11-01-2024 11:21 AM
Hi
Can someone please tell me
a. how to add a PSN to Network settings in DNAC I dont see the PSN in the options we do have a primary PSN but want to add a secondary.
b.what Cert does ISE use to intergrate with DNAC e.g pxgrid nodes, psn nodes, pan nodes
Thanks
Solved! Go to Solution.
11-02-2024 04:34 AM
11-01-2024 11:43 AM
a. Design/Network settings/Servers
b. the one u assign to PxGrid function in the ISE Administration/Certficates/System Certificates
11-02-2024 12:48 AM - edited 11-02-2024 12:49 AM
a. Design/Network settings/Servers
Yes but I dont see the PSN in the options, its a new PSN build I upgraded it
b. the one u assign to PxGrid function in the ISE Administration/Certficates/System Certificates
I dont understand what you are saying here ??
Thanks
11-02-2024 04:34 AM
1.
2. i mean this:
11-02-2024 06:10 AM - edited 11-02-2024 06:11 AM
@Andrii Oliinyk I know how to add a Server in the settings the issues I have is in the dropdown for Secondary PSN the PSN IP Address isnt there. I have upgraded the PSN but the IP has stayed the same, How do I make the PSN visible to DNAC.?
I think it might have benn deleted it accident from Network settings
Thanks
11-02-2024 06:53 AM
u have fields for PSNs or not?
if u have then just type IPs there...
11-03-2024 10:06 AM
So if I want to add a PSN Server to DNAC whats the shared secret, Is it the ssh account I use for ISE ??
Thanks
11-04-2024 12:08 AM
This PSK is essentially key being used by NADs to RADIUS with PSNs.
Similar is for TACACS. Pls be encouraged to read documents suggested in this thread.
11-01-2024 11:44 AM
@N3om refer to the Cisco guide with instructions how to integrate DNAC with ISE - https://community.cisco.com/t5/networking-knowledge-base/how-to-cisco-dna-center-ise-integration/ta-p/3896410
pxGrid is used to exchange date between ISE and DNAC, so the pxGrid certificate is used. FYI, you need to ensure the pxGrid certificate has the Server and Client Auth EKU.
11-02-2024 04:38 AM
check the requirement and nice guide available here :
you have to enable single node pxgrid enable.
11-02-2024 03:20 AM
Hi
I have been looking at the Cisco ISE upgrade journey doc for 3.3, I do not see any mention of what happens during the ISE upgrade to the ISE-DNAC Intergration, does the Intergration change during the upgrade?.
Also if I use the split upgrade for ISE I will upgrade first DC in this order SEC-PAN first and then one PSN and then 1 pxgrid node.
what do I do about the Intergration now when one DC is on 3.3 and the other DC is still on 3.0.??
Thanks
11-02-2024 04:04 AM
Integration DNAC-ISE(ERS&PxGrid) doesnt change, but states of integration will surely reflect states of xPANs & xPxGrids. DNAC uses only primary nodes for data exchange. secondary nodes are just periodically polled for liveness.
No idea how it works with split upgrade.
i prefer backup & restore with isolation of migrated part of ISE-cube from production (meaning deregistering it from both old ISE deployment & DNAC). Many works&precautions of course, but it's most reliable method i see which wouldnt bring DNAC-ISE integration in the inconsistent state. Again, it's assuming the DNAC doesnt show up with integration-relevant bugs which it's full of. Otherwise any different from backup&restore ISE upgrade methods would be under greater risk of failure from DNAC-ISE integration pov.
11-02-2024 06:41 AM - edited 11-02-2024 06:53 AM
@Andrii Oliinyk (Dnac uses only primary nodes for data exchange. secondary nodes are just periodically polled for liveness)
So say as an example if I had 2 PAN-MNT nodes 2 PSNs 2PXGRID Nodes are you saying that DNAC only talks to PRI PAN for information and not the other nodes, If so whats the point of PXGRID Nodes?
Also on the subject of ISE upgrade, if the ISE Node IPS were staying the same wouldnt the Intergration just continue anyways as nodes wee upgraded.??
11-02-2024 07:02 AM
1. ERS integration toward ISE/xPANs ; bc sPAN doesnt serve ERS until promoted to primary, why would DNAC make ERS calls to it?PxGrid is toward ISE/xPxGrids for thePxGrid topic. & even though from ISE perspective all PxGrid personas are Active, DNAC marks 2nd PxGrid as Standby. So i assume it communicates on the PxGrid topic in the same manner as it does with ERS.
2. ISE IPs stay unchanged. & it's one of precautions u have to consider to not mix 2 cubes concurrently for both AAA & integrations with DNAC.
cheers
 
11-02-2024 07:13 AM
@Andrii Oliinyk  Ah ok I see what you mean as I would have nodes in the new deployment and nodes still in the old deployment so DNAC wouldnt like this ???
(ISE IPs stay unchanged. & it's one of precautions u have to consider to not mix 2 cubes concurrently for both AAA & integrations with DNAC.)
 
					
				
				
			
		
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide