DNAC-ISE Integration in Assurance Mode

mohamed_afarrag
Level 1

Hello,

We need to integrate DNAC and ISE in an Assurance deployment (not SDA), so in that case ISE will be configured on DNAC under Authentication and Policy Servers.

In Assurance mode, should ISE be added as ISE or as an AAA server?

5 Replies

@mohamed_afarrag 

I recommend this guide. See the ISE part:

  • You must enable communication between Cisco DNA Center and Cisco ISE on the following ports: 443, 5222, 8910, and 9060.

  • The Cisco ISE host on which pxGrid is enabled must be reachable from Cisco DNA Center on the IP address of the Cisco ISE eth0 interface.

  • The Cisco ISE node can reach the fabric underlay network via the appliance's NIC.

  • The Cisco ISE admin node certificate must contain the Cisco ISE IP address or FQDN in either the certificate subject name or the Subject Alternative Name (SAN).

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center-assurance/2-3-5/b_cisco_dna_assurance_2_3_5_ug/b_cisco_dna_assurance_2_3_3_ug_chapter_011.html#id_110261
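To turn the port and certificate prerequisites quoted above into something you can verify before clicking through the integration, here is an added example (my own Python, not code from the post, the guide, or Cisco). It attempts a TCP connect to the ISE eth0 address on 443, 5222, 8910 and 9060, then pulls the ISE admin certificate over TLS and checks that the ISE IP or FQDN appears in the Subject CN or the SAN, which is the guide's rule. The ISE address, FQDN and CA file are command-line arguments and all names in the script are assumptions; `getpeercert()` only returns the parsed certificate when the chain validates, so the ISE CA (or the admin certificate itself) must be supplied as `cafile`.

```python
"""Pre-integration checks for adding ISE to Catalyst Center (DNAC) as "ISE".

Hypothetical helper written for this thread; not Cisco code. It covers the two
items from the quoted guide that are easiest to get wrong: TCP reachability on
443/5222/8910/9060 to the ISE eth0 address, and whether the ISE admin
certificate names the ISE IP or FQDN in its Subject CN or SAN.
"""
import ipaddress
import socket
import ssl
import sys

# Ports the guide lists for Catalyst Center <-> ISE communication.
ISE_PORTS = (443, 5222, 8910, 9060)


def check_ports(host, ports=ISE_PORTS, timeout=3.0):
    """Return {port: True/False} for a plain TCP connect to each port."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results


def _is_ip(value):
    """True if value is an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def cert_names(peercert):
    """Collect CN and SAN values from an ssl.SSLSocket.getpeercert() dict.

    Returns (dns_names, ip_names) as sets; DNS names are lower-cased.
    """
    dns, ips = set(), set()
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                # Some ISE installs carry an IP literal in the CN.
                if _is_ip(value):
                    ips.add(value)
                else:
                    dns.add(value.lower())
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower())
        elif kind == "IP Address":
            ips.add(value)
    return dns, ips


def cert_covers_ise(peercert, ise_ip, ise_fqdn):
    """True if the admin cert names the ISE IP or FQDN in the CN or SAN.

    Mirrors the guide's wording: either identifier, in either location.
    """
    dns, ips = cert_names(peercert)
    return ise_ip in ips or ise_fqdn.lower() in dns


def fetch_peercert(host, cafile, port=443, timeout=5.0):
    """Fetch the ISE admin certificate as a getpeercert() dict.

    getpeercert() returns a populated dict only when the chain was verified,
    so the ISE CA (or the admin cert itself) is passed as cafile. Hostname
    checking is disabled because that is exactly what cert_covers_ise()
    evaluates, using the guide's looser CN-or-SAN, IP-or-FQDN rule.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: ise_precheck.py <ise-eth0-ip> <ise-fqdn> <ise-ca.pem>")
    ip, fqdn, cafile = sys.argv[1:]
    for port, ok in check_ports(ip).items():
        print(f"tcp/{port}: {'open' if ok else 'BLOCKED'}")
    cert = fetch_peercert(ip, cafile)
    print("admin cert names (dns, ip):", cert_names(cert))
    print("cert covers ISE identity:", cert_covers_ise(cert, ip, fqdn))
```

Run it from the Catalyst Center appliance (or a host in the same segment) against the ISE eth0 address, not a secondary interface, since that is the address the guide requires to be reachable. A BLOCKED port usually points at a firewall between the two systems rather than at ISE itself, and a certificate that lists only a short hostname in the CN and no SAN is the typical reason the identity check fails; re-issue the ISE admin certificate with the FQDN (and optionally the IP) in the SAN before integrating.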

ammahend
VIP Alumni

If you want to exchange information between ISE and Catalyst Center even without SDA, you should add it as ISE, e.g. if you want to configure the TrustSec policy matrix or SGTs through DNAC and populate the policy on ISE.

If you just want to configure your devices with an AAA server and point them to ISE, but do not really want to exchange information with ISE, you can add it as an AAA server.

I would recommend adding ISE as ISE in Catalyst Center.

-hope this helps-

Preston Chilcote
Cisco Employee

The biggest advantage of ISE integration for non-SDA deployments is that it allows you to search for client usernames in the main Catalyst Center search box, instead of IPs or MACs (which can sometimes be a pain to even get from the user, who might not even know what an IP address is). This also requires dot1x authentication to be used on the access ports where wired clients connect.

mohamed_afarrag
Level 1

Many thanks to all for participating in this valuable discussion. If we add it on DNAC as ISE, regarding the ISE username: should it be the default admin username, or can it be any account with admin privileges? @Preston Chilcote @ammahend @Flavio Miranda

Preston Chilcote
Cisco Employee

@mohamed_afarrag If your ISE is up to date, you should be able to use any account with admin privileges. If you aren't running an ISE version with the fix for

CSCwf79582 - AD Credentials Fail to Integrate Cisco ISE with 2.2.1.x and above

then there could be some issues.
