07-28-2020 12:53 AM
Hello,
In an ongoing project our customer needs to integrate the DNA deployment with 2 separate ISE deployments : one is specific to the guest wireless use case.
Is it possible to integrate DNA with two ISE deployments ? If so, how can we configure DNA to push devices and SGTs only on one ISE, and push different ISE configurations to devices based on use cases (for instance push the "regular" ISE deployments to switches, but push both to the WLC, and then on the WLC configure most SSIDs with the primary deployment and use the secondary for the guest) ?
If this is not supported by DNA, could it be done with templates pushed from DNA ?
Thanks,
Have a nice day.
07-28-2020 01:01 PM
You cannot integrate DNA Center with multiple ISE instances. However, on DNAC you can integrate the ISE instance as an ISE server then add the second ISE instance as a traditional AAA server.
07-28-2020 11:14 PM
Thanks, and do we have a way to tell DNAC for which use case to use which server ?
07-31-2020 01:54 AM - edited 07-31-2020 01:56 AM
Hi Tom, at this moment, when customers want to use a second ISE cluster specifically for fabric wireless guest access, they manually change the RADIUS servers on the guest SSID in the fabric WLC to point to the other/second guest ISE cluster. At this precise moment the push of a second ISE cluster PSN IPs is not automated by DNAC. The manual addition of PSN RADIUS servers to the fabric wireless guest SSID is considered an SDA design exception since you are bypassing the DNAC automation. Please engage with your Cisco SE/AM/CX contact to get the exception approved. In future we will be automating it through DNAC, but for now it's a manual process. Best regards, Jerome
02-15-2023 12:08 AM
Hello
any hints on have the subject been improved since 2020?
02-15-2023 10:29 PM
In the DNAC UI we can set AAA servers per SSID, this is true for both Fabric-Enabled Wireless and non-Fabric wireless. These "extra" AAA servers are not integrated to DNAC however, so if there's SGACLs and Group-Based Policy that will need to continue to reside on the ISE cluster integrated to DNAC.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide