topic Re: DNAC to ISE Integration - SSH in Network Access Control

DNAC to ISE Integration - SSH

ryanbess — Mon, 22 Jan 2024 14:52:42 GMT

We've having some debate internally around when DNAC needs to log into ISE via SSH. In our environment ISE and DNAC are owned by 2 different teams thus we want to limit who knows what credential. What happened was because we learned that the SSH cred and the web cred are actually 2 different credentials (albeit the same username/password at time of install) they are subject to 2 different password policies. In this case the SSH credential expired and forced us to change the credential. In working with some of our Cisco reps, they stated they needed to be the same username/password and DNAC would use SSH. When we updated the SSH password we saw no impact on DNAC so we're wondering why we keep being told to keep them in sync. Hoping this forum can shed some light cause as best i can tell, and per the below, it only needs it at time of initial setup. What are others doing?

Per the below it is documented that DNAC to ISE via SSH is only for the initial config.

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html

see the section called "Cisco DNA Center Outbound to Device and Other Systems"

Re: DNAC to ISE Integration - SSH

balaji.bandi — Mon, 22 Jan 2024 17:45:45 GMT

When you integrating with ISE and DNAC there are 3 parts (SSH is one of them)

when DNA Center (Catalyst center) and ISE are integrated intiallu there is an SSH session that established. That SSH session is used to share the certificates each other. So ISE shares the certificates to DNA Center. DNA Center shares its certificate with ISE.

check below guide :

https://community.cisco.com/t5/networking-knowledge-base/how-to-cisco-dna-center-ise-integration/ta-p/3896410

Re: DNAC to ISE Integration - SSH

Greg Gibbs — Mon, 22 Jan 2024 22:09:32 GMT

The use of SSH as part of the integration process was dropped after DNAC (Catalyst Center) version 2.2.1.0. The entire integration process is now done by the APIs.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_30_segmentation.html#concept_wvx_cx3_x2b

Re: DNAC to ISE Integration - SSH

ryanbess — Tue, 23 Jan 2024 00:15:52 GMT

So there are 2 documents each published by cisco that are saying different things. The one you referenced (Last updated on August 4, 2020) says SSH isn't needed with DNAC 2.2.1.0. The article i referenced (last updated Jan 22, 2024) says it is needed. Which is correct?

Re: DNAC to ISE Integration - SSH

Greg Gibbs — Tue, 23 Jan 2024 01:48:31 GMT

Unfortunately, the newer document is incorrect. I suspect when that was updated, the table was not corrected. I would suggest submitting feedback on that document to suggest it needs correcting.

Re: DNAC to ISE Integration - SSH

ryanbess — Tue, 23 Jan 2024 02:17:30 GMT

Thanks. Will open a case with TAC and see what they say. So all DNAC needs is an account that has ERS Admin permissions?

Re: DNAC to ISE Integration - SSH

Greg Gibbs — Tue, 23 Jan 2024 03:47:45 GMT

Yes, the ERS Admin account is used for the integration with Catalyst Center.

TAC may also refer you to the feedback link on the document. You can submit feedback on the document directly on the page.

Re: DNAC to ISE Integration - SSH

andrew.butterworth — Tue, 22 Oct 2024 15:03:31 GMT

Does this mean we can create a local account on ISE that is just a member of the ERS Admin group for the integration, rather than using the local admin account?

What about external authentication, or is the ERS API just local authentication?

Re: DNAC to ISE Integration - SSH

ryanbess — Tue, 22 Oct 2024 18:42:10 GMT

Yes that is the expectation.

Re: DNAC to ISE Integration - SSH

andrew.butterworth — Wed, 23 Oct 2024 16:00:36 GMT

I created an admin user (ers-admin) on ISE that is just a member of the "ERS Admin" group and this doesn't work. I just get a message saying 'The Cisco ISE credentials provided are invalid'.

I can successfully login to the ERS admin web service from a PC (https://ise-server:9060/ers/sdk) using the ers-admin account I created.

Re: DNAC to ISE Integration - SSH

DanielLarsson63527 — Mon, 28 Oct 2024 10:10:42 GMT

Hi,

Just wanted to give you a heads up that in the Catalyst Center release cisco has made changes to how the integrations will work for "ERS-admin" and the API-integrations. The documentation *clear* states that you need to be a "Super-Admin" in ISE for integration work, although lot of documentation (including ciscolive presentations) still wrongly states that you just need ERS-admin for it to work.

I have done countless integrations between DNAC/ISE and here is how it actuall works:

... PRE Catalst Center branding release:
-ISE will need SSH cli admin account
-ISE will need GUI super admin account (can be externally authenticated and mapped to AD-groups etc that is mapped to Super-Admin role)

...Catalyst Center release...
-ISE will still need local SSH admin-account to get a "successfull integration" (but it's not really used)
-ISE will need GUI Super Admin role access *but it has to be LOCALLY configured in ISE*

The main difference with GUI account is that cisco changed the way the ERS/API integrations work with ISE in the "catalyst center" relesae so that for some reason you cannot use an externally mapped Super-Admin role in ISE.

That said, you can also skip the SSH Admin CLI account and it will still work (but will generate some cosmetic errors here and there).

Yes you need the GUI local account to be Super Admin (everything else will *not* work regardless of what documentation states, and actually the admin guide for catalyst center also clearly states this!).

Bottom line is, i still see the "catalyst center" release as a form of Beta-release as of now. lot of cosmetic errors, in general vague documentation about how things work .... lot of things changed (example provision jobs, compliance checks etc) for the worse (15 click processes instead of 3 click processes)...

And everyone that has done proper service-account integrations are having issues with the catalyst center release due to what i mentioned above and it being undocumented! So, sadly... @andrew.butterworth you will need that Super Admin account local in ISE.

HTH
-Daniel

Re: DNAC to ISE Integration - SSH

ConteAlmaviva — Fri, 21 Feb 2025 19:28:04 GMT

Sorry to bump this so many months on, but do you know if the requirement for an ISE superadmin account is still the case with CatC 2.3.7.6?

Re: DNAC to ISE Integration - SSH

DanielLarsson63527 — Tue, 08 Jul 2025 13:00:12 GMT

@ConteAlmaviva ,

Hi,

Late reply don't got any notification... but yes, it is still the requirements and i still haven't seen any updated documentation regarding this so i would follow above recommendations if you want it to work long-term.

HTH
-Daniel

P.s - ERSadmin is what cisco still claims is the requirements, but it will do some things that will require "super admin" access to function properly.