Cisco DNA: Integration with ISE PxGrid service

This task is fairly easy on a single ISE instance that runs all the services but is not as simple with ISE distributed deployment. Follow these step to have it successfully integrated.

Cisco DNA: 1.2.3
Cisco ISE: 2.3 p4

First of all, make sure your ISE pxGrid node is working properly. You can follow these post to get pxGrid setup in distributed ISE deployment.

Next, add ISE to DNA. Before you start make sure of the following:

  • ISE cli and GUI admin username and passwords are the same
  • DNA can resolve ISE Admin node by FQDN. If not, the quickest way to fix it is to modify host file.

Add ISE to DNA under System > System Settings > Settings > Authentication and Policy Servers. Use the following information to populate these fields.

  • Server IP address – ISE PAN/Admin node IP
  • Shared Secret – any value
  • Cisco ISE server – check to enable
  • Username – Admin’s node Admin username (must match cli and GUI)
  • Password – Admin’s node Admin password
  • FQDN – ISE PAN/Admin node FQDN (make sure it resolves from DNA)
  • Subscriber name – any name

If you have ISE TACACS license then expand advance settings and check TACACS option.

Apply ISE settings.

At this point, it will take a few minutes for two systems to establish communication. ISE status on DNA  will eventually turn to Active. On ISE, go to pxGrid Services and check for Pending clients. You should see one pending (unless auto approval is enabled), select Approve All and DNA should show up under Online clients.

ISE status on DNA under System 360 tab should be all green.

I ran into an issue where communication with pxGrid node was failing.

I pulled pxGrid logs from ISE and found these relevant entries.

TCPSocketStream::_doSSLHandshake] [] Failure performing SSL handshake: 1
[BasicSocket.cpp:483] [] Closing Socket: 0x00007fc03006b6a0, IP: DNA_IP Port: 46462

Issue was related to SSL failure because of an unknown certificate chain presented by the server. On ISE Certificate page pxGrid service was associated with default self-signed certificate which was not correct. I’ve re-associated pxGrid service with the dedicated self-signed cert, re-added ISE node to DNA and issue was resolved.

Give it a few minutes and contextual data should be populating on the Client Health page.


Leave a reply:

Your email address will not be published.

Site Footer

Sliding Sidebar