
ISE (Version 3.1P5) and DNAC (Version 2.2.3.6) Integration

zachartl
Level 1

Hello,

We've attempted ISE Integration but are unable to see a DNAC "Client" within the pxGrid Services ; Client Management ; Clients Page.

pxGrid is enabled within the Primary and Secondary PANs within the General Settings Page and Profiling Settings Page. However, the Device Admin Service is not enabled within these nodes (for what it's worth). The Device Admin Service is enabled on Two Other Appliances within the Deployment.

ERS is enabled (Please see enclosed).

We've created the Scalable Group DNAC within DNAC and we get a message within that Window that ISE has not been integrated with DNAC (Please see enclosed).

What is befuddling to us is we are able to successfully add The ISE PAN to DNAC and it appears normally within DNAC (Please see enclosed).

Both DNAC and ISE are utilizing CA Signed Certificates by our Internal CA.

We can't seem to get a pxGrid Client listed within ISE's pxGrid Page and so we go partially integrated. Is there an up-to-date procedure about? I cannot seem to locate a recent reference.

Thank you in advance,

Terry

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee

@zachartl

Your Auth - Policy Servers in DNAC - Cisco ISE.PNG shows only T+ as protocol. For Group-based Access Control, we should pick RADIUS protocol. If you also need T+, then check both of them. Please update that and re-enter the credentials of an ISE admin user used for this integration.

 


4 Replies

According to https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/dnac_compatibility_matrix/index.html 

2.2.3.6 shows as compatible with 3.1 Patch 5 so this should work.  I would say TAC would be your next best bet.

Greg Gibbs
Cisco Employee

The first thing I would confirm is that the certificate template you are using for the ISE and DNAC pxGrid certificates is configured such that the Extended Key Usage (EKU) includes both the 'Client authentication' and 'Server Authentication' usages. This is not entirely common, so you typically need to create a new template for pxGrid.

See the following guide for an example:
http://www.network-node.com/blog/2015/12/24/server-2012-configuration-certificate-templates

The certificate used for DNAC would need to use this pxGrid certificate template and, in the ISE configuration, you would need to tick the 'Use Cisco DNA Center Certificate for pxGrid' option as per Step 5 in the DNAC Admin Guide.

If you already have the ISE connection configured, but you need to replace the DNAC cert with one that has both EKU usages, you will likely need to delete the ISE connection and reconfigure it.

If all else fails, you might need to engage TAC.
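
The EKU check described in the reply above, as an added example that is not part of the original post or of any Cisco tooling: it reads the text form of a certificate and reports which of the two usages is missing. The function names and the sample text are constructed for illustration; feed it real input with `openssl x509 -in <cert.pem> -noout -text | check_pxgrid_eku`.

```sh
#!/bin/sh
# Added example. Input on stdin: output of `openssl x509 -noout -text`.

# Print the usages listed under "X509v3 Extended Key Usage", one per line.
eku_list() {
    awk '
        /X509v3 Extended Key Usage/ { grab = 1; next }  # values are on the next line
        grab {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])   # trim surrounding whitespace
                if (parts[i] != "") print parts[i]
            }
            grab = 0
        }
    '
}

# Return 0 when both usages are present; otherwise name what is missing, return 1.
# A certificate with no EKU extension at all is reported as missing both.
check_pxgrid_eku() {
    usages=$(eku_list)
    missing=""
    for want in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        printf '%s\n' "$usages" | grep -qxF "$want" ||
            missing="${missing}${missing:+, }${want}"
    done
    if [ -n "$missing" ]; then
        echo "missing EKU: $missing"
        return 1
    fi
    echo "EKU ok: server and client authentication present"
}

# Constructed samples of the relevant part of the openssl text output.
# A template that only allows server authentication:
SAMPLE_WEB_ONLY='            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'
# A template with both usages:
SAMPLE_PXGRID='            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication'

printf '%s\n' "$SAMPLE_WEB_ONLY" | check_pxgrid_eku || true
printf '%s\n' "$SAMPLE_PXGRID" | check_pxgrid_eku
```

Run it against both the ISE pxGrid certificate and the DNAC certificate before configuring the integration.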

 

 


Hello,

I only had TACACS+ enabled, thinking RADIUS unnecessary, even though I have Two PSNs configured to manage RADIUS and Two PSNs configured to manage TACACS+. It did indeed matter. So I selected Both RADIUS and TACACS+ and, for what it's worth, I moved EAP capability from the default self-signed certificate to the pxGrid signed Certificate. The pxGrid Subscriber id was then created and I was able to pick it up later in the ISE pxGrid Clients / Clients Management Pane. I enabled it there and we appear to be going okay. Thank you all for your input!