4326 Views, 6 Helpful, 5 Replies

Integrating Cisco ISE 3.1 with DNA Center

adam.james (Level 1)

Hi All. 

Can anyone help with an error message I'm getting on DNAC when trying to integrate ISE?

The error is as follows:

javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate

I have 4 ISE nodes, primary and secondary PANs, all running the latest patches and all with CRSs added to them, including the pxGrid certificate. Also I have ensured that ERS is enabled, and SSH. Both DNA and ISE can ping each other. One point which I'm confused over is that documents advise having the same username and passwords on both devices. Why is this, and should I be adding DNAC as a user in the Admin user settings?

Is anyone able to explain exactly what this error message means and what action exactly I need to take to fix this? Just as an FYI, ISE and DNA are new to our company and integration has never worked.

Many Thanks

Adam
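What the exception in the question actually means, as an added note and example that is not part of the thread: the text "critical policy qualifiers present in certificate" is produced by Java's default PKIX path validator, which refuses any certificate in the presented chain whose Certificate Policies extension is marked critical and also carries policy qualifiers (a CPS URI or a User Notice). The TLS connection DNAC opens to ISE is therefore failing on the ISE admin or pxGrid certificate, or on one of its issuing CA certificates, not on credentials, ERS or reachability. The clean fix is on the certificate side: reissue the offending certificate (or the intermediate that carries the extension) with the policies extension non-critical, or without qualifiers, and re-import it into ISE. The script below, written for this page and assuming only the openssl CLI, reproduces that check over a PEM bundle; it builds two made-up self-signed certificates (the CN, OID and URL are invented) so it runs offline, and it works the same way on a chain saved from `openssl s_client -connect ise-pan:443 -showcerts`.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco. Flags certificates
# that Java's default PKIX validator rejects with
# "critical policy qualifiers present in certificate": a Certificate Policies
# extension that is critical AND contains CPS / User Notice qualifiers.
# Assumes the openssl CLI is on PATH; the CN, OID and URL below are made up.
set -eu

# Return 0 if the single PEM cert in $1 has a critical Certificate Policies
# extension carrying at least one qualifier, 1 otherwise. Parses the text
# dump: extension headers sit at 12 spaces of indent, their bodies at 16+.
has_critical_policy_qualifiers() {
  openssl x509 -in "$1" -noout -text | awk '
    /X509v3 Certificate Policies:/ { in_ext = 1; crit = ($0 ~ /critical/); next }
    in_ext { match($0, /^ */); if (RLENGTH < 16) in_ext = 0 }   # left the extension body
    in_ext && crit && /(CPS:|User Notice:)/ { found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# Check every certificate in a PEM bundle (e.g. the chain ISE presents, saved
# with: openssl s_client -connect ise-pan:443 -showcerts </dev/null > chain.pem).
# Prints one verdict per cert; returns 0 if at least one would trip Java.
check_bundle() {
  tmp=$(mktemp -d)
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (dir "/c" n ".pem") }' "$1"
  hit=1
  for f in "$tmp"/c*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject)
    if has_critical_policy_qualifiers "$f"; then
      echo "REJECT  $subj"; hit=0
    else
      echo "ok      $subj"
    fi
  done
  rm -rf "$tmp"
  return $hit
}

# Build a throwaway self-signed cert. $1 = output file, $2 = "critical, " or "".
# The policy section always carries a CPS qualifier; only the critical flag varies.
make_cert() {
  d=$(mktemp -d)
  cat > "$d/cfg" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ext
[ dn ]
CN = ise-pan.example.invalid
[ ext ]
certificatePolicies = ${2}@pol
[ pol ]
policyIdentifier = 1.3.6.1.4.1.99999.1
CPS.1 = https://pki.example.invalid/cps
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$d/key.pem" \
    -out "$1" -config "$d/cfg" 2>/dev/null
  rm -rf "$d"
}

# Constructed sample input: one cert mimicking the failing case (critical
# policies + qualifier) and one with the same policy left non-critical.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BAD_CERT="$WORK/critical.pem"
GOOD_CERT="$WORK/noncritical.pem"
make_cert "$BAD_CERT" "critical, "
make_cert "$GOOD_CERT" ""
cat "$BAD_CERT" "$GOOD_CERT" > "$WORK/chain.pem"

# Prints REJECT for the first cert and ok for the second.
check_bundle "$WORK/chain.pem" || true
```

Run it against the real chain by replacing the constructed bundle with the file saved from `openssl s_client -showcerts`; any line marked REJECT names the certificate that has to be reissued before DNAC's PKIX validation can succeed.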

Accepted Solution

Arne Bier (VIP)

Hi @adam.james 

There is no need to add DNAC as an admin user in ISE. The process works as follows:

When you tell DNAC to integrate with ISE, DNAC will SSH to the IP address of ISE that you specified. It must be the ISE CLI admin account details. And make sure that the same username (e.g. let's assume you used 'admin') also works on the ISE PAN Web UI login as a local user. Just check that you can SSH to the PAN CLI and log in to the PAN UI using the same username/password that you provide during the DNAC integration dialogue.

ERS needs to be enabled in ISE, but you have done that already.

The Shared Secret is the common RADIUS/TACACS+ shared secret that DNAC will push to devices and ISE once the system is integrated.

I got this working the other day with ISE 3.1 p3 and DNAC 2.2.3.3. Worked like a charm, which was a surprise to me, since in the past it's always been an uphill battle. BTW, the DNAC is still using a self-signed cert, and the ISE pxGrid cert is also self-signed (default). I have no appetite to mess with that delicate setup ...


5 Replies

Did you already validate that your DNAC and ISE versions are compatible? https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/dnac_compatibility_matrix/index.html

Hi. I'm currently on vacation. I actually didn't think to check compatibility, I just assume! Will check when I'm back.
Thanks


Hi Arne. Many thanks for the reply. I'm currently on vacation; I need it after the ISE setup I've been trying to do, lol.
I will check when back in the office.
Once again thanks.
Adam

Arne,

Since 2.2.2.b at least, ISE CLI creds are not needed anymore. Only an admin configured in the ISE UI is used for the REST API.