Cisco ISE Configuration for Cisco DNA Center
If your network uses Cisco ISE for user authentication, you can configure Cisco DNA Center for Cisco ISE integration. This enables you to see more information about wired clients, such as the username and operating system.
Beginning with Cisco DNA Center Release 1.3, Cisco ISE configuration is centralized within NCP (Network Control Platform). This enables you to configure Cisco ISE at one GUI location. The workflow for configuring Cisco ISE is as follows:
- Enter the Cisco ISE configuration details in NCP ( > System Settings > Settings > Authentication and Policy Servers).
- After the Cisco ISE server is successfully added, NCP establishes a connection with NDP (Network Data Platform) and sends the details of the pxGrid nodes, keystore, and truststore files.
- NDP uses the configuration received from NCP to establish a pxGrid session.
- NCP automatically detects pxGrid node failovers and persona moves and communicates them to NDP.
- If there are ISE deployment changes, NDP starts a new pxGrid session with a new pxGrid ACTIVE node.
Configure Cisco DNA Center for Cisco ISE Integration
Use this procedure to configure Cisco DNA Center for Cisco ISE integration.
Before you begin
- Enable Cisco ISE pxGrid services.
- Make sure the CLI and UI user accounts for Cisco ISE have the same username and password.
- Make sure the Cisco DNA Center version is 1.3 or later.
Note: Cisco DNA Center uses Cisco ISE internal certificate authority (CA)-signed certificates for integration with Assurance. To use a CA-signed certificate:
- The Cisco DNA Center pxGrid client certificate must have "client authentication" in its extended key usage (EKU) extension.
- Cisco ISE must be the issuer of the certificate in the truststore.jks file.
Procedure
Step 1: From the Cisco DNA Center home page, choose > System Settings > Data Platform > Collectors. The Collectors window appears.
Step 2: Click COLLECTOR-ISE. The COLLECTOR-ISE window appears.
Note: The COLLECTOR-ISE window is in read-only mode.
Step 3: In the Current Configurations tab, click Click to configure. The Authentication and Policy Servers window appears.
Step 4: To configure a Cisco ISE server, see Configure Authentication and Policy Servers.
Attention: If a configuration exists for the ISE collector, but Cisco ISE is not successfully configured in the Authentication and Policy Servers window, a banner appears. The banner prompts the Cisco DNA Center administrator to add the Cisco ISE configuration in the Authentication and Policy Servers window.
Step 5: (Optional) To anonymize (scramble) personally identifiable data, such as user ID and device host name, do the following:
- Click the icon, and then choose System Settings > Settings.
- Click Anonymize Data. The Anonymize Data window appears.
- Click Enable Anonymization.
Note: Once you enable anonymization, you can only search for a device using non-anonymized information such as the MAC address, IP address, and so on. If anonymization was enabled in Cisco DNA Center Release 1.2.10 and earlier, the setting is kept when upgrading to Cisco DNA Center Release 1.3.
Caution: Make sure that you enable anonymization before you run Discovery. If you anonymize the data after you run Discovery, new data coming into the system will be anonymized, but the existing data will not be.
Configure Authentication and Policy Servers
Cisco DNA Center uses AAA servers for user authentication and Cisco ISE for both user authentication and access control. Use this procedure to configure AAA servers, including Cisco ISE.
Before you begin
- If you are using Cisco ISE to perform both policy and AAA functions, make sure that Cisco DNA Center and Cisco ISE are integrated, as described in the Cisco Digital Network Architecture Center Installation Guide.
- If you are using another product (not Cisco ISE) to perform AAA functions, make sure to do the following:
  - Register Cisco DNA Center with the AAA server, including defining the shared secret on both the AAA server and Cisco DNA Center.
  - Define an attribute name for Cisco DNA Center on the AAA server.
  - For a Cisco DNA Center multihost cluster configuration, define all individual host IP addresses and the virtual IP address for the multihost cluster on the AAA server.
- Before you configure Cisco ISE, confirm that:
  - You deployed Cisco ISE version 2.3 or later in your network. If you have a multihost Cisco ISE deployment, integrate with the Cisco ISE admin node.
  - SSH is enabled on the Cisco ISE node.
  - The pxGrid service is enabled on the Cisco ISE host with which you plan to integrate Cisco DNA Center, and the ERS service is enabled for read/write operations.
  - The Cisco ISE GUI and Cisco ISE shell usernames and passwords are the same.
  - There is no proxy configured between Cisco DNA Center and Cisco ISE. If a proxy server is configured on Cisco ISE, the Cisco DNA Center IP address must bypass that proxy server.
  - There is no firewall between Cisco DNA Center and Cisco ISE. If there is a firewall, open the communication between Cisco DNA Center and Cisco ISE.
  - A ping between Cisco DNA Center and Cisco ISE succeeds with both the IP address and the hostname.
  - The Cisco ISE admin node certificate contains the Cisco ISE IP address or FQDN in either the certificate subject name or the SAN.
  - If a third-party certificate is used, the certificate includes all IP addresses in the SAN field.
  - The pxGrid approval is set to automatic or manual approval in Cisco ISE to enable the pxGrid connection in Cisco DNA Center.
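The certificate and name-resolution prerequisites above (the ISE IP or FQDN in the subject CN or SAN, every ISE IP in the SAN for a third-party certificate, and the hostname resolving to the address you ping) are the ones most often found wrong only after the pxGrid connection fails. The following is an added pre-check script, not Cisco's code and not part of this guide; it works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, so the same function can be run against a constructed sample (as below) or against the certificate fetched live from the ISE admin node with fetch_peer_cert, which is an assumed helper that needs the ISE CA chain in PEM form. The hostnames and addresses in the samples are constructed.

```python
"""Pre-integration checks for the Cisco ISE admin node certificate and
name resolution. Added example; not Cisco's own code."""
import ipaddress
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# an ISE internal-CA certificate carrying both the FQDN and the IP.
ISE_CERT_OK = {
    "subject": ((("commonName", "ise-admin.example.com"),),),
    "issuer": ((("commonName", "Certificate Services Endpoint Sub CA - ise-admin"),),),
    "subjectAltName": (("DNS", "ise-admin.example.com"), ("IP Address", "10.0.0.5")),
}

# Constructed sample of a third-party certificate whose SAN lists the FQDN
# only; it fails the "all IP addresses in the SAN" prerequisite.
ISE_CERT_THIRD_PARTY_NO_IP = {
    "subject": ((("commonName", "ise-admin.example.com"),),),
    "issuer": ((("commonName", "Example Corp Issuing CA"),),),
    "subjectAltName": (("DNS", "ise-admin.example.com"),),
}


def _subject_cns(cert):
    """Collect every commonName from the subject RDN sequence."""
    return [value for rdn in cert.get("subject", ())
            for attr, value in rdn if attr == "commonName"]


def _san_entries(cert):
    """Return SAN entries as (type, value) pairs; IP values are normalized
    so that '010.000.000.005'-style spellings compare equal to '10.0.0.5'."""
    entries = []
    for san_type, value in cert.get("subjectAltName", ()):
        if san_type == "IP Address":
            try:
                value = str(ipaddress.ip_address(value))
            except ValueError:
                pass  # leave an unparsable value as-is; it will simply not match
        entries.append((san_type, value))
    return entries


def check_ise_cert(cert, ise_ip, ise_fqdn, third_party=False, all_ise_ips=()):
    """Evaluate a certificate against the documented prerequisites.

    Returns a dict of check name -> bool:
      identity_present : the ISE IP or FQDN appears in the subject CN or SAN.
      san_has_all_ips  : every address in all_ise_ips is an IP SAN entry
                         (required only for a third-party certificate;
                         reported True for an ISE internal-CA certificate).
    """
    cns = set(_subject_cns(cert))
    sans = _san_entries(cert)
    san_values = {v for _, v in sans}
    ip_norm = str(ipaddress.ip_address(ise_ip))
    identity_present = bool({ise_fqdn, ip_norm} & (cns | san_values))
    if third_party:
        san_ips = {v for t, v in sans if t == "IP Address"}
        san_has_all_ips = all(str(ipaddress.ip_address(ip)) in san_ips
                              for ip in all_ise_ips)
    else:
        san_has_all_ips = True
    return {"identity_present": identity_present, "san_has_all_ips": san_has_all_ips}


def resolve_matches(ise_fqdn, ise_ip):
    """True when the FQDN resolves to the address you ping, i.e. the
    'ping succeeds with both the IP address and hostname' prerequisite
    is testing one and the same node. Needs DNS, so not exercised offline."""
    try:
        resolved = {info[4][0] for info in socket.getaddrinfo(ise_fqdn, None)}
    except socket.gaierror:
        return False
    return str(ipaddress.ip_address(ise_ip)) in resolved


def fetch_peer_cert(host, ca_pem_path, port=443):
    """Fetch the admin-node certificate live (assumed helper, not run here).
    The chain must verify against ca_pem_path, otherwise getpeercert()
    returns an empty dict; hostname checking is disabled only because
    check_ise_cert performs the identity comparison itself."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(check_ise_cert(ISE_CERT_OK, "10.0.0.5", "ise-admin.example.com"))
    print(check_ise_cert(ISE_CERT_THIRD_PARTY_NO_IP, "10.0.0.5", "ise-admin.example.com",
                         third_party=True, all_ise_ips=["10.0.0.5"]))
```

Run the checks before clicking through Authentication and Policy Servers: a False identity_present means the pxGrid client will reject the admin node's certificate regardless of how the approval mode is set, and a False san_has_all_ips on a third-party certificate means the certificate must be reissued before integration, not worked around on the Cisco DNA Center side.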