https://community.cisco.com/t5/software-defined-access-sd-access/trouble-adding-ise-server-in-network-settings/m-p/5356532#M4247 <P>key point there is "ISE or AAA". looking at your move "<SPAN>to add a AAA server" i guess you missteered somewhere.<BR />bc with 1st stages of integration u made DNAC must be communicated by PAN with configured policy servers u must choose as such. I didnt touch SDA for about year so i have to look in live deployment to steer u in proper direction. w/o promises to be asap</SPAN></P> Fri, 19 Dec 2025 16:51:19 GMT Andrii Oliinyk 2025-12-19T16:51:19Z https://community.cisco.com/t5/software-defined-access-sd-access/trouble-adding-ise-server-in-network-settings/m-p/5356529#M4246 <P>Hello all,</P><P>I'm doing the CCIE Practice Labs so I can get practice with SDA. One of the first things I'm doing in SDA is the integration of DNAC with ISE (in the lab, the DNAC is version <STRONG>2.3.5</STRONG>). The integration works fine, and during the integration I use the&nbsp;<STRONG>Advanced Settings</STRONG> to check both the&nbsp;<STRONG>Radius</STRONG> and&nbsp;<STRONG>TACACS</STRONG> checkboxes, since I want this ISE server to be used for both endpoint authentication and switch authentication.</P><P>After the DNAC/ISE integration I do the Policy migration, which also works great.</P><P>So at this point, in <STRONG>System &gt; Settings &gt; External Services &gt; Authentication and Policy Servers</STRONG>, I have an ISE server defined there, with an IP address and Protocol =&nbsp;<STRONG>RADIUS_TACACS</STRONG> and Type =&nbsp;<STRONG>ISE</STRONG> and Status =&nbsp;<STRONG>ACTIVE</STRONG>. So all seems well.</P><P>I then go to <STRONG>Design &gt; Network Settings</STRONG>&nbsp;to add a AAA server (i.e.&nbsp;<STRONG>Add Servers &gt; AAA</STRONG>) to the <STRONG>Global</STRONG> area. I check both the&nbsp;<STRONG>Network</STRONG> and&nbsp;<STRONG>Client/Endpoint</STRONG> checkboxes, and then I start configuring the <STRONG>Network&nbsp;</STRONG>section first.</P><OL><LI>Under the <STRONG>Network &gt;&nbsp;</STRONG><STRONG>Servers</STRONG>&nbsp;heading, I click the&nbsp;<STRONG>ISE</STRONG> radio button since the server I added above is of Type = ISE, and I select my ISE IP address from the drop-down menu.</LI><LI>Under the&nbsp;<STRONG>Network &gt;</STRONG>&nbsp;<STRONG>Protocol</STRONG> heading, I click the&nbsp;<STRONG>TACACS</STRONG> radio button since I want my network authentication to use TACACS. HOWEVER, when I click the&nbsp;<STRONG>IP Address (Primary)</STRONG> drop-down menu to select my ISE IP address, there are no IP addresses available to select. If I change the protocol to&nbsp;<STRONG>RADIUS</STRONG> instead, I do get an IP address available in the drop-down, but I don't want to use RADIUS, I want to use TACACS for this <STRONG>Network</STRONG> part. (Additional info - underneath the <STRONG>IP address (Primary)</STRONG> drop-down box, it does have text that says&nbsp;<STRONG>(Only device administration nodes)</STRONG> ).</LI></OL><P>I'm confused by the end of Step 2 above, where there are no IP addresses available in the&nbsp;<STRONG>IP Address (Primary)</STRONG> drop-down menu when I try to add a AAA server and use TACACS for the Network section. What do I need to do to get an IP address listed in this drop-down for selection?</P><UL><LI>Looking at the <A href="https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-3-5/user_guide/b_cisco_dna_center_ug_2_3_5/m_configure-network-settings.html#add_ise_or_other_aaa_servers" target="_self">DNAC 2.3.5 guide</A>, it says:<UL><LI><TABLE border="0"><TBODY><TR><TD><P><STRONG>Step&nbsp;6</STRONG></P></TD><TD><P class="">Choose the<SPAN>&nbsp;</SPAN><SPAN class="">Servers</SPAN><SPAN>&nbsp;</SPAN>for authentication and authorization:<SPAN>&nbsp;</SPAN><SPAN class="">ISE</SPAN><SPAN>&nbsp;</SPAN>or<SPAN>&nbsp;</SPAN><SPAN class="">AAA</SPAN>.</P><UL><LI><P class="">If you choose<SPAN>&nbsp;</SPAN><SPAN class="">ISE</SPAN>, configure the following:</P><UL><LI><P class="">From the<SPAN>&nbsp;</SPAN><SPAN class="">Network</SPAN><SPAN>&nbsp;</SPAN>drop-down list, choose the IP address of the<SPAN>&nbsp;</SPAN><SPAN class="">Cisco ISE</SPAN><SPAN>&nbsp;</SPAN>server. The<SPAN>&nbsp;</SPAN><SPAN class="">Network</SPAN><SPAN>&nbsp;</SPAN>drop-down list contains all the IP addresses of the<SPAN>&nbsp;</SPAN><SPAN class="">Cisco ISE</SPAN><SPAN>&nbsp;</SPAN>servers that are registered in<SPAN>&nbsp;</SPAN><SPAN class="">System Settings</SPAN><SPAN>&nbsp;</SPAN>on the<SPAN>&nbsp;</SPAN><SPAN class="">Cisco DNA Center</SPAN><SPAN>&nbsp;</SPAN>home page. <STRONG>Selecting a&nbsp;<SPAN class="">Cisco ISE</SPAN>&nbsp;IP populates the primary and additional IP address drop-down lists with Policy Service Node (PSN) IP addresses for the selected&nbsp;<SPAN class="">Cisco ISE</SPAN>.</STRONG> You can either enter an IP address for the AAA server or choose the PSN IP address from the<SPAN class=""><SPAN>&nbsp;</SPAN>IP Address (Primary)</SPAN><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN><SPAN class="">IP Address (Additional)</SPAN><SPAN>&nbsp;</SPAN>drop-down lists.</P></LI></UL></LI></UL></TD></TR></TBODY></TABLE></LI></UL></LI><LI>&nbsp;</LI><LI>However, in my case, Selecting the Cisco ISE IP in the&nbsp;<STRONG>Network</STRONG> drop-down menu does not populate anything in the <STRONG>IP Address (Primary)</STRONG> drop-down menu.</LI></UL> Fri, 19 Dec 2025 16:42:03 GMT https://community.cisco.com/t5/software-defined-access-sd-access/trouble-adding-ise-server-in-network-settings/m-p/5356529#M4246 vv0bbLeS 2025-12-19T16:42:03Z https://community.cisco.com/t5/software-defined-access-sd-access/trouble-adding-ise-server-in-network-settings/m-p/5356532#M4247 <P>key point there is "ISE or AAA". looking at your move "<SPAN>to add a AAA server" i guess you missteered somewhere.<BR />bc with 1st stages of integration u made DNAC must be communicated by PAN with configured policy servers u must choose as such. I didnt touch SDA for about year so i have to look in live deployment to steer u in proper direction. w/o promises to be asap</SPAN></P> Fri, 19 Dec 2025 16:51:19 GMT https://community.cisco.com/t5/software-defined-access-sd-access/trouble-adding-ise-server-in-network-settings/m-p/5356532#M4247 Andrii Oliinyk 2025-12-19T16:51:19Z https://community.cisco.com/t5/software-defined-access-sd-access/trouble-adding-ise-server-in-network-settings/m-p/5362106#M4289 <P>When you are adding an ISE node to use for TACACS in DNAC, in ISE you need the "Enable Device Admin Service" checkbox marked under where you enable the Policy Service on the ISE node. At my current organization we have a multi node ISE deployment and in DNAC you can only choose the IP addresses of only the nodes with that service enabled for TACACS. It's also good to note that in order to enable that service on the ISE node, you also need the TACACS license for that node. Hope this helps!</P> Fri, 16 Jan 2026 12:10:11 GMT https://community.cisco.com/t5/software-defined-access-sd-access/trouble-adding-ise-server-in-network-settings/m-p/5362106#M4289 barryjm 2026-01-16T12:10:11Z