ISE and DNAC integration.

bakaholic39
Level 1

Hi all,

I have ISE 3.1 integrated with DNAC 2.3.5.5 and I would like to know about the certificates that they exchange.

In ISE's trusted certificates, are there any DNAC certificates to trust? And in DNAC's trust pool, are there any ISE certificates to trust? If these certificates are about to expire, do I need to renew them, or are they automatically renewed by themselves?

Any suggestions about the certificate for integration between these two products?

Thank you.

1 Reply

Arne Bier
VIP

I did some lab work around this point recently, because I could not find a clear answer in the documentation. If this is explained somewhere, then I would like to have the web link.

In DNAC there are two types of certs:

  • DNAC System Certificates
    • Valid for 1 year
    • Automatically renew themselves
  • DNAC Root CA Certificate
    • Valid for 5 years on systems built prior to DNAC 2.2
    • Valid for 15 years on systems built fresh from DNAC 2.2
    • Automatically renews itself.
    • Automatically re-provisions all network devices (IOS-XE) after a DNAC Root CA renewal
    • Network devices request a certificate from DNAC via SCEP – certificate is valid for 2 years and automatic renewal is initiated by the device

When you integrate DNAC with ISE, DNAC will need to trust the ISE Admin certificate:

  • ISE Admin certificate is used to establish trust between ISE and DNAC – this certificate is not auto-renewed. In production this certificate is typically valid for more than 10 years.