Beginner

Which ISE node do I connect from DNAC for pxGrid?

Hi,  In a four node ISE setup (two PSN, and two MnT), which of them do I connect to from DNAC for integration?  Do I need to enable pxGrid on all nodes?  What cert requirements are necessary on the ISE side?

 

Thanks,

daniel

Accepted Solutions
Beginner

Re: Which ISE node do I connect from DNAC for pxGrid?

Hi Cumminsdm,

 

As already mentioned, for the beginning it is enough to add the Primary PAN. Make sure port TCP/443 is open between DNAC and ISE for pxGrid.

ISE and DNAC will automatically exchange certificates.

If the primary PAN is successfully added, you can see all 4 ISE nodes in the Design section.

If you furthermore want external authentication for DNAC web login, so you can log in, e.g., with your domain user account, you also want to add your PSNs under "Authentication and Policy Servers".

Here is a great guide for TACACS+ (but it will also work for RADIUS, if you ignore the TACACS+-specific options).


.:|:..:|:.Please rate helpful posts.:|:..:|:.

VIP Advisor

Re: Which ISE node do I connect from DNAC for pxGrid?

Hi,

I assume the PAN roles are also on your MnT nodes? If so, then pxGrid is probably best enabled on the PSN nodes. Bear in mind that normally pxGrid would be dedicated PSNs (that are not also performing dot1x/TACACS authentication)... it would depend on the current load of your PSN.

 

Here is a reference guide for ISE and DNAC integration.

 

The pxGrid certificate needs Server and Client EKU; reference guide to ISE pxGrid certificates here and here.

 

HTH
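
The Server and Client EKU requirement mentioned in the reply above can be checked on a certificate file before it is imported. This is an added example, not part of the original thread or of Cisco's tooling; it assumes the `openssl` CLI and a PEM file, and the function names and the `pxgrid.example.test` test certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a PEM certificate lists both EKUs named in the reply.

# has_pxgrid_eku CERT.pem
#   returns 0 = both EKUs present, 1 = one or both missing, 2 = unreadable file
has_pxgrid_eku() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    # openssl prints the EKU values on the line after the extension header.
    eku=$(printf '%s\n' "$text" |
        awk '/X509v3 Extended Key Usage/ { getline; print; exit }')
    missing=""
    case $eku in *"TLS Web Server Authentication"*) ;; *) missing=" serverAuth" ;; esac
    case $eku in *"TLS Web Client Authentication"*) ;; *) missing="$missing clientAuth" ;; esac
    if [ -n "$missing" ]; then
        # A certificate with no EKU extension at all is also reported here
        # (assumption: the requirement means both values must be listed).
        echo "$1: missing EKU:$missing" >&2
        return 1
    fi
    echo "$1: serverAuth and clientAuth EKU present"
}

# make_sample_cert OUT.pem EKU_LIST
#   Constructed self-signed test certificate (hypothetical CN, not an ISE cert).
make_sample_cert() {
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = pxgrid.example.test
[ext]
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$cfg.key" -out "$1" \
        -days 1 -config "$cfg" 2>/dev/null
    rc=$?
    rm -f "$cfg" "$cfg.key"
    return $rc
}

# Check a file when one is given on the command line.
if [ "$#" -gt 0 ]; then has_pxgrid_eku "$1"; fi
```
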

Contributor

Re: Which ISE node do I connect from DNAC for pxGrid?

As per Cisco documentation, you should integrate DNAC with ISE PAN primary node in a distributed deployment.

 

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-2/install/b_dnac_install_1_2/b_dnac_install_1_2_chapter_010.html

 

-Rate helpful posts-
Beginner

Re: Which ISE node do I connect from DNAC for pxGrid?

Thank you!  This is a very helpful depiction.  However, does anyone know if it is necessary to turn on the pxGrid function on the PSNs, or will the admin node(s) adequately parse the necessary data feed?

Beginner

Re: Which ISE node do I connect from DNAC for pxGrid?

Hi cumminsdm,

Just have a look at the installation guide: you can enable pxGrid on the PAN, but you do not have to. "You can enable pxGrid on any of the other Cisco ISE nodes in your distributed deployment".

In my deployments I enable pxGrid just on the PANs and not on the PSN (if the customer has a multi-node deployment).


.:|:..:|:.Please rate helpful posts.:|:..:|:.