Cisco DNA Center external Authentication using ISE TACACS – Part 1

Cisco’s latest marketing push around intent based networking looks very interesting but I am curious to see what the uptake is like over the next 12 to 18 months. There are a lot of moving parts required for SDA (Software Defined Access) to function and I am not yet convinced that the benefits outweigh the cost and complexity of the architecture for small – medium sized networks. Time will tell.

I have recently had the opportunity to get my hands on a shiny new Cisco DNA Center appliance and some sexy new Catalyst 9K switches. DNA Center is the heart of Cisco’s Digital Network Architecture and is currently only available as a physical appliance in the form of a 1RU UCS C- Series server. It runs Ubuntu Linux as the base OS and uses Docker to house the myriad containers that provide the magic.

After successfully completing the installation of the latest version of DNA Center onto the appliance, one of the first items on my to-do list was to configure an existing ISE server as an external authentication source using TACACS. This post will cover the ISE configuration required, a follow up post will cover the actual integration steps for ISE and DNA Center.

There are a few assumptions made here:

  • You already have ISE installed (I am using ISE 2.4 Patch 5).
  • ISE has been configured with an External Identity Source (In this example an Active Directory instance).
  • The Active Directory group containing the User Accounts you wish to have admin access to DNA Center has been added in to ISE (Administration – External Identity Sources – Active Directory – <AD Name> – Groups).

The first step is to login to the existing ISE server and create a new Device Type for the DNA Center. Go to Administration – Network Resources – Network Device Groups. Click Add and configure as below. Your ISE Device Group hierarchy may differ, the goal here is to create a unique Device Group for the Cisco DNA Center/s.

Now we need to add the DNA Center as a Network Device. Go to Administration – Network Resources – Network Devices and add a new device. Choose an appropriate name, enter the physical IP address of the DNA Center (When you configure the DNA Center during install a physical IP is specified as well as a VIP that is used for clustering. I used the physical IP address rather than the VIP of the DNA Center as that is the address that the TACACS requests are coming from), set a Location, set the Device Type to the Device Group created in the previous step and finally enter a TACACS password.

A TACACS Profile needs to be configured now. Go to Work Centers – Device Administration – Policy Elements – Results – TACACS Profiles and click Add. Enter an appropriate Name, change the Common Task Type to Generic and click Add in the Custom Attributes section. Configure as follows:

  • Type: Mandatory
  • Name: Cisco-AVPair
  • Value: Role=SUPER-ADMIN-ROLE

VERY IMPORTANT – Make sure you click the little tick icon on the right of the Attribute form to save it (This took me a while to work out!) before you click Save.

The final step of the ISE configuration is to create the Device Admin Policy Set. Go to Work Centers – Device Administration – Device Admin Policy Sets and click the + icon.

Enter an appropriate Policy Set Name and then click the + icon in the conditions field. Configure as follows using the drop down menus in the Editor pane:

  • Attribute: DEVICE Device Type
  • Equals
  • Attribute value: <Use the Device Group created in the first step>

Click the green Use icon in the bottom right corner.
Click the green Save icon
Click the > icon in the View column of your newly created Policy Set

Click Authentication Policy to expand it and then click the + icon to create a new policy.
Enter an appropriate name and set the Conditions as follows:

  • Attribute: TACACS Service
  • Equals
  • Attribute value: Login

Click the green Use icon in the bottom right corner.
Set the Use field to the name of your previously configured Active Directory External Identity Source


Click Authorization Policy to expand it and then click the + icon to create a new policy.

Enter an appropriate name and set the Conditions as follows:

  • Attribute: <Active Directory Name> External Groups
  • Equals
  • Attribute value: <Name of AD Group containing DNA Admin accounts>

Click the green Use icon in the bottom right corner.
Set the Shell Profiles field to the TACACS profile created earlier.
Click Save

That’s the ISE side complete, the next post will cover the DNA Center configuration and integration steps.

2 Comments on "Cisco DNA Center external Authentication using ISE TACACS – Part 1"


  1. Thanks for the article, is there a link for Part 2 as I am unable to find it using the search option?

    Thanks

    Reply

    1. Hi Chris

      Haven’t got around to writing that one yet, it is coming soon though as I have been doing a lot of work with DNA-C lately.

      Regards

      Kirin

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *