ISE HA and CA deployment without a DNS server

yfukudom
Cisco Employee

Could someone let me know of anything to take notice of prior to an ISE deployment in HA where no DNS server is deployed?

ISE is also expected to publish client certificates for EAP-TLS auth.


1 Accepted Solution

yfukudom
Cisco Employee

Thanks a lot for comments, folks.

Finally, after installing the certificate of the secondary ISE server on the client hosts, it worked.


8 Replies

Aaron Woland
Cisco Employee

I'm very confused by your query.

What does EAP-TLS auth have to do with DNS?

Please see my blog post on how certificate authentications work here: http://www.networkworld.com/article/2226498/infrastructure-management/simply-put-how-does-certificate-based-authentication-work.html

Is your concern about querying the OCSP service?

Always keep in mind that DNS is a mission-critical application for networking, in general. It will be needed for Active Directory - even simple web browsing.

-Aaron

The partner who is asking deploys a closed/separated LAN for hospitals by design, where there is no DNS/AD server, from a cost-reduction perspective.

-Dome

So the endpoint has NO DNS resolution. That still won't affect the EAP-TLS authentication. It WILL, however, impact all advanced services that use URL redirection (WebAuth, Guest, MDM, etc.). Are those types of services being deployed?

-Aaron

There are only web/application/DB servers and file servers inside the LAN. All hostnames that need to be resolved by client hosts are written in the local hosts file.

(Updates)

A partner is building up this environment for testing required prior to a proposal, but has been facing an issue when shutting down the primary ISE, expecting the secondary one to take over all roles of the primary. While the primary is shut down, no EAP-TLS authentication succeeds, as the partner claims. Some consideration in the ISE configuration seems to be needed, and any comments would be greatly appreciated.

[Attachment: ISE_HA-status.png - screenshot of the ISE HA status]

Cory Peterson
Level 5

You can get around the DNS/FQDN requirement in ISE HA by using the ip host configuration command in the ISE CLI. It will require a restart of the ISE services any time you add a host.

In config mode the command is "ip host A.B.C.D ISE-PAN01.example.com"
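As an added example (not from this thread, Cisco, or ISE itself), a stdlib-only Python check for the workaround above: given the deployment's node FQDNs with their expected addresses and the text of a hosts file (both constructed sample values), it reports nodes that resolve to nothing or to a stale address and emits the matching ISE config-mode `ip host` commands.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample deployment: node FQDN -> expected IP (placeholder values).
ISE_NODES = {
    "ise-pan01.example.com": "192.0.2.11",
    "ise-pan02.example.com": "192.0.2.12",
    "ise-psn01.example.com": "192.0.2.21",
}

# Constructed sample hosts file: a comment, an alias, one stale entry, one node missing.
SAMPLE_HOSTS = """\
# local hosts file on a host with no DNS
127.0.0.1   localhost
192.0.2.11  ise-pan01.example.com ise-pan01
192.0.2.99  ise-pan02.example.com   # stale: PAN02 was re-addressed
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname/alias (lower-cased) to its IP, skipping comments and bad lines."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not a valid IPv4/IPv6 address
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip)  # first match wins, as resolvers do
    return mapping


def check_nodes(hosts_text: str, nodes: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (missing FQDNs, FQDNs resolving to the wrong IP) against the expected map."""
    resolved = parse_hosts(hosts_text)
    missing = [f for f in nodes if f.lower() not in resolved]
    mismatched = [f for f, ip in nodes.items()
                  if f.lower() in resolved and resolved[f.lower()] != ip]
    return missing, mismatched


def ise_ip_host_commands(hosts_text: str, nodes: Dict[str, str]) -> List[str]:
    """ISE config-mode 'ip host A.B.C.D fqdn' lines for every node that does not resolve
    correctly (the thread notes ISE services restart when a host entry is added)."""
    missing, mismatched = check_nodes(hosts_text, nodes)
    return [f"ip host {nodes[f]} {f}" for f in missing + mismatched]


if __name__ == "__main__":
    for cmd in ise_ip_host_commands(SAMPLE_HOSTS, ISE_NODES):
        print(cmd)
```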

Thanks for your comment.

I have received a screenshot of the ISE HA status, added to my question, and would like to know any other steps to troubleshoot, as HA itself seems good.

Are you able to recreate this issue in your own lab?

No DNS in a deployment is not well supported. DNS can run on a royalty-free Linux or BSD so it would not cause the customer or partner much extra. ISE PoV kit includes a VM to run common network services.

