
ISE DNAC PXGRID requirements

mpeeters
Cisco Employee


If a customer is planning to use ISE in their environment as a TACACS+ server, and DNAC for assurance and image management, will they need pxGrid and a pxGrid node to support that functionality?

8 Replies

hslai
Cisco Employee

The pxGrid services are not required if customers are using ISE as RADIUS/T+ servers but are not using its integration with DNAC for the workflows of group-based policies or related, and are not configuring Assurance to collect data from ISE.

Adding to hslai's comment, even if you need pxGrid functionality based on the use case (which is nice to have with Assurance), this could be collocated on an existing node. Depending on the design and scale, you might not need a dedicated pxGrid node, is all.

I am not clear as to what the use case is for any information DNA Assurance would gather from ISE via pxGrid. Would you provide some context on what would be lost if there were no ISE-DNA Assurance pxGrid linkage?

I understand that there is a pxGrid exchange of data for TrustSec aspects. What would be the benefits of pxGrid between DNAC and ISE if TrustSec is in play?

I've never played with Assurance without ISE integration so I can't be 100% on what would be missing. It was my understanding that ISE shares user and machine information it learns via pxGrid integration. Seeing as there are other ways to get user information from switches and WLCs, maybe DNA can pull this through alternate means. I've seen machine OS in Assurance, which you wouldn't get from anywhere but ISE.

For now I would plan on integrating with ISE if it's authenticating users in the environment; it takes little time. If someone knows different, I'm keen on hearing it.

I believe you are correct that the pxGrid use for DNAC is on scalable groups. DNAC also uses ERS to get data from ISE.

In my opinion, the main benefit of integrating DNAC & ISE via pxGrid is the automation aspect in regard to network policy and the ability to centrally manage it all via DNAC. Integrating the two will allow you to easily manage your CTS configuration including access contracts, SGTs, host on-boarding, & IP access control policies (L4 SGACLs). All of this information will be shared/imported to ISE using the pxGrid connection. As mentioned by others, it is fairly easy and straightforward to configure. I agree with @Damien.Miller: if you are authenticating users into the environment, I would connect the two platforms. I do not see/know of benefits from keeping the two separate.

If a customer wants to use ISE as a TACACS+ server, DNA-C & ISE integration will automate the network device on-boarding (addition) in ISE with a shared secret via ERS services during the discovery phase.

Please refer to this document if the customer needs only Assurance. ISE integration with DNA Assurance is optional. However, with ISE integration, Assurance gets usernames of the clients.

-Aravind