topic Re: ISE DNAC PXGRID requirements in Network Access Control

ISE DNAC PXGRID requirements

mpeeters — Fri, 21 Feb 2020 19:04:13 GMT

If a customer is planning to use ISE in their environment as a TACACS+ server, and DNAC for assurance and image management. Will they need pxgrid and a pxgrid node to support that functionality?

Re: ISE DNAC PXGRID requirements

hslai — Fri, 29 Mar 2019 22:12:01 GMT

The pxGrid services are not required, if customers using ISE as RADIUS/T+ servers but not using its integration with DNAC for the work flows of group-based policies or related, and if not configuring Assurance to collect data from ISE.

Re: ISE DNAC PXGRID requirements

Damien Miller — Sat, 30 Mar 2019 15:46:30 GMT

Adding to hslai's comment, even if you need pxgrid functionality based on the use case (which is nice to have with assurance), this could be collocated on an existing node. Depends on the design and scale, you might not need a dedicated pxgrid node is all.

Re: ISE DNAC PXGRID requirements

mpeeters — Sat, 30 Mar 2019 16:13:00 GMT

I am not clear as to what is the use case for any information dna assurance would gather from ISE via PXGRID. Would you provide some context of what would be lost if there was no ise dna assurance pxgrid linkage.

Re: ISE DNAC PXGRID requirements

mpeeters — Sat, 30 Mar 2019 16:16:22 GMT

I understand that there is a pxgrid exchange of data for Trustsec aspects. What would be the benefits of pxgrid between dnac and ise if trustsec is in play.

Re: ISE DNAC PXGRID requirements

Damien Miller — Sat, 30 Mar 2019 16:52:46 GMT

I've never played with assurance without ISE integration so I can't be 100% on what would be missing. It was my understanding thay ISE shares user and machine information it learns via pxgrid integration. Seeing as there are other ways to get user information from switches and WLC's maybe DNA can pull this through alternate means. I've seen machine OS in assurance which you wouldn't get from anywhere but ISE.

For now I would plan on integrating with ISE if it's authenticsting users in the environment, it takes little time. If someone knows different I'm keen on hearing it.

Re: ISE DNAC PXGRID requirements

hslai — Sat, 30 Mar 2019 21:37:37 GMT

I believe you are correct that the pxGrid use for DNAC is on scalable groups. DNAC also uses ERS to get data from ISE.

Re: ISE DNAC PXGRID requirements

Aravind Ravichandran — Mon, 01 Apr 2019 06:40:45 GMT

If a customer wants to use ISE as TACACS+ server, DNA-c & ISE integration will automate the Network device on-boarding(Addition) in ISE with shared secret via ERS services during the discovery phase.

Please refer to this document, if the customer needs only Assurance. ISE integration with DNA Assurance is optional. However, with ISE integration, Assurance gets usernames of the clients.

-Aravind

Re: ISE DNAC PXGRID requirements

Mike.Cifelli — Mon, 01 Apr 2019 11:52:24 GMT

In my opinion, the main benefit of integrating dnac & ise via pxgrid is the automation aspect in regard to network policy and the ability to centrally manage it all via dnac. Integrating the two will allow you to easily manage your CTS configuration including access contracts, SGTs, host on-boarding, & ip access control policies (L4 SGACLs). All of this information will be shared/imported to ISE using the pxgrid connection. As mentioned by others it is fairly easy and straight forward to configure. I agree with @Damien.Miller, if you are authenticating users into the environment I would connect the two platforms. I do not see/know of benefits from keeping the two separate.