On which ISE node to enable pxGrid?

REJR77
Level 1

Hello

In a 2-node ISE deployment, where should I enable pxGrid to use with DNAC?

Only on the primary PAN or on both nodes?

If on both nodes, does it make sense to have a single certificate for both?

Thank you


Mike.Cifelli
VIP Alumni
In a 2-node ISE deployment, where should I enable pxGrid to use with DNAC?
Only on the primary PAN or on both nodes?
IMO you should enable it on both. Configure your nodes for PAN failover. Once this is done, within DNAC, when you add ISE under settings->Authentication and policy servers, connect to whichever node is the primary. Once DNAC subscribes (manage connections/settings in ISE: Administration->PxGrid Services), under System 360 you should see one of your nodes as pxGrid active and the other as secondary. This will ensure the connection to ISE remains. Note that in the event of the Primary PAN going down, you can always re-promote it to primary if you wish once failover has occurred.

Something else to note from my experience is that I have seen the pxGrid connection show as offline (down) between ISE and DNAC for some time, and this will not affect your fabric until you need to make GBAC changes. It will only begin affecting you if you rely on ISE (not DNAC) as the main GBAC driver. One example would be if you create a new SGT for an IP pool in ISE and then go to assign it in DNAC to a VN: the SGT will not populate due to no pxGrid connection. Also, as of later DNAC versions you can actually rely on DNAC to manage GBAC and switch ISE to read-only.

If on both nodes, does it make sense to have a single certificate for both?
Yes. Unless you feel it is necessary to utilize a wildcard scenario.
HTH!

Hi Mike,
Thanks for the clarification.
Should pxGrid certificates also be signed with the Client Auth and Server Auth EKUs for both ISE and DNAC, or only for ISE?

AFAIK you will want both EKUs for both ISE and DNAC. If you take a look in ISE at the default pxGrid_Certificate_Template it has both enabled. HTH!
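
The two certificate points from this thread (both EKUs present, one certificate shared by both nodes) can be checked with openssl before the certificate is imported. This is an added example, not part of the original posts; the node names are hypothetical and it assumes the shared certificate lists each node's FQDN as a DNS subjectAltName.

```shell
#!/usr/bin/env bash
# Added example: pre-import check for a pxGrid certificate shared by two nodes.
# Assumption: each node's FQDN must appear as a DNS subjectAltName.

# check_pxgrid_cert CERT.pem FQDN...
# Returns 0 only if the cert has both Server Auth and Client Auth EKUs
# and every listed FQDN is present in the SAN; 2 if the file is unreadable.
check_pxgrid_cert() {
    cert=$1; shift
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "unreadable certificate: $cert" >&2; return 2; }
    rc=0
    for eku in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        if ! printf '%s\n' "$text" | grep -qF "$eku"; then
            echo "missing EKU: $eku" >&2; rc=1
        fi
    done
    # The line after the SAN header reads "DNS:a.example, DNS:b.example".
    sans=$(printf '%s\n' "$text" | grep -A1 "Subject Alternative Name" |
           tail -n1 | tr -d ' ' | tr ',' '\n')
    for fqdn in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qixF "DNS:$fqdn"; then
            echo "node not in SAN: $fqdn" >&2; rc=1
        fi
    done
    return "$rc"
}

# make_sample_cert OUT.pem EKU_LIST SAN_LIST
# Builds a throwaway self-signed cert so the check can be exercised offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=pxgrid.example.test" -keyout "$1.key" -out "$1" \
        -addext "extendedKeyUsage=$2" -addext "subjectAltName=$3" 2>/dev/null
}

# Demo on constructed data (hypothetical node names ise-1/ise-2.example.test).
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/pxgrid.pem" "serverAuth,clientAuth" \
    "DNS:ise-1.example.test,DNS:ise-2.example.test"
check_pxgrid_cert "$demo_dir/pxgrid.pem" ise-1.example.test ise-2.example.test &&
    echo "pxGrid certificate OK for both nodes"
rm -rf "$demo_dir"
```

The SAN match is literal, so a wildcard certificate is reported as missing the node names and has to be reviewed by hand.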