DNAC/CatC and ISE - What does DNAC do and what do you have to do?

bfbcnet
Level 1

Hi,

So first this is NOT a question about integrating ISE and DNAC / CatC. It is about after that.

The most confusing thing I have found is understanding what CatC will set up for you on ISE and what you need to configure on ISE yourself. I have not been able to find much documentation on this, so any pointers would be appreciated.

So far I have that CatC will set up in ISE for you:

-Group based policy

-Network device entry adds and deletes when you provision the device in CatC

-If you have Wi-Fi that you want to use an ISE portal with, then CatC will set up the portal and policy on ISE in the default RADIUS policy area.

Stuff that I think you have to set up yourself (but am not sure):

-If you are doing SD-A, then the policies for Dot1x and MAB, with the needed authorization profiles to map to the appropriate VNs.

-TACACS policies to allow CLI access to network devices.

-Anything else

I am not sure if we are missing something or some documentation.

While on the topic of SD-A and VN authentication, there seem to be two ways in the authorization profiles to achieve this. Either:

-‘Security Group’ where you select a VN from the drop down

-‘VLAN’ where you manually enter the number of the VLAN ID associated with the VN

What does not help with the confusion of which to use, is we first started with ‘Security Group’ after reading the below:

https://community.cisco.com/t5/networking-knowledge-base/cisco-ise-configuration-for-onboarding-hosts-in-cisco-sd-access/ta-p/4106696

Then we hit a bug where a vital ISE process would crash if this method was used. Cisco TAC recommended using the ‘VLAN’ setting instead, but were not super clear about if this was just temporary until the bug was fixed or if that is what we should have been doing from the start.

Anyway, any clarification or documentation pointers for the above would be much appreciated.

1 Reply

Preston Chilcote
Cisco Employee

For your first part, I think your list is spot on.  I can't think of anything else that you missed. There's one other advantage of the integration, though it's not exactly an ISE configuration: ISE and Catalyst Center will share Endpoint analytics information to enhance the information gleaned and displayed about endpoints in the network.


For the second part, both methods work.  I suggest using the method that simplifies the deployment the most for you and, maybe more importantly, for others who come along later and need to understand your logic of authorization and SGT assignment.  To many that means the first method (I believe this is the more common strategy), which allows you to see the assigned SGT on the same screen as the authorization conditions, without having to look up the details in the authorization profile.

I'd love to hear others chime in for their reasons for choosing to define SGTs in the authorization profile instead.
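The thread above compares two ways of steering an endpoint into a VN from an ISE authorization profile: a ‘Security Group’ (SGT) result or a ‘VLAN’ result. What a fabric edge actually receives differs: the VLAN method produces the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) in the Access-Accept, while the SGT method produces a `cisco-av-pair` of the form `cts:security-group-tag=<sgt-hex>-<generation-hex>`. The script below is an added example, not code from the thread or from Cisco; it parses a constructed Access-Accept attribute list into the VLAN and SGT it would assign and checks the result against a hypothetical VN-to-VLAN/SGT table, which is a quick way to confirm that a profile pushes what the VN design expects before an endpoint lands in the wrong segment. The VN names, VLAN numbers and SGT values are constructed placeholders.

```python
"""Audit what an ISE authorization result pushes for a VN.

Given the attributes of a RADIUS Access-Accept, work out whether the
profile assigns a VLAN (RFC 3580 tunnel attributes), an SGT (TrustSec
cisco-av-pair), both or neither, and compare with the expected mapping.
All VN names, VLAN IDs and SGT numbers below are constructed examples.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Hypothetical VN -> segment table (constructed; substitute your fabric's own).
VN_EXPECTED = {
    "CORP_VN": {"vlan": "1021", "sgt": 16},
    "GUEST_VN": {"vlan": "1022", "sgt": 17},
}

SGT_PREFIX = "cts:security-group-tag="


@dataclass
class AuthzResult:
    vlan: Optional[str]          # VLAN the switch would place the port in
    sgt: Optional[int]           # SGT value (decimal) the switch would tag with
    sgt_generation: Optional[int]


def _untag(value: str) -> str:
    """Strip the optional RADIUS tunnel tag prefix ("1:13" -> "13")."""
    return value.split(":", 1)[-1] if ":" in value else value


def parse_access_accept(attrs: Iterable[Tuple[str, str]]) -> AuthzResult:
    """Reduce an Access-Accept attribute list to the VLAN/SGT it assigns.

    attrs is a sequence of (attribute-name, value) pairs as a RADIUS
    decoder would present them.
    """
    vlan = sgt = gen = None
    tunnel_type = tunnel_medium = None
    for name, value in attrs:
        if name == "Tunnel-Type":
            tunnel_type = _untag(value)
        elif name == "Tunnel-Medium-Type":
            tunnel_medium = _untag(value)
        elif name == "Tunnel-Private-Group-ID":
            vlan = _untag(value)
        elif name == "cisco-av-pair" and value.startswith(SGT_PREFIX):
            sgt_hex, gen_hex = value[len(SGT_PREFIX):].split("-")
            sgt, gen = int(sgt_hex, 16), int(gen_hex, 16)
    # RFC 3580: a VLAN assignment is only honoured when Tunnel-Type is
    # VLAN (13) and Tunnel-Medium-Type is IEEE-802 (6). A bare group ID
    # without them is silently ignored by the NAD, so report no VLAN.
    if vlan is not None and not (
        tunnel_type in ("13", "VLAN") and tunnel_medium in ("6", "IEEE-802")
    ):
        vlan = None
    return AuthzResult(vlan, sgt, gen)


def check_against_vn(result: AuthzResult, vn: str) -> List[str]:
    """Return findings for a profile that does not match the VN design.

    An empty list means the result is consistent with VN_EXPECTED[vn].
    """
    expected = VN_EXPECTED[vn]
    findings = []
    if result.vlan is None and result.sgt is None:
        findings.append(
            "no usable VLAN and no SGT: endpoint stays in the port's "
            "default VLAN and is untagged"
        )
    if result.vlan is not None and result.vlan != expected["vlan"]:
        findings.append(f"VLAN {result.vlan} != {vn} VLAN {expected['vlan']}")
    if result.sgt is not None and result.sgt != expected["sgt"]:
        findings.append(f"SGT {result.sgt} != {vn} SGT {expected['sgt']}")
    return findings


# Constructed Access-Accept attribute lists for the two methods, plus one
# common mistake (group ID present but Tunnel-Type/Medium-Type missing).
SAMPLE_VLAN_PROFILE = [
    ("Tunnel-Type", "1:13"),
    ("Tunnel-Medium-Type", "1:6"),
    ("Tunnel-Private-Group-ID", "1:1021"),
]
SAMPLE_SGT_PROFILE = [
    ("cisco-av-pair", "cts:security-group-tag=0010-00"),   # 0x0010 = SGT 16
]
SAMPLE_BROKEN_VLAN = [
    ("Tunnel-Private-Group-ID", "1021"),
]

if __name__ == "__main__":
    for label, attrs, vn in (
        ("vlan-method", SAMPLE_VLAN_PROFILE, "CORP_VN"),
        ("sgt-method", SAMPLE_SGT_PROFILE, "CORP_VN"),
        ("broken-vlan", SAMPLE_BROKEN_VLAN, "CORP_VN"),
    ):
        result = parse_access_accept(attrs)
        print(label, result, check_against_vn(result, vn) or "OK")
```

Run it as-is to see the three constructed cases; to audit a live deployment, feed `parse_access_accept` the decoded attributes from a RADIUS live log or packet capture and extend `VN_EXPECTED` with the real VN table. Whichever method the team standardises on, the point the check makes is that both results are visible on the wire, so a profile that silently assigns nothing, or assigns a VLAN that belongs to a different VN, can be caught before it reaches production ports.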