02-09-2016 01:29 PM
Could someone let me know of anything to take note of prior to an ISE deployment in HA where no DNS server is deployed?
ISE is also expected to publish client certificates for EAP-TLS auth.
02-18-2016 12:06 AM
Thanks a lot for the comments, folks.
Finally, after installing the certificate of the secondary ISE server on the client hosts, it worked.
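The check behind this solution, as an added example that is not part of the thread: it builds a constructed lab CA and two constructed node certificates (ISE-PAN01 issued by that CA, ISE-PSN02 self-signed), then asks openssl which of them a client's trust store accepts before and after the secondary's certificate is added to it. File names, CNs and the temporary directory are assumptions; it needs only openssl.

```shell
# Added example (not from the thread). Simulates a supplicant trust store that
# holds only the issuer of the primary ISE node's EAP certificate and checks
# which node certificates that store accepts. All names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed lab CA that issued the primary node's EAP server certificate.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Lab Issuing CA" -keyout ca.key -out ca.crt 2>/dev/null

# Primary node: certificate issued by the lab CA.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=ISE-PAN01.example.com" -keyout pan.key -out pan.csr 2>/dev/null
openssl x509 -req -in pan.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 30 -out pan.crt 2>/dev/null

# Secondary node: self-signed certificate, so it chains to nothing the client
# already trusts (the situation described in the thread).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=ISE-PSN02.example.com" -keyout psn.key -out psn.crt 2>/dev/null

# trusted_by_client TRUSTSTORE CERT -> prints TRUSTED or UNTRUSTED.
# This is the step the supplicant performs in the EAP-TLS handshake:
# validate the server certificate against its configured trusted CAs.
trusted_by_client() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo TRUSTED
  else
    echo UNTRUSTED
  fi
}

# Client trust store before the fix: only the primary's issuer.
cp ca.crt client_trust.pem
# After the fix from the thread: the secondary's certificate installed too.
cat ca.crt psn.crt > client_trust_fixed.pem

for node in pan psn; do
  printf '%s: before fix %s, after fix %s\n' "$node" \
    "$(trusted_by_client client_trust.pem "$node.crt")" \
    "$(trusted_by_client client_trust_fixed.pem "$node.crt")"
done
```

Issuing both nodes' EAP certificates from one CA that the clients already trust avoids the per-host install, since the supplicant then validates either node through the same chain.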
02-09-2016 03:13 PM
I'm very confused by your query.
What does EAP-TLS auth have to do with DNS?
Please see my blog post on how certificate authentications work here: http://www.networkworld.com/article/2226498/infrastructure-management/simply-put-how-does-certificate-based-authentication-work.html
Is your concern about querying the OCSP service?
Always keep in mind that DNS is a mission-critical application for networking, in general. It will be needed for Active Directory - even simple web browsing.
-Aaron
02-09-2016 03:30 PM
The partner who is asking deploys a closed/separated LAN for hospitals by design, where there is no DNS/AD server, from a cost-reduction perspective.
-Dome
02-09-2016 03:34 PM
So the endpoint has NO DNS resolution. That still won't affect the EAP-TLS authentication. It WILL, however, impact all advanced services that use URL redirection (WebAuth, Guest, MDM, etc.). Are those types of services being deployed?
-Aaron
02-09-2016 03:43 PM
There are only web/application/DB servers and file servers inside the LAN. All hostnames that the client hosts need to resolve are written in the local hosts file.
(Updates)
A partner is building up this environment for testing required prior to a proposal, but has been facing an issue when shutting down the primary ISE, expecting the secondary one to take over all roles of the primary. While the primary is shut down, no EAP-TLS authentication succeeds, as the partner claims. Some consideration in the ISE configuration seems to be needed, and any comments would be greatly appreciated.
02-10-2016 07:13 AM
You can get around the DNS/FQDN requirement in ISE HA by using the ip host configuration command in the ISE CLI. It will require a restart of the ISE services any time you add a host.
In config mode the command is "ip host A.B.C.D ISE-PAN01.example.com"
02-11-2016 04:43 PM
Thanks for your comment.
I have received a screenshot of the ISE HA status, added to my question, and would like to know any other steps to troubleshoot, as HA itself seems good.
02-17-2016 12:33 PM
Are you able to recreate this issue in your own lab?
No DNS in a deployment is not well supported. DNS can run on a royalty-free Linux or BSD so it would not cause the customer or partner much extra. ISE PoV kit includes a VM to run common network services.