Cisco Catalyst Center Third-Generation Appliance Installation Guide, Release 3.1.x

PDF

Integrate Cisco ISE with Catalyst Center

Updated: April 3, 2026

Want to summarize with AI?

Log in

Overview

Explains how to integrate Cisco ISE and Catalyst Center.

Catalyst Center provides a mechanism to create a trusted communications link with Cisco ISE and to share data with Cisco ISE in a secure manner. After Cisco ISE is registered with Catalyst Center, any device that Catalyst Center discovers, along with relevant configuration and other data, is pushed to Cisco ISE. You can use Catalyst Center to discover devices and then apply both Catalyst Center and Cisco ISE functions to them because these devices will be displayed in both the applications. Catalyst Center and Cisco ISE devices are all uniquely identified by their device names.

As soon as the devices are provisioned and assigned to a particular site in the Catalyst Center site hierarchy, Catalyst Center devices are pushed to Cisco ISE. Any updates to a Catalyst Center device (such as changes to IP address, SNMP or CLI credentials, Cisco ISE shared secret, and so on) will be sent to the corresponding device instance on ISE automatically.

Note

Catalyst Center devices are pushed to Cisco ISE only when these devices are associated with a particular site where Cisco ISE is configured as its AAA server.

Before you begin

Before attempting to integrate Cisco ISE with Catalyst Center, ensure that you have met these prerequisites:

  • You have deployed one or more Cisco ISE hosts on your network. For information on supported Cisco ISE versions, see the Catalyst Center Compatibility Matrix. For information on installing Cisco ISE, see the Cisco Identity Services Engine Install and Upgrade guides.

  • If you have a standalone Cisco ISE deployment, you must integrate Catalyst Center with the Cisco ISE node and enable the pxGrid service and External RESTful Services (ERS) on that node.

    Note

    Although pxGrid 2.0 allows up to four pxGrid nodes in the Cisco ISE deployment, Catalyst Center releases earlier than 2.2.1.x do not support more than two pxGrid nodes.

  • If you have a distributed Cisco ISE deployment:

    • You must integrate Catalyst Center with the primary policy administration node (PAN), and enable ERS on the PAN.

      Note

      We recommend that you use ERS through the PAN. However, for backup, you can enable ERS on the PSNs.

    • You must enable the pxGrid service on one of the Cisco ISE nodes within the distributed deployment. Although you can decide to do so, you do not have to enable pxGrid on the PAN. You can enable pxGrid on any Cisco ISE node in your distributed deployment.

    • The PSNs that you configure in Cisco ISE to handle TrustSec or SD Access content and PACs must also be defined in Work Centers > Trustsec > Trustsec Servers > Trustsec AAA Servers. For more information, see the Cisco Identity Services Engine Administrator Guide.

  • Only a user with Super Admin role permissions can integrate Cisco ISE with Catalyst Center.

  • Catalyst Center does not support ERS API access if the Use CSRF Check for Enhanced Security option is enabled in Cisco ISE.

  • You must enable communication between Catalyst Center and Cisco ISE on these ports: 443, 5222, 8910, and 9060.

  • The Cisco ISE host on which pxGrid is enabled must be reachable from Catalyst Center on the IP address of the Cisco ISE eth0 interface.

  • The Cisco ISE node can reach the fabric underlay network via the appliance's NIC.

  • Catalyst Center will check the certificate revocation status if Online Certificate Status Protocol (OCSP) or certificate revocation list (CRL) validation is defined for the certificates used by the Cisco ISE services.

  • The Cisco ISE admin node certificate must contain the Cisco ISE IP address or FQDN in either the certificate subject name or the Subject Alternative Name (SAN).

  • Your ability to use an FQDN-only system certificate depends on whether LAN automation is enabled in your Catalyst Center deployment. For more information, see the alt_names section bullet in Step 3 of the Catalyst Center Security Best Practices Guide's "Generate a Certificate Request Using Open SSL" topic.

    Note

    For Cisco ISE 2.4 Patch 13, 2.6 Patch 7, and 2.7 Patch 3, if you are using the Cisco ISE default self-signed certificate as the pxGrid certificate, Cisco ISE might reject that certificate after applying those patches. This is because the older versions of that certificate have the Netscape Cert Type extension specified as the SSL server, which now fails (because a client certificate is required).

    This issue does not occur in Cisco ISE 3.0 and later. For more information, see the Cisco ISE Release Notes.

For more information about configuring Cisco ISE for Catalyst Center, see the "Integration with Catalyst Center" topic in the Cisco Identity Services Engine Administrator Guide.

Procedure

1.

Enable the pxGrid service and ERS on Cisco ISE:

  1. Log in to the primary policy administration node.

  2. In the Cisco ISE GUI, click the menu icon and choose Administration > System > Deployment.

    The Deployment Nodes window appears.

  3. Click the hostname of the Cisco ISE node on which you want to enable the pxGrid service. In a distributed deployment, this can be any Cisco ISE node in the deployment.

    The Edit Node window appears.

  4. In the General Settings tab, check the pxGrid check box, and click Save.

  5. In the Cisco ISE GUI, click the menu icon and choose Administration > System > Settings.

  6. From the left navigation pane, choose API Settings > API Service Settings.

  7. Enable ERS (Read/Write) and click OK.

  8. Click Save.
2.

Add the Cisco ISE node to Catalyst Center as a AAA server:

  1. Log in to the Catalyst Center GUI.

  2. From the main menu, choose System > System 360.

  3. In the Identity Services Engine (ISE) pane, click the Configure link.

  4. From the Authentication and Policy Servers window, click Add and select ISE from the drop-down list.

  5. Enter these details in the Add ISE server slide-in pane:

    • In the Server IP Address field, enter the IP address of the Cisco ISE server.

    • Enter the Shared Secret used to secure communications between your network devices and Cisco ISE.

    • In the Username and Password fields, enter the corresponding Cisco ISE admin credentials.

    • Enter the FQDN for the Cisco ISE node.

    • (Optional) Enter the virtual IP address of the load balancer behind which the Cisco ISE PSNs are located. If you have multiple policy service node farms behind different load balancers, you can enter a maximum of six virtual IP addresses.

    • Connect to pxGrid: Check this check box under Advanced Settings to enable pxGrid connection.

      If you want to use the Catalyst Center system certificate as the pxGrid client certificate (sent to ISE to authenticate the Catalyst Center system as a pxGrid client), check the Use Catalyst Center Certificate for pxGrid check box. You can use this option if all the certificates that are used in your operating environments must be generated by the same Certificate Authority (CA). If this option is disabled, Catalyst Center will send a request to Cisco ISE to generate a pxGrid client certificate for the system to use.

      When you enable this option, ensure that:

      • The Catalyst Center certificate is generated by the same CA as is in use by Cisco ISE (otherwise the pxGrid authentication will fail).

      • The Certificate Extended Key Use (EKU) field includes “Client Authentication”.

      • In the Advanced Settings area:

        • You can select the protocol that must be used by checking the check box for RADIUS or TACACS

        • Enter the required values in these fields: Authentication Port, Accounting Port, Retries, and (Timeout seconds).

      Note

      This option is available only if third-party certificates are used by Catalyst Center. If Catalyst Center uses the default self-signed system certificate, this option is disabled.

  6. Click Add.

When the integration with Cisco ISE is initiated, you will see a notification that the certificate from Cisco ISE is not yet trusted. You can view the certificate to see the details.

Click Accept to trust the certificate and continue with the integration process, or select Decline if you do not wish to trust the certificate and terminate the integration process.

After the integration completes successfully, a confirmation message is displayed.

If there is any issue in the integration process, an error message is displayed. An option to edit or retry is displayed where applicable.

  • If the error message says that the Cisco ISE Admin credentials are invalid, click Edit and re-enter the correct information.

  • If errors are found with certificates in the integration process, you must delete the Cisco ISE server entry and restart the integration from the beginning after the certificate issue has been resolved.
3.

Verify that Catalyst Center is connected to Cisco ISE, and that the Cisco ISE SGT groups and devices are pushed to Catalyst Center:

  1. Log in to the Catalyst Center GUI.

  2. From the main menu, choose System > System 360.

  3. In the Identity Services Engine (ISE) pane, verify that the status of all listed ISE servers is displayed as Available or Configured.

  4. In the Identity Services Engine (ISE) pane, click the Update link.

  5. From the Authentication and Policy Servers window, verify that the status of the Cisco ISE AAA server is still Active.
4.

Verify that Cisco ISE is connected to Catalyst Center and that the connection has subscribers:

  1. Log in to the Cisco ISE nodes that are shown as pxGrid servers in the Identity Services Engine (ISE) pane.

  2. Choose Administration > pxGrid Services and click the Web Clients tab.

    You should see the pxGrid clients in the list with the IP address of the Catalyst Center server.

Group-Based Access Control: policy data migration and synchronization

When you start using Catalyst Center

In earlier releases of Catalyst Center, the Group-Based Access Control policy function stored some policy Access Contracts and Policies locally in Catalyst Center. Catalyst Center also propagated that data to Cisco ISE. Cisco ISE provides the runtime policy services to the network, which includes group-based access control policy downloads to the network devices. Usually, the policy information in Catalyst Center matches the policy information in Cisco ISE. But it is possible that the data is not in sync; the data may not be consistent. Because of this, after installing or upgrading to Catalyst Center, these steps are necessary before you can use the Group-Based Access Control capabilities.

  • Integrate Cisco ISE with Catalyst Center, if it is not already integrated.

  • Upgrade Cisco ISE, if the version is not the minimum required. See the Catalyst Center Release Notes for the required versions of Cisco ISE.

  • Do Policy Migration and Synchronization.

What is “migration and synchronization”?

Catalyst Center reads all the Group-Based Access Control policy data in the integrated Cisco ISE and compares that data with the policy data in Catalyst Center. If you upgraded from an earlier version, existing policy data is retained. You must synchronize the policies before you can manage Group-Based Access Control Policy in Catalyst Center.

How does migration and synchronization work?

Usually, the policy data in Cisco ISE and in Catalyst Center is consistent, so no special handling or conversion of data is necessary. Sometimes, when there are minor discrepancies or inconsistencies, only some of the data is converted during the migration. If there is a conflict, the data in Cisco ISE is given precedence, so as not to introduce changes in policy behavior in the network. This list describes the actions taken during migration:

  • Security Groups: The Security Group Tag (SGT), which is a numeric value, uniquely identifies a Security Group. Cisco ISE Security Groups are compared to Security Groups in Catalyst Center.

    • When the Name and SGT value are the same, nothing is changed. The information in Catalyst Center is consistent with Cisco ISE and does not need to be changed.

    • When a Cisco ISE Security Group SGT value does not exist in Catalyst Center, a new Security Group is created in Catalyst Center. The new Security Group is given the default association of “Default_VN.”

    • When a Cisco ISE Security Group SGT value exists in Catalyst Center, but the names do not match, the name from Cisco ISE Security Group replaces the name of that Security Group in Catalyst Center.

    • When the Cisco ISE Security Group Name is the same, but the SGT value is different, the Security Group from Cisco ISE is migrated. It retains the name and tag value, and the Catalyst Center Security Group is renamed. A suffix of “_DNA” is added.

Contracts

All the SGACLs in Cisco ISE that are referenced by policies are compared to Contracts in Catalyst Center.

  • When the SGACL and Contract have the same name and content, there is no need for further action. The information in Catalyst Center is consistent with Cisco ISE and does not need to be changed.

    • When the SGACL and Contract have the same name, but the content is different, the SGACL content from Cisco ISE is migrated. The previous Contract content in Catalyst Center is discarded.

When the SGACL name does not exist in Catalyst Center, a new Contract with that name is created, and the SGACL content from Cisco ISE is migrated.

Note

When creating new Access Contracts based on Cisco ISE SGACL content, Catalyst Center parses the text command lines, and, where possible, renders these SGACL commands as a modeled Access Contract. Each ACE line renders as an “Advanced” application line. If a Cisco ISE SGACL contains text that cannot be parsed successfully, the text content of the SGACL is not converted into modeled format. It is stored as raw command line text. These SGACL text contracts may be edited, but no parsing or syntax checking of the text content is done during migration.

Policies

A Policy is uniquely identified by a source group-destination group pair. All Cisco ISE TrustSec Egress Policy Matrix policies are compared to the policies in Catalyst Center.

  • When a policy for a source group-destination group references the same SGACL/Contract name in Cisco ISE, no changes are made.

  • When a policy for a source group-destination group references a different SGACL/Contract name in Cisco ISE, the Cisco ISE Contract name is referenced in the policy. This overwrites the previous Contract reference in Catalyst Center.

  • The Cisco ISE default policy is checked and migrated to Catalyst Center.

Note

Catalyst Center supports a single contract in access policies. Cisco ISE has an option to use multiple SGACLs in access policies, but this option is not enabled by default in Cisco ISE, and in general is not widely used. Existing SDA customers who have been using the previous release of Catalyst Center to manage Group-Based Access Control policy did not use this option.

If you enabled the option to allow multiple SGACLs on Cisco ISE and used this when creating policies, those policies cannot be migrated to Catalyst Center in this release. The specific policy features that make use of the “multiple SGACL” option and cannot be migrated are:

  • Multiple SGACLs in a policy.

  • Policy Level catch-all rules set to “Permit” or “Deny.” Only the value of “None” is currently supported for migration to Catalyst Center.

  • Default Policy set to use a customer-created SGACL, but only the standard values of “Permit IP,” “Permit_IP_Log,” “Deny IP,” and “Deny_IP_Log” are currently supported for migration to Catalyst Center.

If any of the preceding SGACLs are detected during the policy migration and synchronization operation, a notification is generated, and you must select between these options to continue:

  • Manage Group-Based Access Control policy in Catalyst Center: If this option is selected, all management of Group-Based Access Control Policy is done in Catalyst Center. The user interface screens in Cisco ISE for management of Cisco ISE Security Groups, SGACLs, and Egress Policies are available in Read-Only mode. If there were any issues migrating policies (due to use of multiple SGACLs in Cisco ISE), those policies have no contract selected in Catalyst Center. The policy uses the default policy, and you can select a new contract for those policies after completing the migration. If there was an problem migrating the default policy, the default policy is set to "Permit."

  • Manage Group-Based Access Control Policy in Cisco ISE: If this option is selected, Catalyst Center Group-Based Access Control policy management is inactive. No changes are made to Cisco ISE and there is no effect on policy enforcement in the network. Group-Based Access Control policy is managed in Cisco ISE at the TrustSec workcenter.

  • Manage Group-Based Access Control policy in both Catalyst Center and Cisco ISE: This option is not recommended for general use, because policy changes made in Cisco ISE are not synchronized with Catalyst Center. The two systems cannot be kept in sync. This option is intended as a short-term or interim option, and should only be considered when you enabled the “Allow Multiple SGACLs” option in Cisco ISE. Use this option if you need more time and flexibility updating Cisco ISE.