Adding DNAC as Network Device on ISE

TH09
Level 1

Hi there,

 

My setup is a three-node DNAC cluster running in an SDA architecture. I wanted to use RADIUS instead of TACACS for external device authentication using AD, so I wanted to check the following:

 

1. Which IPs do I add in ISE when adding DNAC as a network device, or all 12?

-DNAC Enterprise IPs and VIP?

-DNAC Cluster IPs and VIP?

-DNAC Management IPs and VIP?

 

2. In an SDA environment, DNAC manages the network devices, so I'm wondering: if I use RADIUS for external device authentication, will it impact DNAC manageability and/or operations in any way?

 

3. Are there any good guides for setting up external authentication using RADIUS in SDA? Most of the guides use TACACS.

 

Thanks.

5 Replies

Mike.Cifelli
VIP Alumni

Please take a look at the following resources as they will help you with your journey and your concerns:

Cisco DNA Center Security Best Practices Guide - Cisco

How To Cisco DNA Center ISE Integration - Cisco Community

Cisco SD-Access Fabric Resources - Cisco Community

HTH!

TH09
Level 1

If we configure our environment to use AD for external authentication for device administration, we won't be locking DNAC out from managing the devices, right? So, for example, as the primary source we want to use our AD credentials to log in to all our network devices, and if AD fails, then as a secondary/backup option use the local credentials pushed by DNAC.

We want to use RADIUS for external authentication not TACACS.

What we have done is to create the same user locally on the device, as well as in ISE, for the user DNAC uses (called dnac-admin).

If the connection to ISE is down, the local user will be used when DNAC logs in to a device. We don't use an AD user, as this could cause the account to be locked for some reason.

rasmus.elmholt
Level 7

Hi,

We use RADIUS for network AAA and TACACS for device AAA, including AAA/AD integration with the DNAC.

But I have tested it with pure RADIUS as well for client, network and DNAC AAA.

 

We have added the enterprise physical IP address of all three nodes as devices in ISE. And the DNAC uses those addresses to do the RADIUS/TACACS lookups.

 

We don't have a management interface, but depending on the routing configured on the DNAC you might have to use those addresses.

The DNAC uses the physical IP (not the VIP) of the port with routing towards the ISE nodes to do the RADIUS/TACACS lookup.

 

As for question 2:

We have a local user called dnac-admin configured locally on all switches, and the same user is configured in ISE. That way the DNAC can always log in to the devices even if network AAA is down, or before the devices are onboarded.
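The "RADIUS first, local dnac-admin as fallback" arrangement described in the replies above, written out as an IOS-XE AAA configuration. This is an added example, not configuration posted in the thread or pushed by DNAC; the server name ISE-PSN1, the address 10.0.0.11, the group name ISE-RADIUS and the secrets are placeholders you would replace with your own values.

```text
! Added example (not from the thread): device-administration AAA on an
! IOS-XE switch, authenticating against ISE over RADIUS with local fallback.
! ISE-PSN1 / 10.0.0.11 / ISE-RADIUS are placeholder names, not real values.
aaa new-model
!
radius server ISE-PSN1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
!
! Mark a server dead quickly so the "local" fallback kicks in without
! long login delays when ISE is unreachable.
radius-server dead-criteria time 5 tries 3
!
aaa group server radius ISE-RADIUS
 server name ISE-PSN1
!
! Try ISE first; fall back to the local database only if no RADIUS
! server in the group answers (a reject from ISE is NOT a fallback).
aaa authentication login default group ISE-RADIUS local
aaa authorization exec default group ISE-RADIUS local if-authenticated
aaa accounting exec default start-stop group ISE-RADIUS
!
! Same account name and password that exist in ISE, so DNAC can log in
! whether or not ISE is reachable (and before the device is onboarded).
username dnac-admin privilege 15 secret <same-password-as-in-ISE>
!
line vty 0 4
 login authentication default
 transport input ssh
```

The caveat worth keeping in mind: the `local` keyword is only consulted when the whole RADIUS group is unreachable. If ISE is up and rejects dnac-admin (wrong password, account disabled, a policy mismatch), the login fails and the switch does not try the local user, so the two copies of the account must really be kept in sync.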

 

TH09
Level 1

Yes, it helped. In our setup we are using the management ports, and I can see in the ISE live logs that DNAC is connecting to the NAD using the tty port, but it is spamming the live logs. Is there any way to avoid or restrict showing so many logs?