Cisco ISE has three use cases with Cisco DNA Center:
Cisco ISE can be used as a AAA (pronounced "triple A") server for user, device, and client authentication. If you are not using access
control policies, or are not using Cisco ISE as a AAA server for device authentication, you do not have to install and configure Cisco ISE.
Access control policies use Cisco ISE to enforce access control. Before you create and use access control policies, integrate Cisco DNA Center and Cisco ISE. The process involves installing and configuring Cisco ISE with specific services, and configuring Cisco ISE settings in Cisco DNA Center. For more information about installing and configuring Cisco ISE with Cisco DNA Center, see the Cisco DNA Center Installation Guide.
If your network uses Cisco ISE for user authentication, configure Assurance for Cisco ISE integration. This integration lets you see more information about wired clients, such as the username and operating system,
in Assurance. For more information, see "About Cisco ISE Configuration for Cisco DNA Center" in the Cisco DNA Assurance User Guide.
After Cisco ISE is successfully registered and its trust established with Cisco DNA Center, Cisco DNA Center shares information with Cisco ISE. Cisco DNA Center devices that are assigned to a site that is configured with Cisco ISE as its AAA server have their inventory data propagated to Cisco ISE. Additionally, any updates on these Cisco DNA Center devices (for example, device credentials) in Cisco DNA Center also updates Cisco ISE with the changes.
If a Cisco DNA Center device associated to a site with Cisco ISE as its AAA server is not propagated to Cisco ISE as expected, Cisco DNA Center automatically retries after waiting for a specific time interval. This subsequent attempt occurs when the initial Cisco DNA Center device push to Cisco ISE fails due to any networking issue, Cisco ISE downtime, or any other auto correctable errors. Cisco DNA Center attempts to establish eventual consistency with Cisco ISE by retrying to add the device or update its data to Cisco ISE. However, a retry is not attempted if the failure to propagate the device or device data to Cisco ISE is due to a rejection from Cisco ISE itself, as a input validation error.
If you change the RADIUS shared secret for Cisco ISE, Cisco ISE does not update Cisco DNA Center with the changes. To update the shared secret in Cisco DNA Center to match Cisco ISE, edit the AAA server with the new password. Cisco DNA Center downloads the new certificate from Cisco ISE, and updates Cisco DNA Center.
Cisco ISE does not share existing device information with Cisco DNA Center. The only way for Cisco DNA Center to know about the devices in Cisco ISE is if the devices have the same name in Cisco DNA Center; Cisco DNA Center and Cisco ISE uniquely identify devices for this integration through the device's hostname variable.
The process that propagates Cisco DNA Center inventory devices to Cisco ISE and updates the changes to it are all captured in the Cisco DNA Center audit logs. If there are any issues in the Cisco DNA Center-to-Cisco ISE workflow, view the audit logs in the Cisco DNA Center GUI for information.
Cisco DNA Center integrates with the primary Administration ISE node. When you access Cisco ISE from Cisco DNA Center, you connect with this node.
Cisco DNA Center polls Cisco ISE every 15 minutes. If the Cisco ISE server is down, (In the Cisco DNA Center GUI, click the Menu icon () and choose > System > System 360) shows the Cisco ISE server as red (unreachable).
When the Cisco ISE server is unreachable, Cisco DNA Center increases polling to 15 seconds, and then doubles the polling time to 30 seconds, 1 minute, 2 minutes, 4 minutes, and so
on, until it reaches the maximum polling time of 15 minutes. Cisco DNA Center continues to poll every 15 minutes for 3 days. If Cisco DNA Center does not regain connectivity, it stops polling and updates the Cisco ISE server status to Untrusted. If this happens, you will need to reestablish trust between Cisco DNA Center and the Cisco ISE server.
Review the following additional requirements and recommendations to verify Cisco DNA Center and Cisco ISE integration:
Cisco DNA Center and Cisco ISE integration is not supported over a proxy server. If you have Cisco ISE configured with a proxy server in your network, configure Cisco DNA Center such that it does not use the proxy server; it can do this by bypassing the proxy server's IP address.
Cisco DNA Center and Cisco ISE integration is not currently supported through a Cisco DNA Center virtual IP address (VIP). If you are using an enterprise CA-issued certificate for Cisco DNA Center, make sure the Cisco DNA Center certificate includes the IP addresses of all interfaces on Cisco DNA Center in the Subject Alternative Name (SAN) extension. If Cisco DNA Center is a three-node cluster, the IP addresses of all interfaces from all three nodes must be included in the SAN extension of
the Cisco DNA Center certificate.
Cisco DNA Center needs access to both the Cisco ISE CLI (through an Ethernet routing switch) and GUI (through an SSH connection). Because you can define only one set of Cisco ISE credentials in Cisco DNA Center, make sure these credentials are the same for both the Cisco ISE GUI and CLI user accounts.
Disable password expiry for the Admin user in Cisco ISE. Alternatively, make sure that you update the password before it expires. For more information, see the Cisco Identity Services Engine Administrator Guide.
When the Cisco ISE certificate changes (password, expiration, etc.), Cisco DNA Center must be updated. To do that, edit the AAA Server (Cisco ISE), reenter the password, and save. This forces Cisco DNA Center to download the certificate chain for the new admin certificate from Cisco ISE, and update Cisco DNA Center. If you are using Cisco ISE in High Availability mode, and the admin certificate changes on either the primary or secondary administrative node, you
must update Cisco DNA Center. Cisco DNA Center connects to Cisco ISE via SSH and runs CLI to get the certificate info.
Cisco DNA Center configures certificates for itself and for Cisco ISE to connect over pxGrid. You can use other certificates with pxGrid for connections to other pxGrid clients, such as Firepower.
These other connections will not interfere with the Cisco DNA Center and Cisco ISE pxGrid connection.
To change the RADIUS Secret Password: You provided the secret password when you configured Cisco ISE as an AAA Server on the System > Settings > External Services > Authentication and Policy Servers page. To change the secret password, navigate to Design > Network Settings > Network, and click the Change Shared Secret link. This causes Cisco ISE to use the new secret password when connecting to network devices managed by Cisco DNA Center.