DNA-C and ACS Integration.

Atul Patil
Level 1

Can we integrate Cisco DNA-C with Cisco ACS?

4 Replies

Mike.Cifelli
VIP Alumni

AFAIK this is not supported. ACS has been on the EOL list for quite some time. If you look at any of the design guides for SDA, it references use with ISE. Here are some helpful links, which include design guides and the compatibility matrix:

https://www.cisco.com/c/en/us/solutions/enterprise-networks/software-defined-access/compatibility-matrix.html

https://community.cisco.com/t5/networking-documents/sd-access-resources/ta-p/3812030#Design

HTH!

Thank you Mike!

As of now we are using ACS as an AAA server in my network.

Can I add ACS as an AAA server in DNA-C and use it for "External Authentication" of DNA-C?

willwetherman
Spotlight

Morning All,

Just to add to this, you can add a non-ISE/third-party AAA server to DNAC for authenticating access to DNAC and managed network devices, as well as for client/endpoint authentication. Without ISE you will not be able to implement TrustSec for SD-Access, and you will lose the automation/creation of network devices in the AAA server during on-boarding and provisioning (you will need to do this manually).

Note regarding SD-Access and TrustSec: you can use a third-party RADIUS server to authenticate and assign SGTs to endpoints using a Cisco-AVPair; however, ISE is still needed for Group-Based Policy configuration and download to the network devices. See below for further details.

https://community.cisco.com/t5/networking-documents/how-to-use-group-based-policies-with-3rd-party-radius-using/ta-p/3930041

To add a third-party AAA server to ISE, browse to System Settings -> Settings -> Authentication and Policy Servers and then click Add. Enter the AAA server IP address and Shared Key and click Apply (don't enable Cisco ISE Server). The Shared Key specified here will get pushed to managed devices if you set the AAA server under Design -> Network Settings -> Network.

[Screenshot: DNAC AAA Server.PNG]

Once the AAA server has been added, it will be available for use under Design -> Network Settings -> Network for both network and client/endpoint authentication, as well as under System Settings -> Users for external DNAC authentication.

I have tested using a third-party RADIUS server for DNAC GUI and network device authentication (with RADIUS AVPairs being returned for the network device priv-lvl and DNAC GUI role). This was using FreeRADIUS and Microsoft NPS and worked without any issues, so it shouldn't be any different for ACS. Here we are just using basic RADIUS functionality, but as noted above, we lose all of the advanced features that are provided with the DNAC/ISE integration, including for SD-Access as noted by Mike.

Hope that this helps
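The "basic RADIUS functionality" described in the post above, as an added example that is not part of the original thread or of any Cisco or FreeRADIUS code: both sides of one Access-Request/Access-Accept exchange, with the server returning the three Cisco-AVPairs that a managed switch (shell:priv-lvl), the DNAC GUI (Role=) and an SGT-assigning edge node (cts:security-group-tag) each read, and the client verifying the reply's Response Authenticator under the shared key that DNAC pushes to managed devices. The attribute strings are assumed to follow Cisco's documented formats; the user name, password, shared key, packet identifier and tag value are constructed for the example.

```python
"""Constructed RADIUS exchange (RFC 2865) returning Cisco-AVPairs.
Added example; not code from the thread, from Cisco or from FreeRADIUS."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # IANA enterprise 9 = Cisco, VSA type 1 = cisco-avpair


def attr(kind: int, value: bytes) -> bytes:
    """RFC 2865 attribute TLV: Type, Length (includes the 2-byte header), Value."""
    return struct.pack("!BB", kind, 2 + len(value)) + value


def cisco_avpair(value: str) -> bytes:
    """Vendor-Specific (26) wrapping Vendor-Id 9, Vendor-Type 1, Vendor-Length, string."""
    raw = value.encode()
    return attr(ATTR_VENDOR_SPECIFIC,
                struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(raw)) + raw)


def encode_user_password(password: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(ident: int, username: str, password: str, secret: bytes):
    """Client side (DNAC or a managed switch). Returns (packet, request_authenticator)."""
    request_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username.encode())
    attrs += attr(ATTR_USER_PASSWORD,
                  encode_user_password(password.encode(), request_auth, secret))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + request_auth + attrs, request_auth


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, avpairs) -> bytes:
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    attrs = b"".join(cisco_avpair(v) for v in avpairs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def parse_response(packet: bytes, request_auth: bytes, secret: bytes):
    """Client side: verify the reply under the shared key, then pull out the Cisco-AVPairs."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    resp_auth, attrs = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong shared key or forged reply")
    avpairs, pos = [], 0
    while pos < len(attrs):
        kind, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        value = attrs[pos + 2:pos + alen]
        if kind == ATTR_VENDOR_SPECIFIC:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                avpairs.append(value[6:4 + vlen].decode())
        pos += alen
    return code, avpairs


def derive_authorization(avpairs) -> dict:
    """What each consumer reads from the pairs: IOS shell privilege, DNAC GUI role, SGT."""
    auth = {"priv_lvl": None, "dnac_role": None, "sgt": None}
    for pair in avpairs:
        key, _, value = pair.partition("=")
        if key == "shell:priv-lvl":
            auth["priv_lvl"] = int(value)
        elif key == "Role":                       # DNAC external-auth role (assumed format)
            auth["dnac_role"] = value
        elif key == "cts:security-group-tag":     # "<tag hex>-<generation id>" (assumed format)
            auth["sgt"] = int(value.partition("-")[0], 16)
    return auth


def demo(secret: bytes = b"constructed-shared-key"):
    """Constructed exchange: user, password, shared key and tag value are made up."""
    _request, request_auth = build_access_request(7, "netadmin", "example-pass", secret)
    reply = build_access_accept(7, request_auth, secret, [
        "shell:priv-lvl=15",
        "Role=SUPER-ADMIN-ROLE",
        "cts:security-group-tag=0004-00",
    ])
    code, pairs = parse_response(reply, request_auth, secret)
    return code, derive_authorization(pairs)


if __name__ == "__main__":
    print(demo())
```

The shared key is the only thing authenticating an Access-Accept in plain RADIUS, which is why the key entered under Authentication and Policy Servers has to match what DNAC pushes to the managed devices: with a mismatched key the parser above refuses the reply instead of silently granting priv-lvl 15 or a GUI role.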

Thank you!