROR error code)
    The query was for the SRV record for _ldap._tcp.dc._msdcs.xxxxx
    Common causes of this error are:
    -The DNS SRV records to locate an AD DC for the domain are not registered in DNS. These records are automatically saved with a DNS server when an AD domain controller is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:
    198.6.1.5
    198.6.100.38
    -One or more of the following areas do not include delegation to its child zone:
    XXXXX
    . (the root zone)
    XXXXX = domain
    Also the listed IP addresses have been changed.

    I worked on this computer for about 2 days, and then the user is able to work remotely with a server terminal server, they will need access to the server later.

    Reset the network device - completely.  Uninstall the network driver and have someone there install the latest manufacturer.

    Manually enter the DNS information for the DNS servers of your company on the computer - even if it uses DHCP.

    Make sure that its time/time zone is the same as your DNS server.

    Reset all default HOSTS file.

    Ping the DNS server.

    When you join - use the FQDN (mycompany.local, etc..)

  • Definition of domain DNS client VPN

    This seems to be a simple question, but I have difficulty finding an answer. Connect to a VPN 3000 using the client VPN Cisco 4.0. Is there a setting that I can do on the 3000 that will set the domain name DNS on the client. I have it plugged into the hub and he gave me an IP address, the list of list of WINS servers, DNS servers,... but it has not defined the domain name for the connection. Is this possible?

    Thank you

    Greg

    Configuration - users - groups - Client Config - default domain name management

  • Issue of domain PC ISE

    I'm trying to figure out how to grant access to users based on user authentication and computer accounts. I am trying to configure our ISE so that if a user on our domain connects to wifi it will check to see if the PC they reliant is a member of our domain. If the computer is a member of the domain they get full access to our network. If they are not members of our field, that they will be in one vlan different that only has access to the Internet. Finally, I would like to have a group in active directory for computer accounts that are allowed on the wifi. Is a facility such as this? I've tried a few things and I can't do the part of computer account to work.

    Sent by Cisco Support technique iPhone App

    Hi Eric,.

    We can create different rules in the authorization policies according to the your scenarios. You ask we can configure the following rule

    Step 1

: Before the user enters their credentials... the machine will be authorized to access the network when it starts

    iselabin.local:ExternalGroups is Domain computers

    Step 2

    : The user will enter the credentials and will receive access allowed because of rule 2.

    Access network: WasMachineAuthenticated == True

    AND

    iselabin.local:ExternalGroups is Domain users

You must also go through the MAR that you use for user + machine authentication. Here is the link where you can find the MAR article:

    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354105.

  • Former (incorrect) host names remain in the DNS system on the new unique domain

    Hello.

    Months ago, we have merged a few areas in a new and unique area. We have three domain controllers (Windows 2008 R2) and all work DNS. DNS is integrated with Active Directory.

    I was just poking around today and noticed that the old host of an old domain DNS names. I deleted the folders, but they just come back. These computers were recreated, to my knowledge, there should not be any residual information from the old domain on computers.

    I run nslookup and checked for the old servers DNS, but the only one of the name servers that are found are the three new DC, as expected. I also connected on each domain controller and delete records on each, thinking that maybe the records have been replicated throughout the domain.

    I don't have any idea how these folders are created. Can anyone offer insight? It drives me crazy!

    Thank you very much.

    Post in the Windows Server Forums:
    http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer/

  • ISE using 2 domains with knotted confidence

    Hello

    I need authenticate users of network wireless from two different domains

    ABC.Company.com

    CDE.Company.com

    There is a trust between the domains and ISE joined abc.company.com and it can authenticate and authorize users without problems.

    Cde.company.com users cannot be authenticated (I don't get not yet part of the authorization).

    My list of source of identity has only external ID listed and when I see what is the cause of the failure, the message indicates that the authentication failed (no permission) because the user is not found in any listed identity.

    Now, users from abc and cde companies connect with their user names only. Should they try to connect with cde.company\username or something?

    Did anyone done this before?

    Thank you.

    Hi you can check logs of ad after seeing them in trace mode. Also check the type approval and make sure that it is set to outside.

    Sent by Cisco Support technique Android app

  • ISE 1.2 Active Directory issue

    Hello

    I have a question about the use of Active Directory as a Source of external identity.

    Our client has 4 servers in their field and so 4 DNS entries for the domain. When I join ISE domain DNS resolves an address and use this machine to perform the join operation. What happens if the machine breaks down afterwards - my node ISE should leave and then re - join the domain or is managed by another method?

    Thank you

    Alan

Assuming they are part of the same domain, ISE AD will learn all the domain controllers in the domain, and you'll probably find after a while that it has attached to a different domain controller. We have more than 100 DCs in our domain and it works fine; no intervention is required for it to connect to a different domain controller if the one it was connected to disappears.
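Both the "DNS name does not exist" thread above (the failing query was for _ldap._tcp.dc._msdcs.xxxxx) and this ISE question come down to the same mechanism: a domain member finds its domain controllers through SRV records under _msdcs, and because the answer lists every DC, a joined member such as ISE can move to another DC without any re-join. The following is an added example, not code from either thread or from Cisco, that builds the locator name, parses an SRV answer, and orders the targets by RFC 2782 priority and weight; an empty answer is the NXDOMAIN case from the dcdiag output. The answer text is constructed in dig-style presentation format for the mydomain.local name used in the ISE question, and dc1, dc2 and dc-dr are hypothetical hosts.

```python
"""Added example, not from either thread: the SRV-based domain controller
lookup that a joining client (the dcdiag output) and an already-joined member
such as ISE both rely on, with RFC 2782 priority/weight ordering.

SAMPLE_ANSWER is a constructed answer in dig-style presentation format for the
domain name used in the ISE question (mydomain.local); dc1/dc2/dc-dr are
hypothetical hosts.
"""
import random
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# one dig-style line: <owner> <ttl> IN SRV <priority> <weight> <port> <target>
SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def dc_locator_name(ad_domain: str, site: str = "") -> str:
    """Owner name of the locator query (the one named in the dcdiag error).
    A client that knows its AD site tries the site-specific name first."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{ad_domain}"
    return f"_ldap._tcp.dc._msdcs.{ad_domain}"


def parse_srv_answer(answer: str) -> list:
    """Parse SRV lines; comments (';') and unrelated lines are skipped."""
    records = []
    for raw in answer.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if m:
            records.append(SrvRecord(int(m["prio"]), int(m["weight"]),
                                     int(m["port"]), m["target"].rstrip(".")))
    return records


def order_targets(records: list, rng=None) -> list:
    """RFC 2782 selection: lowest priority first; within one priority, draw
    repeatedly in proportion to weight. Weight-0 entries are taken only after
    the weighted ones (a simplification: the RFC gives them a small chance)."""
    rng = rng or random.Random()
    by_prio = {}
    for r in records:
        by_prio.setdefault(r.priority, []).append(r)
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(r.weight for r in pool)
            pick = pool[0]
            if total > 0:
                x, acc = rng.randint(1, total), 0
                for r in pool:
                    acc += r.weight
                    if acc >= x:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def locate_dc(answer: str, rng=None) -> dict:
    """Candidates to contact, in order. An empty answer is the thread's
    'DNS name does not exist' case (RCODE 3, 0x232B): the records are not
    registered in, or not reachable through, the DNS servers the client uses."""
    recs = parse_srv_answer(answer)
    if not recs:
        return {"status": "no-srv-records", "candidates": []}
    return {"status": "ok",
            "candidates": [f"{r.target}:{r.port}" for r in order_targets(recs, rng)]}


# constructed answer: two equal-weight DCs, one weight-0 fallback at lower priority
SAMPLE_ANSWER = """\
; constructed lookup of _ldap._tcp.dc._msdcs.mydomain.local
_ldap._tcp.dc._msdcs.mydomain.local. 600 IN SRV 0 100 389 dc1.mydomain.local.
_ldap._tcp.dc._msdcs.mydomain.local. 600 IN SRV 0 100 389 dc2.mydomain.local.
_ldap._tcp.dc._msdcs.mydomain.local. 600 IN SRV 10 0 389 dc-dr.mydomain.local.
"""

if __name__ == "__main__":
    print(dc_locator_name("mydomain.local"))
    print(locate_dc(SAMPLE_ANSWER, random.Random(1)))
    print(locate_dc("; empty answer (NXDOMAIN)\n"))
```

To reproduce the dcdiag check by hand, query the locator name against the DNS servers the client is actually configured to use (the addresses dcdiag lists), not against a public resolver: the thread's failure means exactly that those servers do not hold or forward the _msdcs zone.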

  • VCS - C VCS-E DNS

    Dear,

    I have two VCS-E and VCS - C and I followed the VCS - C and E Deployment guide please help me with the following:

1. In the VCS Expressway-E deployment guide, the pattern string ((?. * @% localdomains%.*$).*) - what should I use instead of localdomains? What is the DNS domain record?

2 - I did everything as the guide suggested, but I do not understand the DNS part. Can anyone briefly explain it to me, or give me an example, because I want units to be able to call me from outside and I'm not a DNS expert, please help

Do you have any SIP domains configured on your Expressway?  You can leave %localdomains% as it is, as that will match all SIP domains configured on your Expressway.  If you do not have any SIP domains set up, replace it with whatever your domain is.

    Insofar as the DNS records, I guess you're talking about SRV records?  If so, see some of the discussions in the forums below.

    VCS-Expressway-and-Endpoint-DNS-Registration

    VCS-Expressway-cluster-DNS-SRV-Records

    DNS-SRV-record-issue-VCS-Expressway

Essentially, you have an A record for your Expressway, which will be its FQDN, and on your external domain you create SRV records for each type of service that point to the Expressway's FQDN.

  • Change of domain in the CTS Manager invalidate the license?

    I need to change the field used in the existing CTS-Manager, but I'm afraid that if I do so, the license will be becomes invalid and CTS - Man will be unusable until I can get a new permit. Will be invalid license if I changed the domain?  I know that I need to import the LDAP server certificates and exchange news, but I want to assure you that I do not lose the license. I couldn't find the answer in the documentation. Help, please.

    Thank you

    Tony

    Tony:

    CTM is installed on a physical server or VM Ware?

On your question - changing the domain name on the CTS Manager will change the license MAC, which would be... no - I just tried changing only the domain name on my CTS Manager in the lab, and after it restarted, the license MAC remained unchanged.

    If you change the DNS servers, however, the MAC license will change - seen elsewhere on the field and in my lab.

    As a general rule:

    On a CTM installed on a physical server license MAC will not change if you change the name of domain/DNS.  It must always be the same.

    On CTM as VM, MAC license will only change if you change some settings.  The MAC license is generated according to certain parameters, so if you change those, MAC license will change accordingly.

    I still need to find a specific list to the Community trade mark as to what will change the license MAC, but it should be similar to the list of items found on the side CUCM:

    http://www.Cisco.com/en/us/partner/docs/voice_ip_comm/CUCM/rel_notes/8_0_1/Delta/VMware.html#wp1054450

    HTH-

    Tina

  • Using vm as DC, DHCP and DNS

    Can I configure vm to use my controller domain, DNS and DHCP servers?

    If so, how can I statically assign my choice for my DNS and DHCP IP?

    Can I configure vm to use my controller domain, DNS and DHCP servers?

    Yes.

    If so, how can I statically assign my choice for my DNS and DHCP IP?

    Just change the network settings of the virtual machine within the guest OS and assign parameters in the appropriate subnet. You can also consider turning off the service DHCP from VMware. With VMware Workstation in place, it is much easier, since you can add additional virtual networks and enable/disable DHCP for each virtual network separately from the GUI.

    André

  • AD domain multiple access

    We are a Windows 2 k 3/2 k 8 and shop VDI View 5.0.1, having recently taken over a sister agency with their own AD domain. We would like to set up our view environment to allow this new group to connect to their own AD domain within our VDI environment. We have recently set up a trust AD successful between the two primary AD domains. Given that this trust has been created, I now see a red alert in my view of dashboard the IUG view under "other components\Domains".

    Red status...

    • "The trust relationship could not be determined."
    • "Error detected domain status. Administrator display is unable to perform operations related to the field. »

    However, outside of the view, access of trust on the workstations within each area properly. In addition, the view client does not allows you to select a different domain.

    What else do I need to do in the many components of the view to allow access of the VDI in this another AD domain?

    Thanks in advance...

    Scott

    Hillsborough County SA


    You may need to add the Domain NETBIOS name and the FQDN field via the vdmadmin utility:

    Open a command prompt of your servers from brokers/connection and run the following commands:

vdmadmin -N -domains -include -domain <FQDN of the domain to add> -add

    Output should look like this: "Domain <FQDN> has been added to the list for inclusion to the cluster."

    vdmadmin -N -domains -include -domain <NETBIOS name of the domain to add> -add

    Output should look like this: "Domain <NETBIOS name> has been added to the list for inclusion to the cluster."

    vdmadmin -N -domains -list -active

    Output should be something like this:

    Domain information ()

    ===================================

    Primary domain: <domain name> DNS:<domain FQDN>

    Domain: <NETBIOS domain name> DNS:<domain FQDN>

    Domain: <NETBIOS domain name> DNS:<domain FQDN>

    Domain: <NETBIOS domain name> DNS:<domain FQDN>

    Thank you

    Jason D.

• [Fixed] VMware Workstation 9 and DNS server don't get along well

    Hello, good afternoon

    I have the following topology for testing:

    + 1 Domain Controller and DNS server with Windows 2008 R2 Server
    + 1 server that I want to use for Lync, Exchange, etc. labs, also with w2k8 R2
    + 1 client that can be XP or Win7

    All these machines are in VMware Workstation 9.

    After enabling Active Directory and promoting the DC (dcpromo), neither the server nor the clients join the domain. Needless to say, with other virtualization software I have no problems.

    In the Virtual Network Editor... I have it, like everyone, on host-only with DHCP disabled, since they all use fixed IPs.

    Many thanks and regards

    Hello,

    Take a look at this:

    http://www.Petri.co.il/fixing-Windows-cannot-connect-to-the-domain-errors.htm

    Hope it helps

    Regards,

    Pablo.

  • Duplicate DNS computer names

    Hello

    We currently view assessment 4.6 and I'm having some problems with DNS/computer name when view creates a new machine in a pool

    When I use linked Clones, it works very well that each new machine that gets put in service has the following name in order, both the DNS and a machine virtual.

    When I install a pool for full virtual machines, saw him gives a single VM in vCentre name, but the same DNS name as the machine of model (and the first virtual machine in the pool) that means I need to rename the new machine and then join the first machine back to the domain, DNS because think that there is more.

    I'd love to use only the linked Clone machines, but a vital request we have (a database Ingres) refuses to work on related clones, but she is very happy on complete machines.

    Hope this makes sense and someone can help

    Thank you

    Dave

    With full clone provisioning you will use a custom Spec which is defined in vCenter Server.

    Change this custom specification and set the VM as 'Use Virtual Machine name' hostname

    This will solve your problem

  • Mobile environment to the new Windows domain

    We are moving our environment to a new Windows domain. Of course, it is a change in working capital, so some servers/clients will be moved while for once, others will remain. I'm looking for advice on when should I change the new domain VMware hosts, but also the Virtual Center. Do I have to have all guest operating system moved into the new field, before moving the hosts VMware and virtual center? I know it's a DNS issue that issue area... the new domain using different IP addresses for the DNS as the old.

    You can simply configure a DNS zone in the new field that passes to the DNS servers of the old domain, or create records for the esx hosts in the new DNS domain before you migrate their?

    Guests will work regardless of the host servers as long as they can see the appropriate domain / DNS servers, so you should be able to make them as and when you need.

    Kind regards

    Scott

  • Planning of the names of the dns infrastructure and host esx (FQHN)

    Greetings,

    We plan our virtual environment for ESX 3.5 on IBM xSeries hardware. The environment will be made up (initially for short term) of two ESX host machines and a server that is running Microsoft Windows Server 2003 for virtual center and VCB to backup proxy functions. My questions and concerns, consider installing the management network and the host names of the servers themselves.

    I want to ensure the safety of the ESX servers and management functions by choosing a servo for all ESX hosts IP subnet and the virtual Center. Anyone done this? The back of the draw are more limited communication with the "machines" or more complicated infrastructure network that you need to add an interface on a router or an internal firewall for proper computers can access the host ESX and virtual Center. - What someone else? Are there better ways?

    I also have questions about a naming convention good/responsible for all vmware hosts. We have example.com as a public domain. Someone also created a domain in active directory (who did not understand what they were doing) in the same domain, so my structure active directory looks like "host.example.example.com" - silly, I know. I guess that it is more appropriate to not place ESX or other host vmware in the same logical domain/dns as members active directory. While the leaves creating a separate field or using the public domain from example.com (esx.example.com). I thought for security and separation, it may be more appropriate to use "esx.example.local". This command removes any way for virtual infrastructure mingle in the public domain. All comments, thoughts, carries on this?

    I also intended to appoint guests something like the following: ESX1.something.tld, ESX2.something.tld, etc. and virtual center something like VC.something.tld. Since virtual center needs to be a member of active directory to allow the mapping to user accounts, those who cause any issies with the ESX host with different domain names complete? Are there other ways to connect to active directory without being a domain member machine? Is anyone doing or having problems with it from a security point?

    ccandia wrote:

    fhrivers,

    Thank you. I suppose that by 'local management LAN', you hear the internal local production lan do you use?

    We actuallu use 2 subnets now, private, internal, and a DMZ for guests in public (although it's hard to keep everything under this distinction more). I assume that your recommendation is just to meet the host ESX and virtual center under the internal local subnets, even as the other hosts internal and access control on virtual Center allows to regulate access to the VI3. Certainly address more easily. You have concerns the fact that VC is running on a windows platform and is therefore vulnerable as such? I was trying to come up with a good armor for VC. I guess that windows firewall is always an option, or stop the services and other standard precautions. What is your opinion of securing virtual Center?

    You're right, I want to talk about the normal subnet that all servers and users are connected to.  This works in my environment, but may not work in environments more serious questions of internal security.

    I actually run VCenter as a virtual machine in a HA cluster to eliminate the scenario of hardware failure, but I do not see why the vCenter running Windows makes it more vulnerable than any computer on your network.  Like any other essential service, I would make sure that running the server vCenter vCenter only and that essential services only run including a client anti-malware.  I tend to take an approach more inside-out security and not an outside in approach.  I'm more concerned with security at the application layer to the edge of the network.  Again, which works best for my environment.
