Cisco Catalyst Center Third-Generation Appliance Installation Guide, Release 3.1.x


Configure authentication and policy servers


Overview

Instructions to configure AAA server and Cisco ISE for Catalyst Center.

Catalyst Center uses AAA servers for user authentication and Cisco ISE for both user authentication and access control. Use this procedure to configure AAA servers, including Cisco ISE.

Before you begin

  • If you are using Cisco ISE to do both policy and AAA functions, make sure that Catalyst Center and Cisco ISE are integrated.

  • If FIPS mode is enabled for Catalyst Center, ensure that you enable KeyWrap when integrating Catalyst Center and Cisco ISE. See Step 2e in Integrate Cisco ISE with Catalyst Center.

    Note

    You cannot enable KeyWrap if Catalyst Center and Cisco ISE have already been integrated. To enable this feature, you need to delete Cisco ISE and then reintegrate it with Catalyst Center.

  • If you are using another product (not Cisco ISE) to do AAA functions, make sure to do these tasks:

    • Register Catalyst Center with the AAA server, including defining the shared secret on both the AAA server and Catalyst Center.

    • Define an attribute name for Catalyst Center on the AAA server.

    • For a Catalyst Center multihost cluster configuration, define all individual host IP addresses and the virtual IP address for the multihost cluster on the AAA server.

  • Before you configure Cisco ISE, confirm that:

    • You have deployed Cisco ISE on your network. For information on supported Cisco ISE versions, see the Catalyst Center Compatibility Matrix. For information on installing Cisco ISE, see the Cisco Identity Services Engine Install and Upgrade guides.

    • If you have a standalone ISE deployment, you must integrate Catalyst Center with the Cisco ISE node and enable the pxGrid service and External RESTful Services (ERS) on that node.

      Note

      Although pxGrid 2.0 allows up to four pxGrid nodes in the Cisco ISE deployment, Catalyst Center releases earlier than 2.2.1.x do not support more than two pxGrid nodes.

    • If you have a distributed Cisco ISE deployment:

      • You must integrate Catalyst Center with the primary policy administration node (PAN), and enable ERS on the PAN.

        Note

        We recommend that you use ERS through the PAN. However, for backup, you can enable ERS on the PSNs.

      • You must enable the pxGrid service on one of the Cisco ISE nodes within the distributed deployment. This can be the PAN, but it does not have to be; any Cisco ISE node in the distributed deployment can host pxGrid.

      • The PSNs that you configure in Cisco ISE to handle TrustSec or SD Access content and PACs must also be defined in Work Centers > Trustsec > Trustsec Servers > Trustsec AAA Servers. For more information, see the Cisco Identity Services Engine Administrator Guide.

    • You must enable communication between Catalyst Center and Cisco ISE on these TCP ports: 443 (Cisco ISE admin and REST API), 5222 (pxGrid 1.0, XMPP), 8910 (pxGrid 2.0, WebSocket), and 9060 (ERS).

    • The Cisco ISE host on which pxGrid is enabled must be reachable from Catalyst Center on the IP address of the Cisco ISE eth0 interface.

    • The Cisco ISE node can reach the fabric underlay network via the appliance's NIC.

    • The Cisco ISE admin node certificate must contain the Cisco ISE IP address or FQDN in either the certificate subject name or the Subject Alternative Name (SAN).

    • The Catalyst Center system certificate must list both the Catalyst Center appliance IP address and FQDN in the SAN field.

      Note

      For Cisco ISE 2.4 Patch 13, 2.6 Patch 7, and 2.7 Patch 3, if you are using the Cisco ISE default self-signed certificate as the pxGrid certificate, Cisco ISE might reject that certificate after those patches are applied. Older versions of that certificate carry a Netscape Cert Type extension set to SSL Server only, so the certificate now fails when it is presented as a client certificate (pxGrid requires client authentication).

      This issue does not occur in Cisco ISE 3.0 and later. For more information, see the Cisco ISE Release Notes.

Procedure

1.

From the main menu, choose System > Settings > External Services > Authentication and Policy Servers.

2.

From the Add drop-down list, select AAA or ISE.

3.

To configure the primary AAA server, enter this information:

  • Server IP Address: IP address of the AAA server.

  • Shared Secret: Key for device authentications. The shared secret can contain up to 100 characters.

4.

To configure a Cisco ISE server, enter these details:

  • Server IP Address: IP address of the ISE server.

  • Shared Secret: Key for device authentications.

  • Username: Username that is used to log in to the Cisco ISE CLI.

    Note

    This user must be a Super Admin.

  • Password: Password for the Cisco ISE CLI username.

  • FQDN: Fully qualified domain name (FQDN) of the Cisco ISE server.

    Note
    • We recommend that you copy the FQDN that is defined in Cisco ISE (Administration > Deployment > Deployment Nodes > List) and paste it directly into this field.

    • The FQDN that you enter must match the FQDN, Common Name (CN), or Subject Alternative Name (SAN) defined in the Cisco ISE certificate.

    The FQDN consists of two parts, a hostname and the domain name, in this format:

    hostname.domainname.com

    For example, the FQDN for a Cisco ISE server can be ise.cisco.com.

  • Virtual IP Address(es): Virtual IP address of the load balancer behind which the Cisco ISE policy service nodes (PSNs) are located. If you have multiple PSN farms behind different load balancers, you can enter a maximum of six virtual IP addresses.
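Two of the prerequisites above are easy to get wrong and only surface as a "FAILED" status after you click Add: reachability of the Cisco ISE node on TCP 443, 5222, 8910 and 9060, and the rule that the value entered in the FQDN field must appear in the Cisco ISE certificate's CN or SAN. The script below is an added pre-flight example, not Cisco code and not part of this guide. It performs both checks from the Catalyst Center side using only the Python standard library; the certificate layout is the one `ssl.SSLSocket.getpeercert()` returns, `SAMPLE_CERT` is constructed for the offline demo, and `ise.example.com`, `10.0.0.5` and the file name `ise_preflight.py` are placeholders. It does not inspect the EKU of the Catalyst Center certificate (needed when you use it as the pxGrid client certificate); check that separately with `openssl x509 -noout -text`.

```python
"""Pre-flight checks for a Catalyst Center to Cisco ISE integration.

Added example, not Cisco code: it re-implements two prerequisites from this
page so they can be verified before clicking Add:

  1. TCP reachability of the Cisco ISE node (the pxGrid node's eth0 address)
     on the ports the page lists: 443, 5222, 8910 and 9060.
  2. That the value you will type into the FQDN field (or the node's IP
     address) appears in the ISE certificate's Subject CN or SAN.

The certificate dict layout is the one ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT is constructed for the demo, not a real ISE certificate;
"ise.example.com" and the addresses are placeholders.
"""
import socket
import ssl
import sys
from ipaddress import ip_address

# Port -> role, as listed on this page (TCP in all four cases).
ISE_PORTS = {
    443: "ISE admin / REST API",
    5222: "pxGrid 1.0 (XMPP)",
    8910: "pxGrid 2.0 (WebSocket)",
    9060: "ERS",
}

# Constructed sample in getpeercert() layout: CN plus DNS and IP SAN entries.
SAMPLE_CERT = {
    "subject": ((("commonName", "ise.example.com"),),),
    "subjectAltName": (("DNS", "ise.example.com"), ("IP Address", "10.0.0.5")),
}


def check_ports(host, ports=ISE_PORTS, timeout=3.0):
    """Attempt a TCP connect to each port; return {port: reachable}."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:  # refused, timed out, unroutable or DNS failure
            results[port] = False
    return results


def _normalize(name):
    """Canonical form for comparison: IPs via ipaddress, DNS names lowercased."""
    try:
        return str(ip_address(name))
    except ValueError:
        return name.lower().rstrip(".")


def cert_names(cert):
    """Names the certificate is valid for: Subject CN plus DNS and IP SAN entries."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(_normalize(value))
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            names.add(_normalize(value))
    return names


def cert_covers(cert, name):
    """True if the FQDN or IP address you intend to enter is in the CN or SAN."""
    return _normalize(name) in cert_names(cert)


def fetch_peer_cert(host, cafile, port=443, timeout=5.0):
    """Fetch the certificate the ISE node presents, validating the chain against
    cafile (the CA that issued the ISE admin certificate). Hostname checking is
    disabled only so that a name mismatch is reported by cert_covers() instead
    of aborting the handshake; chain validation (CERT_REQUIRED) stays on."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def loopback_listener():
    """Ephemeral listener on 127.0.0.1, used by the offline demo below."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # Usage: python ise_preflight.py <ise-host> <fqdn-to-enter> [ca.pem]
        host, fqdn = sys.argv[1], sys.argv[2]
        for port, ok in check_ports(host).items():
            print(f"{host}:{port} ({ISE_PORTS[port]}): {'open' if ok else 'BLOCKED'}")
        if len(sys.argv) > 3:
            cert = fetch_peer_cert(host, sys.argv[3])
            print("certificate names:", sorted(cert_names(cert)))
            print("FQDN covered:", cert_covers(cert, fqdn))
    else:
        # Offline demo with the constructed sample data.
        srv = loopback_listener()
        print("loopback port check:", check_ports("127.0.0.1", {srv.getsockname()[1]: "demo"}))
        srv.close()
        print("covers ise.example.com:", cert_covers(SAMPLE_CERT, "ise.example.com"))
        print("covers 10.0.0.5:", cert_covers(SAMPLE_CERT, "10.0.0.5"))
        print("covers ise.example.org:", cert_covers(SAMPLE_CERT, "ise.example.org"))
```

Run it as `python ise_preflight.py <ise-host> <fqdn> ise-ca.pem` from a host on the Catalyst Center management network; a port reported as BLOCKED or an FQDN reported as not covered will reproduce as a failed integration, so fix the firewall rule or re-issue the Cisco ISE certificate with the missing SAN entry before proceeding. With no arguments it runs offline against the constructed sample certificate and a loopback listener.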

5.

Click Advanced Settings and configure the settings:

  • Connect to pxGrid: Check this check box to enable a pxGrid connection.

    If you want to use the Catalyst Center system certificate as the pxGrid client certificate (sent to Cisco ISE to authenticate the Catalyst Center system as a pxGrid client), check the Use Catalyst Center Certificate for pxGrid check box. Use this option when your environment requires all certificates to be issued by the same CA. If this option is disabled, Catalyst Center sends a request to Cisco ISE to generate a pxGrid client certificate for the system to use.

    When you enable this option, ensure that:

    • The Catalyst Center certificate is generated by the same Certificate Authority (CA) as is in use by Cisco ISE (otherwise, the pxGrid authentication fails).

    • The Certificate Extended Key Use (EKU) field includes "Client Authentication."

  • Protocol: RADIUS (the default) and TACACS. You can select both protocols.

    If you do not enable TACACS for a Cisco ISE server here, you cannot configure that Cisco ISE server as a TACACS server under Design > Network Settings > Network when you configure a AAA server for network device authentication.

  • Authentication Port: Port used to relay authentication messages to the AAA server. The default UDP port is 1812.

  • Accounting Port: Port used to relay accounting messages to the AAA server. The default UDP port is 1813.

  • Port: Port used for TACACS. The default is TCP port 49.

  • Retries: Number of times that Catalyst Center attempts to connect with the AAA server before abandoning the attempt to connect. The default number of attempts is 3.

  • Timeout: The time that Catalyst Center waits for the AAA server to respond before abandoning the attempt to connect. The default timeout is 4 seconds.

Note

After the required information is provided, Cisco ISE is integrated with Catalyst Center in two phases. It takes several minutes for the integration to complete. The phase-wise integration status is shown in the Authentication and Policy Servers window and System 360 window:

Cisco ISE server registration phase:

  • Authentication and Policy Servers window: "In Progress"

  • System 360 window: "Primary Available"

pxGrid subscriptions registration phase:

  • Authentication and Policy Servers window: "Active"

  • System 360 window: "Primary Available" and "pxGrid Available"

If the status of the configured Cisco ISE server is shown as "FAILED" due to a password change, click Retry, and update the password to resynchronize the Cisco ISE connectivity.

6.

Click Add.

7.

To add a secondary server, repeat the preceding steps.