ISE integration with cisco DNA

Amr Ali Mohamed
Level 1

Dears,

I need to understand which certificates are used between ISE and DNA, and, if I do not have an internal CA, how I can use the signed certificate and the DNA 

Accepted Solution

balaji.bandi
Hall of Fame

ISE and DNAC are integrated via ERS and pxGrid (common practice); if you do not have a PKI environment, ISE can act as CA.

Below is a document on ISE and DNAC integration.

https://community.cisco.com/t5/networking-knowledge-base/how-to-cisco-dna-center-ise-integration/ta-p/3896410

ISE can act as CA:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-30/217161-ca-service-and-est-service-on-ise.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


Arne Bier
VIP

@Amr Ali Mohamed - When reading up on DNAC and certificates, remember that in DNAC, there is the certificate that is used by the DNAC web UI (web server) and then there is the concept of the DNAC CA, which is DNAC's internal CA that issues certificates to the devices that you add into the Inventory. The DNAC/ISE integration is quite easy these days, because DNAC will do all the hard work for you, via REST API calls to ISE. There are also differences in how many years a cert is valid, based on what version of DNAC you are using, and even, what version you started on and upgraded to. It's one thing getting a cert installed, but then you have to keep an eye on the End Date of those certs, and whether or not you are responsible for updating them, or whether it's automatic. I have a personal preference for making these internal system certs (ISE/DNAC, DNAC/Devices) last as long as the software will allow you, to avoid this hassle of manual updates. It's common for public facing certs to be valid for 90 days or 365 days, but for internal facing systems like Cisco products, IMHO, this causes more problems than it's worth.
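A small check for keeping an eye on the End Date that the reply above warns about, added here as an example and not taken from the thread or from Cisco: it reads the leaf certificate an ISE or DNAC node presents (verified against the exported internal CA, a placeholder path) and reports whole days until expiry. The hostname, CA file and the sample certificate dict are constructed placeholders.

```python
import socket
import ssl
import time

def fetch_peer_cert(host, ca_pem, port=443, timeout=5.0):
    """Open a verified TLS connection to an ISE or DNAC node and return the leaf
    certificate as the dict produced by ssl.SSLSocket.getpeercert().
    ca_pem is the exported CA certificate (e.g. the DNAC CA or ISE CA) that
    issued the node's cert; without verification Python returns an empty dict."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def common_name(name):
    """Pull commonName out of the nested RDN tuples used by getpeercert()."""
    for rdn in name:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""

def expiry_status(cert, threshold_days=30, now=None):
    """Return subject CN, issuer CN, whole days until notAfter, and whether
    that is inside the renewal window. now is seconds since the epoch (UTC)."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    return {
        "subject": common_name(cert.get("subject", ())),
        "issuer": common_name(cert.get("issuer", ())),
        "days_left": days_left,
        "renew": days_left <= threshold_days,
    }

# Constructed sample in getpeercert() layout, standing in for a live fetch.
SAMPLE_CERT = {
    "subject": ((("commonName", "dnac.example.internal"),),),
    "issuer": ((("commonName", "DNAC-CA-placeholder"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    # On a live network: expiry_status(fetch_peer_cert("dnac.example.internal", "dnac-ca.pem"))
    print(expiry_status(SAMPLE_CERT))
```

The same loop run over the ISE admin node and the DNAC web UI address gives one place to watch both the integration cert and the DNAC CA-issued certs.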