Configure DNA Center Assurance for Cisco ISE Integration If your network uses Cisco ISE for user authentication, you can configure DNA Center Assurance for Cisco ISE integration. This will allow you to see more information about wired clients, such as the username and operating system, in DNA Center Assurance. See the following topics: Generate Keystore File, on page 1 Generate Truststore File, on page 3 DNA Center Assurance and Cisco ISE Integration, on page 4 Generate Keystore File Use this procedure to generate the Keystore file. The keystore.jks file that is generated contains certificates, which DNA Center uses to communicate with ISE. Before you begin Note You must have Java Keytool installed to complete this procedure. Procedure Step 1 Log into Cisco ISE. Step 2 From the Cisco ISE home page, choose Administration > pxgrid Services > Certificates. The Generate pxgrid Certificates page opens. Step 3 a) From the I want to drop-down list, choose Generate cert (without certificate signing request). b) In the Common Name (CN) field, enter the name of the DNA Center server including domain name. For example, dnac.yourdomain.com. c) From the Subject Alternative Name (SAN) drop-down list, choose IP address, and then enter the DNA Center IP address in the field provided. 1
Generate Keystore File d) From the Certificate Download Format drop-down list, choose PKCS format (including certificate chain; one file for both the certificate name and key). e) In the Certificate Password field, enter a unique password. f) In the Confirm Password field, enter the password again. Save this password. You will need to use this password when you configure DNA Center Assurance for ISE integration. g) Click Create. A Zip file is generated. h) Extract the files from the Zip file. Step 4 From a terminal prompt, do the following: a) Go to the directory where you extracted the files. $ cd /home/user/certificate b) Enter the following command: keytool -v -list -storetype pkcs12 -keystore filename -storepass certificate-password grep i alias $ keytool -v -list -storetype pkcs12 -keystore DNAC.cisco.com_192.168.0.1.p12 -storepass Cisco123 grep -i alias Alias name: dnac.cisco.com_192.168.0.1 An Alias Name is generated. c) Copy the Alias Name. d) Enter the following command: keytool -importkeystore -srckeystore filename -srcstoretype pkcs12 -srcalias alias name -destkeystore keystore.jks -deststoretype jks -deststorepass certificate-password -destalias Keystore $ keytool -importkeystore -srckeystore DNAC.cisco.com_192.168.0.1.p12 -srcstoretype pkcs12 -srcalias dnac.cisco.com_192.168.0.1 -destkeystore keystore.jks -deststoretype jks -deststorepass Cisco123 -destalias Keystore e) At the Enter the source keystore password: prompt, enter the Certificate Password that you entered in Step 3 e. The keystore.jks file is created in the same folder where you extracted the files. The keystore.jks file that is generated contains certificates, which DNA Center uses to communicate with ISE. What to do next Generate the Trustore file. See Generate Truststore File, on page 3. Configure DNA Center Assurance for Cisco ISE integration. See DNA Center Assurance and Cisco ISE Integration, on page 4. 2
Generate Truststore File Generate Truststore File Use this procedure to generate the Truststore file. The truststore.jks keystore file that is generated contains ISE certificates, which allow DNA Center to validate the ISE server in all communications. Before you begin Make sure you have generated the Keystore file. See Generate Keystore File, on page 1. Note You must have Java Keytool installed to complete this procedure. Procedure Step 1 Step 2 Log into Cisco ISE From the Cisco ISE home page, choose Administration > pxgrid Services > Certificates. The Generate pxgrid Certificates page opens. Step 3 Step 4 a) From the I want to drop-down list, choose Download Root Certificate Chain. b) In the Host Name field, enter a host name. c) From the Certificate Download Format drop-down list, choose Certificate in Privacy Enhanced Electronic Mail (PEM) format, key in PKSCB format (including certificate chain). d) Click Create. A Zip file is generated. e) Extract the four files from the Zip file. From a terminal prompt, do the following: a) Go to the directory where you extracted the files. $ cd /home/user/certificate b) Enter the following command: keytool -importcert -file filename -keystore truststore.jks -alias filename-without-extension c) At the Enter the keystore password: prompt, enter the Certificate Password that you created when you generated the Keystore file. See Generate Keystore File, on page 1. d) At the Re-enter the new password: prompt, enter the password to confirm it. e) At the Trust this certificate? [no:prompt, enter yes. The certificate is added to Keystore. The truststore.jks keystore file that is generated contains ISE certificates, which allow DNA Center to validate the ISE server in all communications. f) Repeat Step 4 for each of the extracted files. The truststore.jks file is created in the same folder where you extracted the files. The ISE server certificate chain is added to the truststore.jks file. 3
DNA Center Assurance and Cisco ISE Integration $ keytool -importcert -file CertificateServicesEndpointSubCA-dnac-ise-01_.cer -keystore truststore.jks -alias CertificateServicesEndpointSubCA-dnac-ise-01_ Enter keystore password: Re-enter new password: Owner: CN=Certificate Services Endpoint Sub CA - dnac-ise-01 Issuer: CN=Certificate Services Node CA - dnac-ise-01 Serial number: 9a91659bf1546c19e8ccd43fb4b6b62 Valid from: Sat Sep 16 11:59:43 PDT 2017 until: Fri Sep 17 11:59:40 PDT 2027 Certificate fingerprints: SHA1: 6D:F5:B6:8F:E2:21:D5:91:44:23:28:7B:59:71:34:23:03:8F:F2:99 SHA256: 1A:8D:54:73:48:E6:2B:40:8A:64:AB:04:98:40:C9:C0:EB:07:28:54:C4:0C:4F:DD:7D:66:FA:5B:EB:C6:54:ED Signature algorithm name: SHA256withRSA Subject Public Key Algorithm: 4096-bit RSA k Version: 3 Extensions: #1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 5A 8A 8D 1B 32 3B 41 31 93 BF 12 E6 53 44 9E 52 Z...2;A1...SD.R 0010: 07 0E F1 E2... [CN=Certificate Services Root CA - dnac-ise-01 SerialNumber: [ 332cc5aa 641e4b8a a6b0cf67 a0ac24bd #2: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:2147483647 #3: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ Key_CertSign #4: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 72 3C 5F 26 5F D4 7A AF 17 85 2B 72 C9 C3 82 16 r<_&_.z...+r... 0010: 0D 46 FE 48.F.H Trust this certificate? [no: yes Certificate was added to keystore What to do next Configure DNA Center Assurance for Cisco ISE integration. See DNA Center Assurance and Cisco ISE Integration, on page 4. DNA Center Assurance and Cisco ISE Integration Before you begin Make sure you have generated the Keystore file. See Generate Keystore File, on page 1. 4
DNA Center Assurance and Cisco ISE Integration Make sure you have generated the Trustore file. See Generate Truststore File, on page 3. Procedure Step 1 From the DNA Center Home page, choose > System Settings > Data Platform > Collectors. The Collectors page appears. Step 2 Click Collector-ISE. The Collector-ISE page appears. Step 3 Click + Add. The ISE Collector Configuration page appears. Step 4 a) In the ISE Service IP Address field, enter the IP address of the ISE server. b) In the Username field, enter the ISE username. c) In the Password field, enter the ISE password. d) From the Truststore File area, click Browse, and then upload the Truststore file. e) In the Truststore Passphrase field, enter the Certificate Password. f) From the Keystore File area, click Browse, and then upload the Keystore file. g) In the Keystore Passphrase field, enter the Certificate Password. You created the Certificate Password when you generated the Keystore file. See Generate Keystore File, on page 1. h) (Optional) Check the Anonymize check box if you want to hide the user name. In the Salt field, enter the Salt string for the user name. i) In the Subscriber Name field, enter the name of the pxgrid subscriber. For example: dnac-assurance j) In the Configuration Name field, enter a unique name for the ISE configuration. k) Click Save Configuration. 5
DNA Center Assurance and Cisco ISE Integration 6