Cisco ISE Configuration for Cisco DNA Center


If your network uses Cisco ISE for user authentication, you can configure Cisco DNA Center for Cisco ISE integration. This enables you to see more information about wired clients, such as the username and operating system.

Beginning with Cisco DNA Center Release 1.3, Cisco ISE configuration is centralized within NCP (Network Control Platform). This enables you to configure Cisco ISE at one GUI location. The workflow for configuring Cisco ISE is as follows:

  1. Enter the Cisco ISE configuration details in NCP ( > System Settings > Settings > Authentication and Policy Servers).
  2. After the Cisco ISE server is successfully added, NCP establishes a connection with NDP (Network Data Platform) and sends the details of the pxGrid nodes, keystore, and truststore files.
  3. NDP uses the configuration received from NCP to establish a pxGrid session.
  4. NCP automatically detects pxGrid node failovers and persona moves and communicates them to NDP.
  5. If there are ISE deployment changes, NDP starts a new pxGrid session with a new pxGrid ACTIVE node.

Configure Cisco DNA Center for Cisco ISE Integration

Use this procedure to configure Cisco DNA Center for Cisco ISE integration.

Before you begin

  • Enable Cisco ISE pxGrid services.
  • Make sure the CLI and UI user accounts for Cisco ISE have the same username and password.
  • Make sure the Cisco DNA Center version is 1.3 or later.
Note  Cisco DNA Center uses Cisco ISE internal certificate authority (CA)-signed certificates for integration with Assurance. To use a CA-signed certificate:
  • The Cisco DNA Center pxGrid client certificate must have "client authentication" in its extended key usage (EKU) extension.
  • Cisco ISE must be the issuer of the certificate in the truststore.jks file.

Procedure


Step 1 From the Cisco DNA Center home page, choose > System Settings > Data Platform > Collectors. The Collectors window appears.
Step 2 Click COLLECTOR-ISE. The COLLECTOR-ISE window appears. Note  The COLLECTOR-ISE window is in read-only mode.
Step 3 In the Current Configurations tab, click Click to configure. The Authentication and Policy Servers window appears.
Step 4 To configure a Cisco ISE server, see Configure Authentication and Policy Servers. Attention  If a configuration exists for the ISE collector, but Cisco ISE is not successfully configured in the Authentication and Policy Servers window, a banner appears. The banner prompts the Cisco DNA Center administrator to add Cisco ISE configuration in the Authentication and Policy Servers window.
Step 5 (Optional) To anonymize (scramble) personally identifiable data, such as user ID and device host name, do the following:
  a. Click the icon, and then choose System Settings > Settings.
  b. Click Anonymize Data. The Anonymize Data window appears.
  c. Click Enable Anonymization.
Note  Once you enable anonymization, you can search for a device only by non-anonymized information such as its MAC address or IP address. If anonymization was enabled in Cisco DNA Center Release 1.2.10 or earlier, the setting is kept when upgrading to Cisco DNA Center Release 1.3.
Caution  Make sure that you enable anonymization before you run Discovery. If you enable anonymization after you run Discovery, new data coming into the system is anonymized, but the existing data is not.

Configure Authentication and Policy Servers

Cisco DNA Center uses AAA servers for user authentication and Cisco ISE for both user authentication and access control. Use this procedure to configure AAA servers, including Cisco ISE.

Before you begin

  • If you are using Cisco ISE to perform both policy and AAA functions, make sure that Cisco DNA Center and Cisco ISE are integrated, as described in the Cisco Digital Network Architecture Center Installation Guide.
  • If you are using another product (not Cisco ISE) to perform AAA functions, make sure to do the following:
    • Register Cisco DNA Center with the AAA server, including defining the shared secret on both the AAA server and Cisco DNA Center.
    • Define an attribute name for Cisco DNA Center on the AAA server.
    • For a Cisco DNA Center multihost cluster configuration, define all individual host IP addresses and the virtual IP address for the multihost cluster on the AAA server.
  • Before you configure Cisco ISE, confirm that:
    1. You deployed Cisco ISE version 2.3 or later in your network. If you have a multihost Cisco ISE deployment, integrate with the Cisco ISE admin node.
    2. SSH is enabled on the Cisco ISE node.
    3. The pxGrid service is enabled on the Cisco ISE host with which you plan to integrate Cisco DNA Center, and the ERS service is enabled for read/write operations.
    4. The Cisco ISE GUI and Cisco ISE shell username and passwords are the same.
    5. There is no proxy configured between Cisco DNA Center and Cisco ISE. If a proxy server is configured on Cisco ISE, the Cisco DNA Center IP address must bypass that proxy server.
    6. There is no firewall between Cisco DNA Center and Cisco ISE. If there is a firewall, open the communication between Cisco DNA Center and Cisco ISE.
    7. A ping between Cisco DNA Center and Cisco ISE succeeds with both the IP address and hostname.
    8. The Cisco ISE admin node certificate contains the Cisco ISE IP address or FQDN in either the certificate subject name or the SAN.
    9. If a third-party certificate is used, the certificate includes all IP addresses in the SAN field.
    10. The pxGrid approval is set for automatic or manual approval in Cisco ISE to enable the pxGrid connection in Cisco DNA Center.
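Items 8 and 9 above (and the FQDN note in Step 4 of the procedure that follows) can be checked before you touch the GUI. The following Python script is an added example, not Cisco DNA Center or Cisco ISE code. It works on the dict shape that ssl.SSLSocket.getpeercert() returns and reports whether the FQDN you intend to enter, and the ISE IP addresses, are covered by the certificate's CN or SAN. It goes slightly beyond the list: wildcard SAN entries are matched one label deep, and a CN-only match is flagged as a warning because RFC 6125 clients ignore the CN once a SAN is present. The sample certificate, host names and addresses are constructed for illustration; fetch_peer_cert() is the only function that touches the network.

```python
"""Pre-integration check of the Cisco ISE admin-node certificate.

Added example, not Cisco code. Checks the rules the prerequisites list states:
the FQDN you will enter must be covered by the CN or a SAN entry, and a
third-party certificate must carry every ISE IP address in its SAN.
"""
import ipaddress
import socket
import ssl

# Constructed to mimic ssl.getpeercert() output for an ISE admin node (hypothetical values).
SAMPLE_ISE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "ise.cisco.com"),)),
    "subjectAltName": (
        ("DNS", "ise.cisco.com"),
        ("DNS", "*.cisco.com"),
        ("IP Address", "10.10.10.5"),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def fetch_peer_cert(host, port=443, cafile=None):
    """Fetch the ISE admin certificate over TLS (not used by the offline checks).

    getpeercert() returns an empty dict unless the chain validated, so pass the
    CA that issued the ISE certificate (the ISE internal CA export, or the
    third-party CA) as cafile. Name matching is done by check_ise_certificate.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """Return (common names, SAN DNS names, SAN IP addresses) from a getpeercert() dict."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    return cns, dns, ips


def name_matches(pattern, fqdn):
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    a single leading '*.' wildcard matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        first_label, _, rest = fqdn.partition(".")
        return bool(first_label) and rest == pattern[2:]
    return False


def check_ise_certificate(cert, fqdn, ip_addresses=(), third_party=False):
    """Return a list of findings; an empty list means the certificate satisfies
    the prerequisites for the FQDN and addresses you plan to enter.
    Entries prefixed 'warning:' do not violate the page's rules but will bite elsewhere."""
    findings = []
    cns, dns_sans, ip_sans = cert_names(cert)

    if any(name_matches(n, fqdn) for n in dns_sans):
        pass
    elif any(name_matches(n, fqdn) for n in cns):
        if dns_sans or ip_sans:
            # CN or SAN is accepted here, but RFC 6125 clients ignore the CN
            # whenever the certificate carries a SAN extension.
            findings.append(f"warning: {fqdn} appears only in the CN but the "
                            "certificate has a SAN; add it as a SAN DNS entry")
    else:
        findings.append(f"{fqdn} is not in the CN ({', '.join(cns) or 'none'}) "
                        f"or SAN ({', '.join(dns_sans + ip_sans) or 'none'})")

    wanted = {ipaddress.ip_address(a) for a in ip_addresses}
    present = {ipaddress.ip_address(a) for a in ip_sans}
    missing = sorted(wanted - present, key=str)
    if third_party and missing:
        findings.append("third-party certificate is missing SAN IP entries for: "
                        + ", ".join(map(str, missing)))
    return findings


if __name__ == "__main__":
    for name in ("ise.cisco.com", "psn1.cisco.com", "ise.example.net"):
        print(name, check_ise_certificate(SAMPLE_ISE_CERT, name, ["10.10.10.5"]) or "OK")
```

To check a live node, call fetch_peer_cert("ise.cisco.com", cafile="ise-ca.pem") and pass the result to check_ise_certificate together with the FQDN and the IP addresses you will enter. The pxGrid client certificate EKU requirement from the Note above is not visible in the getpeercert() dict; inspect that file with openssl x509 -in client.pem -noout -ext extendedKeyUsage (OpenSSL 1.1.1 or later) and confirm "TLS Web Client Authentication" is listed.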

Procedure


Step 1 From the Cisco DNA Center home page, choose > System Settings > Settings > Authentication and Policy Servers.
Step 2 Click .
Step 3 Configure the primary AAA server by providing the following information:
  • Server IP Address: IP address of the AAA server.
  • Shared Secret: Key used for device authentication with the AAA server. The shared secret can be up to 128 characters in length.
Step 4 To configure a AAA server (not Cisco ISE), leave the Cisco ISE Server toggle set to Off and proceed to the next step. To configure a Cisco ISE server, set the Cisco ISE Server toggle to On and enter information in the following fields:
  • Cisco ISE: Setting that indicates whether the server is a Cisco ISE server. Click the Cisco ISE toggle to enable Cisco ISE.
  • Username: Name that is used to log into the Cisco ISE CLI. Note  This user must be a Super Admin.
  • Password: Password for the Cisco ISE CLI username.
  • FQDN: Fully qualified domain name (FQDN) of the Cisco ISE server. Note  We recommend that you copy the FQDN that is defined in Cisco ISE (Administration > Deployment > Deployment Nodes > List) and paste it directly into this field. The FQDN that you enter must match the FQDN, Common Name (CN), or Subject Alternative Name (SAN) defined in the Cisco ISE certificate. The FQDN consists of two parts, a hostname and the domain name, in the format hostname.domainname.com; for example, the FQDN for a Cisco ISE server can be ise.cisco.com.
  • Subscriber Name: Unique text string that identifies a pxGrid client registering for Cisco ISE pxGrid services; for example, acme. The subscriber name is used during Cisco DNA Center-to-Cisco ISE integration.
  • SSH Key: Diffie-Hellman-Group14-SHA1 SSH key used to connect and authenticate with Cisco ISE.
  • Virtual IP Address(es): Virtual IP address of the load balancer behind which the Cisco ISE policy service nodes (PSNs) are located. If you have multiple PSN farms behind different load balancers, you can enter a maximum of six virtual IP addresses.
Note  If the status of the configured ISE server is "FAILED" due to a password change, click Retry and update the password to re-sync the ISE connectivity.
Step 5 Click View Advanced Settings and configure the settings:
  • Protocol: TACACS and RADIUS. RADIUS is the default. You can select both protocols. Attention  If you do not choose TACACS for a Cisco ISE server, TACACS will not be available when you configure Cisco ISE nodes.
  • Authentication Port: Port used to relay authentication messages to the AAA server. The default is UDP port 1812.
  • Accounting Port: Port used to relay important events to the AAA server. The information in these events is used for security and billing purposes. The default is UDP port 1813.
  • Port: Port used by TACACS. The default is TCP port 49.
  • Retries: Number of times that Cisco DNA Center attempts to connect with the AAA server before abandoning the attempt to connect. The default number of attempts is 3.
  • Timeout: Length of time the device waits for the AAA server to respond before abandoning the attempt to connect. The default timeout is 4 seconds.
Step 6 Click Add.
Step 7 To add a secondary server, repeat Step 2 through Step 6.
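The Shared Secret, Authentication Port, Retries and Timeout values entered in Steps 3 and 5 are the parameters of a RADIUS exchange, and it is worth knowing what the secret actually protects before you trust the "success" status in the GUI. The Python below is an added example, not Cisco code: it builds an Access-Request the way RFC 2865 and RFC 2869 describe (the secret keys the User-Password hiding and the Message-Authenticator HMAC), checks a reply's Response Authenticator against the same secret, and probe_radius() sends one request with the page's default retry and timeout semantics. The secret, user name, NAS identifier and host used below are constructed; only probe_radius() touches the network.

```python
"""RADIUS Access-Request/response handling with the configured shared secret.

Added example, not Cisco DNA Center or Cisco ISE code. RFC 2865 / RFC 2869.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 32, 80


def _attr(atype, value):
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header too."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet):
    """Return {type: value} for the attributes that follow the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def encrypt_user_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block),
    seeded with the Request Authenticator. A password is at most 128 bytes."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_user_password(cipher, secret, authenticator):
    """Server side of the above; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = cipher[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")


def _zero_message_authenticator(packet):
    """Copy of the packet with the Message-Authenticator value zeroed (HMAC input)."""
    buf, pos = bytearray(packet), 20
    while pos + 2 <= len(buf):
        atype, alen = buf[pos], buf[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            buf[pos + 2:pos + 18] = b"\x00" * 16
        pos += max(alen, 2)
    return bytes(buf)


def build_access_request(secret, username, password, nas_id=b"dnac", ident=0, authenticator=None):
    """Access-Request with a Message-Authenticator (RFC 2869 5.14) as the last attribute."""
    ra = authenticator or os.urandom(16)  # must be unpredictable: it seeds the password hiding
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, encrypt_user_password(password, secret, ra))
             + _attr(NAS_IDENTIFIER, nas_id)
             + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def verify_message_authenticator(packet, secret):
    """What ISE does first: a wrong secret fails here and the request is silently dropped."""
    mac = parse_attributes(packet).get(MESSAGE_AUTHENTICATOR)
    if mac is None or len(mac) != 16:
        return False
    expected = hmac.new(secret, _zero_message_authenticator(packet), hashlib.md5).digest()
    return hmac.compare_digest(expected, mac)


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(code|id|len|RequestAuth|attrs|secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """Client side: accept only replies bound to our request and our secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if int.from_bytes(response[2:4], "big") != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def probe_radius(host, secret, username, password, port=1812, retries=3, timeout=4.0):
    """Send one Access-Request with the GUI's retry/timeout semantics (defaults 3 and 4 s).
    Returns the reply code (2 accept, 3 reject) or None when nothing verifiable came back,
    which is also what a wrong shared secret looks like: the server discards the request."""
    request = build_access_request(secret, username, password, ident=os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries):
            sock.sendto(request, (host, port))
            try:
                reply, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            if verify_response(reply, request, secret):
                return reply[0]
    return None
```

Run probe_radius("ise.cisco.com", b"<shared secret>", b"testuser", b"testpass") from the Cisco DNA Center host before adding the server: an Access-Reject (3) proves reachability and a matching secret, whereas None after three 4-second waits means either a blocked UDP 1812 path (prerequisite 6) or a secret mismatch, and the two look identical from the client side. The password hiding is a 1990s MD5 keystream, so the shared secret is the only thing standing between a packet capture and the credentials; use the full 128-character allowance and keep the DNA Center to ISE path off untrusted segments.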