DNAC to ISE Integration - SSH

ryanbess
Level 1

We're having some debate internally around when DNAC needs to log into ISE via SSH.  In our environment ISE and DNAC are owned by 2 different teams, thus we want to limit who knows what credential.  What happened was that we learned the SSH cred and the web cred are actually 2 different credentials (albeit the same username/password at time of install), so they are subject to 2 different password policies.  In this case the SSH credential expired and forced us to change the credential.  In working with some of our Cisco reps, they stated they needed to be the same username/password and DNAC would use SSH.  When we updated the SSH password we saw no impact on DNAC, so we're wondering why we keep being told to keep them in sync. Hoping this forum can shed some light because, as best I can tell, and per the below, it only needs it at time of initial setup.  What are others doing? 


Per the below it is documented that DNAC to ISE via SSH is only for the initial config. 

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html

see the section called "Cisco DNA Center Outbound to Device and Other Systems"


balaji.bandi
Hall of Fame

When you are integrating ISE and DNAC there are 3 parts (SSH is one of them).

When DNA Center (Catalyst Center) and ISE are integrated initially, there is an SSH session that is established. That SSH session is used to share the certificates with each other. So ISE shares its certificates with DNA Center, and DNA Center shares its certificate with ISE.

check below guide :

https://community.cisco.com/t5/networking-knowledge-base/how-to-cisco-dna-center-ise-integration/ta-p/3896410

BB


Greg Gibbs
Cisco Employee

The use of SSH as part of the integration process was dropped after DNAC (Catalyst Center) version 2.2.1.0. The entire integration process is now done by the APIs.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_30_segmentation.html#concept_wvx_cx3_x2b


So there are 2 documents, each published by Cisco, that are saying different things.  The one you referenced (last updated on August 4, 2020) says SSH isn't needed with DNAC 2.2.1.0.  The article I referenced (last updated Jan 22, 2024) says it is needed.  Which is correct?

Unfortunately, the newer document is incorrect. I suspect when that was updated, the table was not corrected. I would suggest submitting feedback on that document to suggest it needs correcting.

Thanks.  Will open a case with TAC and see what they say.  So all DNAC needs is an account that has ERS Admin permissions?

Yes, the ERS Admin account is used for the integration with Catalyst Center.

TAC may also refer you to the feedback link on the document. You can submit feedback on the document directly on the page.


Does this mean we can create a local account on ISE that is just a member of the ERS Admin group for the integration, rather than using the local admin account?

What about external authentication, or is the ERS API just local authentication?

Yes, that is the expectation.

I created an admin user (ers-admin) on ISE that is just a member of the "ERS Admin" group and this doesn't work.  I just get a message saying 'The Cisco ISE credentials provided are invalid'.

I can successfully login to the ERS admin web service from a PC (https://ise-server:9060/ers/sdk) using the ers-admin account I created.

Hi,

Just wanted to give you a heads up that in the Catalyst Center release Cisco has made changes to how the integrations will work for "ERS-admin" and the API integrations. The documentation *clearly* states that you need to be a "Super-Admin" in ISE for the integration to work, although a lot of documentation (including Cisco Live presentations) still wrongly states that you just need ERS-admin for it to work.

I have done countless integrations between DNAC/ISE and here is how it actually works:

... PRE Catalyst Center branding release:
-ISE will need SSH cli admin account
-ISE will need GUI super admin account (can be externally authenticated and mapped to AD-groups etc that is mapped to Super-Admin role)

...Catalyst Center release...
-ISE will still need a local SSH admin account to get a "successful integration" (but it's not really used)
-ISE will need GUI Super Admin role access *but it has to be LOCALLY configured in ISE*

The main difference with the GUI account is that Cisco changed the way the ERS/API integrations work with ISE in the "Catalyst Center" release, so that for some reason you cannot use an externally mapped Super-Admin role in ISE.

That said, you can also skip the SSH Admin CLI account and it will still work (but will generate some cosmetic errors here and there).

Yes you need the GUI local account to be Super Admin (everything else will *not* work regardless of what documentation states, and actually the admin guide for catalyst center also clearly states this!).

Bottom line is, I still see the "Catalyst Center" release as a form of beta release as of now. A lot of cosmetic errors, in general vague documentation about how things work .... a lot of things changed (example: provision jobs, compliance checks etc.) for the worse (15-click processes instead of 3-click processes)...

And everyone that has done proper service-account integrations is having issues with the Catalyst Center release due to what I mentioned above and it being undocumented! So, sadly... @andrew.butterworth you will need that Super Admin account local in ISE.

HTH
-Daniel
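Before handing a candidate ISE service account to Catalyst Center, it helps to test it against ERS the same way Andrew did with the /ers/sdk page, but scripted so the result is unambiguous. This is an added example, not code from this thread or from Cisco: the ERS port 9060, the GET /ers/config/networkdevice collection and HTTP basic auth are real ERS behaviour; the host and credentials are placeholders, and the reading of each status code is my assumption.

```python
"""Probe Cisco ISE's ERS API with a candidate service account.
Added example (not from the thread or Cisco). Host/credentials are placeholders."""
import base64
import ssl
import urllib.error
import urllib.request

ERS_PORT = 9060                            # ERS listens here when enabled on ISE
ERS_PATH = "/ers/config/networkdevice"     # any ERS config collection will do


def build_request(host, user, password, port=ERS_PORT, path=ERS_PATH):
    """GET with HTTP basic auth; ERS also wants an explicit Accept header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}:{port}{path}",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )


def classify(status):
    """Translate the HTTP status into what it says about the account (assumed mapping)."""
    if status == 200:
        return "ok: account is accepted by ERS and can read config"
    if status == 401:
        return "rejected: wrong password, or account is not in an ERS-capable group"
    if status == 403:
        return "authenticated but forbidden: account lacks the role this call needs"
    return f"unexpected HTTP {status}"


def probe(host, user, password, opener=None, verify_tls=True):
    """Run the probe and return a one-line diagnosis.
    `opener` is injectable so the logic can be exercised without a live ISE."""
    req = build_request(host, user, password)
    if opener is None:
        ctx = ssl.create_default_context()
        if not verify_tls:                 # only for lab ISE with a self-signed cert
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(req, timeout=10) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
        return classify(err.code)
    except (urllib.error.URLError, OSError) as err:
        return f"no answer on {ERS_PORT} ({err}); ERS is probably not enabled on ISE"


if __name__ == "__main__":
    print(probe("ise.example.invalid", "ers-admin", "PLACEHOLDER-PASSWORD"))
```

A 200 here only proves the account is accepted by ERS; it does not show whether the account satisfies the local Super Admin requirement Daniel describes, so treat it as a pre-check, not as proof the Catalyst Center integration will succeed.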

Sorry to bump this so many months on, but do you know if the requirement for an ISE superadmin account is still the case with CatC 2.3.7.6?