
Trouble adding ISE server in Network Settings

vv0bbLeS
Level 3

Hello all,

I'm doing the CCIE Practice Labs so I can get practice with SDA. One of the first things I'm doing in SDA is the integration of DNAC with ISE (in the lab, the DNAC is version 2.3.5). The integration works fine, and during the integration I use the Advanced Settings to check both the Radius and TACACS checkboxes, since I want this ISE server to be used for both endpoint authentication and switch authentication.

After the DNAC/ISE integration I do the Policy migration, which also works great.

So at this point, in System > Settings > External Services > Authentication and Policy Servers, I have an ISE server defined there, with an IP address and Protocol = RADIUS_TACACS and Type = ISE and Status = ACTIVE. So all seems well.

I then go to Design > Network Settings to add a AAA server (i.e. Add Servers > AAA) to the Global area. I check both the Network and Client/Endpoint checkboxes, and then I start configuring the Network section first.

  1. Under the Network > Servers heading, I click the ISE radio button since the server I added above is of Type = ISE, and I select my ISE IP address from the drop-down menu.
  2. Under the Network > Protocol heading, I click the TACACS radio button since I want my network authentication to use TACACS. HOWEVER, when I click the IP Address (Primary) drop-down menu to select my ISE IP address, there are no IP addresses available to select. If I change the protocol to RADIUS instead, I do get an IP address available in the drop-down, but I don't want to use RADIUS, I want to use TACACS for this Network part. (Additional info - underneath the IP address (Primary) drop-down box, it does have text that says (Only device administration nodes) ).

I'm confused by the end of Step 2 above, where there are no IP addresses available in the IP Address (Primary) drop-down menu when I try to add a AAA server and use TACACS for the Network section. What do I need to do to get an IP address listed in this drop-down for selection?

  • Looking at the DNAC 2.3.5 guide, it says:
    • Step 6

      Choose the Servers for authentication and authorization: ISE or AAA.

      • If you choose ISE, configure the following:

        • From the Network drop-down list, choose the IP address of the Cisco ISE server. The Network drop-down list contains all the IP addresses of the Cisco ISE servers that are registered in System Settings on the Cisco DNA Center home page. Selecting a Cisco ISE IP populates the primary and additional IP address drop-down lists with Policy Service Node (PSN) IP addresses for the selected Cisco ISE. You can either enter an IP address for the AAA server or choose the PSN IP address from the IP Address (Primary) and IP Address (Additional) drop-down lists.

  • However, in my case, selecting the Cisco ISE IP in the Network drop-down menu does not populate anything in the IP Address (Primary) drop-down menu.
0xD2A6762E
1 Reply

Key point there is "ISE or AAA". Looking at your move "to add a AAA server", I guess you missteered somewhere.
Because with the 1st stages of integration you made, DNAC must be communicated by PAN with configured policy servers you must choose as such. I didn't touch SDA for about a year, so I have to look in a live deployment to steer you in the proper direction. Without promises to be ASAP.