Cisco DNA Center external Authentication using ISE TACACS – Part 1

Cisco’s latest marketing push around intent-based networking looks very interesting, but I am curious to see what the uptake is like over the next 12 to 18 months. There are a lot of moving parts required for SDA (Software Defined Access) to function and I am not yet convinced that the benefits outweigh the cost and complexity of the architecture for small to medium-sized networks. Time will tell.

I have recently had the opportunity to get my hands on a shiny new Cisco DNA Center appliance and some sexy new Catalyst 9K switches. DNA Center is the heart of Cisco’s Digital Network Architecture and is currently only available as a physical appliance in the form of a 1RU UCS C-Series server. It runs Ubuntu Linux as the base OS and uses Docker to house the myriad containers that provide the magic.

After successfully completing the installation of the latest version of DNA Center onto the appliance, one of the first items on my to-do list was to configure an existing ISE server as an external authentication source using TACACS. This post covers the ISE configuration required; a follow-up post will cover the actual integration steps for ISE and DNA Center.

There are a few assumptions made here:

  • You already have ISE installed (I am using ISE 2.4 Patch 5).
  • ISE has been configured with an External Identity Source (In this example an Active Directory instance).
  • The Active Directory group containing the User Accounts you wish to have admin access to DNA Center has been added to ISE (Administration – External Identity Sources – Active Directory – <AD Name> – Groups).

The first step is to log in to the existing ISE server and create a new Device Type for the DNA Center. Go to Administration – Network Resources – Network Device Groups. Click Add and configure as below. Your ISE Device Group hierarchy may differ; the goal here is to create a unique Device Group for the Cisco DNA Center(s).

Now we need to add the DNA Center as a Network Device. Go to Administration – Network Resources – Network Devices and add a new device. Choose an appropriate name and enter the physical IP address of the DNA Center. (When you configure the DNA Center during install, a physical IP is specified as well as a VIP that is used for clustering; I used the physical IP address rather than the VIP because that is the source address of the TACACS requests.) Set a Location, set the Device Type to the Device Group created in the previous step, and finally enter a TACACS password (the shared secret you will configure on the DNA Center side).

A TACACS Profile needs to be configured now. Go to Work Centers – Device Administration – Policy Elements – Results – TACACS Profiles and click Add. Enter an appropriate Name, change the Common Task Type to Generic and click Add in the Custom Attributes section. Configure as follows:

  • Type: Mandatory
  • Name: Cisco-AVPair
  • Value: Role=SUPER-ADMIN-ROLE

VERY IMPORTANT – Make sure you click the little tick icon on the right of the Attribute form to save it (This took me a while to work out!) before you click Save.
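To see what this profile turns into on the wire once the policy set matches, here is an added Python example (not code from the original post, and not Cisco's) that encodes and decodes a TACACS+ authorization REPLY body as laid out in RFC 8907 and then picks out the role the way a client configured with a given AAA attribute name has to. It assumes the body is already de-obfuscated and leaves the 12-byte packet header out; the sample reply is constructed.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Authorization REPLY status codes (RFC 8907 section 6.2)
STATUS_PASS_ADD = 0x01
STATUS_PASS_REPL = 0x02
STATUS_FAIL = 0x10

Arg = Tuple[str, str, bool]  # (attribute, value, mandatory)


def build_author_reply(status: int, args: List[Arg], server_msg: str = "") -> bytes:
    """Encode a REPLY body. A mandatory argument (ISE 'Type: Mandatory') is
    joined with '=', an optional one with '*' (RFC 8907 section 8.1)."""
    encoded = [f"{n}{'=' if m else '*'}{v}".encode() for n, v, m in args]
    msg = server_msg.encode()
    head = struct.pack("!BBHH", status, len(encoded), len(msg), 0)  # data_len is 0 here
    return head + bytes(len(a) for a in encoded) + msg + b"".join(encoded)


def parse_author_reply(body: bytes) -> Dict:
    """Decode the fixed header, the per-argument lengths, then each argument."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    off = 6
    arg_lens = list(body[off:off + arg_cnt]); off += arg_cnt
    server_msg = body[off:off + msg_len].decode(); off += msg_len
    off += data_len  # administrative 'data' field, not needed for the role
    args: List[Arg] = []
    for ln in arg_lens:
        raw = body[off:off + ln].decode(); off += ln
        # the first '=' or '*' splits attribute from value; '=' means mandatory
        for i, ch in enumerate(raw):
            if ch in "=*":
                args.append((raw[:i], raw[i + 1:], ch == "="))
                break
        else:
            raise ValueError(f"malformed argument: {raw!r}")
    return {"status": status, "server_msg": server_msg, "args": args}


def dnac_role(reply: Dict, aaa_attribute: str = "Cisco-AVPair") -> Optional[str]:
    """Role carried by the configured AAA attribute, or None when the login must
    be rejected: FAIL status, attribute name not matching, or no 'Role=' value."""
    if reply["status"] not in (STATUS_PASS_ADD, STATUS_PASS_REPL):
        return None
    for name, value, _mandatory in reply["args"]:
        if name == aaa_attribute and value.startswith("Role="):
            return value[len("Role="):]
    return None
```

Feeding a reply whose attribute was renamed (as in the workaround discussed in the comments) into `dnac_role()` with the default attribute name returns None, which is exactly why the client side has to be told the new name.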

The final step of the ISE configuration is to create the Device Admin Policy Set. Go to Work Centers – Device Administration – Device Admin Policy Sets and click the + icon.

Enter an appropriate Policy Set Name and then click the + icon in the conditions field. Configure as follows using the drop-down menus in the Editor pane:

  • Attribute: DEVICE Device Type
  • Equals
  • Attribute value: <Use the Device Group created in the first step>

Click the green Use icon in the bottom right corner.
Click the green Save icon.
Click the > icon in the View column of your newly created Policy Set.

Click Authentication Policy to expand it and then click the + icon to create a new policy.
Enter an appropriate name and set the Conditions as follows:

  • Attribute: TACACS Service
  • Equals
  • Attribute value: Login

Click the green Use icon in the bottom right corner.
Set the Use field to the name of your previously configured Active Directory External Identity Source.

Click Authorization Policy to expand it and then click the + icon to create a new policy.

Enter an appropriate name and set the Conditions as follows:

  • Attribute: <Active Directory Name> External Groups
  • Equals
  • Attribute value: <Name of AD Group containing DNA Admin accounts>

Click the green Use icon in the bottom right corner.
Set the Shell Profiles field to the TACACS profile created earlier.
Click Save.

That’s the ISE side complete; the next post will cover the DNA Center configuration and integration steps.

8 Comments on "Cisco DNA Center external Authentication using ISE TACACS – Part 1"


  1. Thanks for the article, is there a link for Part 2 as I am unable to find it using the search option?

    Thanks

    1. Hi Chris

      Haven’t got around to writing that one yet, it is coming soon though as I have been doing a lot of work with DNA-C lately.

      Regards

      Kirin

    2. There isn’t really much to the part 2 to make it work.

      On the DNA Center Appliance, do the following:
      1. Go to System Settings>Settings
      2. Click Authentication and Policy Servers
      3. Click the + and add your server IP and the shared secret you used on the ISE box
      4. Expand Advanced settings and make sure you choose TACACS and click Apply
      5. Go to System Settings>Users
      6. Click External Authentication
      7. Check Enable External Authentication
      8. For ‘AAA Attribute’, put ‘Cisco-AVPair’
      9. Click Update
      10. Test the configuration by logging into the DNAC Appliance with the new credentials

  2. Hi,
    I’m using ISE v2.7 and DNAC v1.3.3.8.
    I’ve configured my login scenario as described above.
    On ISE everything is fine: authentication and authorization are both successful, but the DNAC says “invalid login credentials”.
    Any idea what’s wrong in my configuration?

    1. ISE 2.7 P5 has the issue fixed. On P4, here is the workaround: to work around this issue, on ISE, rename the attribute “cisco-av-pair” to something else, such as “Cisco-Service-Info:Role=SUPER-ADMIN-ROLE”, then in the Cisco DNA Center Settings for External Authentication, configure “Cisco-Service-Info” as the AAA attribute name.
