cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1416
Views
11
Helpful
5
Replies

DNA center integrated with 2 ISE deployments

Hello,

 

In an ongoing project our customer needs to integrate the DNA deployment with 2 separate ISE deployments : one is specific to the guest wireless use case.

 

Is it possible to integrate DNA with two ISE deployments ? If so, how can we configure DNA to push devices and SGTs only on one ISE, and push different ISE configurations to devices based on use cases (for instance push the "regular" ISE deployments to switches, but push both to the WLC, and then on the WLC configure most SSIDs with the primary deployment and use the secondary for the guest) ?

 

If this is not supported by DNA, could it be done with templates pushed from DNA ?

 

Thanks,

Have a nice day.

5 Replies 5

Dan Rowe
Cisco Employee
Cisco Employee

You cannot integrate DNA Center with multiple ISE instances. However, on DNAC you can integrate the ISE instance as an ISE server then add the second ISE instance as a traditional AAA server.

Thanks, and do we have a way to tell DNAC for which use case to use which server ?

 

Hi Tom, at this moment, when customers want to use a second ISE cluster specifically for fabric wireless guest access, they manually change the RADIUS servers on the guest SSID in the fabric WLC to point to the other/second guest ISE cluster. At this precise moment the push of a second ISE cluster PSN IPs is not automated by DNAC. The manual addition of PSN RADIUS servers to the fabric wireless guest SSID is considered an SDA design exception since you are bypassing the DNAC automation. Please engage with your Cisco SE/AM/CX contact to get the exception approved. In future we will be automating it through DNAC, but for now it's a manual process. Best regards, Jerome

Hello

any hints on have the subject been improved since 2020?

In the DNAC UI we can set AAA servers per SSID, this is true for both Fabric-Enabled Wireless and non-Fabric wireless. These "extra" AAA servers are not integrated to DNAC however, so if there's SGACLs and Group-Based Policy that will need to continue to reside on the ISE cluster integrated to DNAC.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco