Cisco DNA center integration with Aruba wireless (AP and controllers) and Aruba Clearpass(NAC)

Asfandyar70754
Level 1

Hello everyone

Does Cisco DNA Center integrate with Aruba WLC/APs and Aruba ClearPass?

I have seen that ISE can be integrated with Aruba WLC, but is it possible to use Aruba Clearpass instead of Cisco ISE in Cisco DNAC?

I am studying Cisco SD Access and I was curious if it is possible to use Aruba WLC & Clearpass with Cisco DNAC?

6 Replies

inderdeeps
Level 4

You can integrate your WLCs with DNAC as third-party devices, but Aruba ClearPass can't be integrated with Cisco DNAC as a NAC solution to authenticate devices within the fabric. Although basic TACACS or RADIUS features can be used, that's what I saw in most of the cases.

Regards

Inderdeep Singh

www.thenetworkdna.com 

willwetherman
Spotlight

Just to add to this discussion,

 

You can add a non-ISE/third-party RADIUS server to DNAC for authenticating administrative access to DNAC itself and managed network devices, as well as for endpoint authentication/authorisation in SD-Access. For SD-Access, you can assign SGTs to endpoints that connect to the Fabric Edge nodes by returning a Cisco-AVPair directly from the third-party RADIUS server, however ISE is still needed for Group-Based policy. See below for further details. 

 

https://community.cisco.com/t5/networking-documents/how-to-use-group-based-policies-with-3rd-party-radius-using/ta-p/3930041 

 

You can also authenticate endpoints using the third-party RADIUS server alone without ISE, however you will lose the ability to implement micro-segmentation (TrustSec) which is one of the primary advantages/foundational elements of the SD-Access solution. You also lose other features such as contextual data of authenticated endpoints in DNA Center Assurance.

 

I'm not sure if an SD-Access deployment without ISE and with just a third-party RADIUS server is officially TAC supported, however it will technically work. I've tested this using Microsoft NPS and FreeRADIUS without any issues returning both VLAN IDs and SGTs in policy results.
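
The post above describes a third-party RADIUS server returning a VLAN ID and an SGT (via Cisco-AVPair) in its policy result. The following is an added example, not part of the thread or of any Cisco or Aruba code: a small check that such a result is well formed. It assumes FreeRADIUS-style attribute names, RFC 3580 VLAN attributes, and an AVPair value of the form `cts:security-group-tag=<4 hex digits>-<2 hex digits>`, none of which the thread itself states.

```python
import re

# Assumed value format: 4 hex digits (SGT), "-", 2 hex digits (generation ID).
SGT_RE = re.compile(r"^cts:security-group-tag=([0-9A-Fa-f]{4})-([0-9A-Fa-f]{2})$")
# RFC 3580 dynamic VLAN assignment needs these two values plus the group ID.
VLAN_FIXED = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}


def check_policy_result(attrs):
    """attrs: (name, value) pairs of one Access-Accept.
    Returns (sgt_decimal_or_None, vlan_or_None, problems)."""
    problems, sgts, tunnel = [], [], {}
    for name, value in attrs:
        if name == "Cisco-AVPair" and value.startswith("cts:security-group-tag"):
            m = SGT_RE.match(value)
            if m:
                sgts.append(int(m.group(1), 16))  # SGT is hex in the AVPair
            else:
                problems.append("malformed SGT AVPair: " + value)
        elif name.startswith("Tunnel-"):
            tunnel[name] = value
    if len(sgts) > 1:
        problems.append("more than one SGT returned")
    sgt = sgts[0] if len(sgts) == 1 else None
    vlan = None
    if tunnel:
        missing = [k for k, v in VLAN_FIXED.items() if tunnel.get(k) != v]
        if not tunnel.get("Tunnel-Private-Group-Id"):
            missing.append("Tunnel-Private-Group-Id")
        if missing:
            problems.append("incomplete VLAN assignment: " + ", ".join(missing))
        else:
            vlan = tunnel["Tunnel-Private-Group-Id"]
    return sgt, vlan, problems


# Constructed sample policy results (not taken from the thread).
GOOD = [("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Private-Group-Id", "1021"),
        ("Cisco-AVPair", "cts:security-group-tag=0011-00")]
BAD = [("Tunnel-Type", "VLAN"), ("Tunnel-Private-Group-Id", "1021"),
       ("Cisco-AVPair", "cts:security-group-tag=17")]

if __name__ == "__main__":
    print(check_policy_result(GOOD))
    print(check_policy_result(BAD))
```

A result that fails this check would typically leave the endpoint without the intended tag or VLAN, so it is worth running against exported policy results before relying on them for segmentation.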

Hi

 

You can use ClearPass for sure if you are not using SDA.

But if you want to use SDA with micro segmentation, why should you keep your old RADIUS server?

In that case you need to maintain 2 separate boxes that are capable of doing the same. But it is possible.

If you want to use SDA then you can't integrate your Wi-Fi into the SDA fabric. There you need to do over-the-top wireless, and from this point you lose all the functionalities of an SDA fabric.

In the future, local switching/FlexConnect will be supported. But for the moment it isn't.

 

 

Kind regards,

Kristoff

Hello Kristof

 

So I have read that you can integrate ISE with Aruba's controller/AP, so is it possible to use combination of Cisco DNAC, ISE and Aruba's controller/AP?

Is it going to be as good as DNAC with Cisco WLC, or are there going to be limitations?

Hi Asfandyar,

 

You can use ISE in combination with Aruba WLC/APs for sure; as long as you send the correct RADIUS attributes to the WLC/APs it will work. This information is something you will probably find in the configuration guide of the Aruba WLCs.

The combination DNA-C/ISE/Aruba WLC/AP's will be limited if you compare it with the full Cisco Solution.

This is because DNA-C does not support Aruba WLC/AP's out of the box like it does with Cisco WLC/AP's.

 

So the things that you will lose are the assurance and automation parts. If you write an SDK for the Aruba WLC/APs for DNAC you will probably have some more info in DNA-C, but this is something Cisco is not providing for the moment.

So to conclude if you want to have the full benefit of DNA-C you need to go the full Cisco stack.

DNA-C/ISE/switches/wireless.

 

Kind regards,

Kristoff

Hello Will

 

So I have read that you can integrate ISE with Aruba's controller/AP, so is it possible to use combination of Cisco DNAC, ISE and Aruba's controller/AP?

Is it going to be as good as DNAC with Cisco WLC, or are there going to be limitations?