Cisco ISE Integration with DNA Center: A Comprehensive Technical Guide - The Network DNA: Networking, Cloud, and Security Technology Blog

Cisco ISE Integration with DNA Center: A Comprehensive Technical Guide

Integrating Cisco Identity Services Engine (ISE) with Cisco DNA Center (DNAC) establishes a powerful foundation for enterprise network access control and policy management. This integration enables centralized authentication, authorization, and accounting (AAA) services while allowing DNA Center to orchestrate network policies based on user identity and device posture. The following guide provides detailed procedures for successfully implementing this integration in production environments.

Introduction

Cisco ISE serves as the identity and access management platform for enterprise networks, providing robust authentication and policy enforcement capabilities. Cisco DNA Center functions as the network management and orchestration platform, enabling administrators to design, provision, and manage network infrastructure at scale. When integrated, these platforms create a unified system where network policies can be dynamically adjusted based on real-time identity and device information.

The integration leverages two critical communication mechanisms: the External RESTful Services (ERS) API for direct policy management and the pxGrid service for secure real-time information exchange. This document outlines the five essential steps required to establish this integration successfully.

Step 1: Enable pxGrid Service in Cisco ISE

The pxGrid (Platform Exchange Grid) service is the foundation for secure communication between ISE and external systems. This service must be explicitly enabled before DNA Center can establish a connection.

Procedure

  • Access the Cisco ISE administration interface by logging in with administrative credentials
  • Navigate to the **Administration** menu in the top navigation bar
  • Select **System** from the left sidebar menu
  • Click on **Deployment** to view the current ISE deployment configuration
  • Locate your ISE node in the deployment list and click on it to expand details
  • Verify that the **pxGrid** service is enabled (indicated by a toggle switch or checkbox)
  • If pxGrid is disabled, enable it and save the configuration

Key Considerations

pxGrid enables real-time session information exchange and context sharing. Ensure that network connectivity between ISE and DNA Center allows bidirectional communication on the pxGrid ports (typically TCP 8910 and 8909). Firewall rules should be configured to permit this traffic without restriction.

Step 2: Enable ERS Read/Write API in Cisco ISE

The External RESTful Services (ERS) API provides programmatic access to ISE resources and policies. DNA Center uses this API to query and manage ISE configurations, making it essential for the integration.

Procedure

1. Log in to Cisco ISE with administrative credentials

2. Navigate to **Administration** > **System** > **Settings**

3. Select **API Settings** from the left sidebar

4. Click on the **API Service Settings** tab

5. Locate the **ERS (Read/Write)** toggle switch and enable it

6. Locate the **Open API (Read/Write)** toggle switch and enable it

7. Review the CSRF (Cross-Site Request Forgery) settings:

  • For enhanced security with ISE 2.3 or later clients, enable **CSRF Check for Enhanced Security**
  • For compatibility with older ISE clients (pre-2.3), select **Disable CSRF for ERS Request**

8. Save the configuration by clicking the appropriate save or apply button

The API Settings screen showing both ERS and Open API options enabled:

Important Notes

The ERS API requires authentication credentials. DNA Center will need to store ISE administrator credentials securely to authenticate API requests. Ensure that the ISE user account designated for API access has appropriate administrative privileges. Consider creating a dedicated service account with minimal required permissions for enhanced security.

Step 3: Add Cisco ISE as an Authentication and Policy Server in DNA Center

With ISE configured to accept external connections, DNA Center must be configured to recognize and trust ISE as an authentication and policy server. This establishes the bidirectional trust relationship required for policy synchronization.

Procedure

  • Log in to Cisco DNA Center with administrative credentials
  • Navigate to **System** > **System 360** from the main menu
  • Locate the **External Connector System** section
  • Find and click on **ISE Configure**
  • Click the **Configure** button to open the ISE configuration dialog
  • Select **Authentication and Policy Server** from the available options
  • Click **Add** to create a new ISE server entry
  • Select **ISE** as the server type

ISE Server Configuration Dialog

The configuration dialog requires the following information:

  • **Server IP Address**: The management IP address of the ISE server (e.g., 172.16.1.21)
  • **Shared Secret**: A pre-shared key used for secure communication between DNA Center and ISE. This value must match exactly on both systems
  • **Password**: The password for the ISE administrative account that DNA Center will use for API authentication
  • **FQDN (Fully Qualified Domain Name)**: Optional but recommended for DNS-based connectivity
  • **Virtual IP Address(es)**: If using ISE clustering or high availability, specify the virtual IP addresses

Configuration Submission

Once all required fields are populated, click the **Add** button to submit the configuration. DNA Center will immediately attempt to establish a connection with ISE.

Step 4: Successful Integration Confirmation

Upon successful submission of the ISE server configuration, DNA Center initiates a series of validation steps to establish trust and connectivity with ISE.

Integration Process

The integration process includes the following stages:

  • **Connection Initiation**: DNA Center establishes an initial connection to ISE and validates credentials
  • **Trust Establishment**: The systems exchange and validate SSL/TLS certificates for secure communication
  • **Node Discovery**: DNA Center discovers ISE primary, secondary, and pxGrid nodes
  • **pxGrid Connection**: DNA Center establishes a secure pxGrid connection for real-time information exchange

When the integration is successful, a confirmation dialog appears with the message "Integration of Cisco ISE server [IP Address] was successful." The dialog also displays the progression of connection establishment stages, each marked with a green checkmark indicating successful completion:

  • **Initiating connection**: Connecting to ISE and validating credentials
  • **Establishing trust**: Reading, validating, and storing trusted certificates
  • **Discovering nodes**: Discovering ISE primary and secondary admin nodes and pxGrid nodes
  • **Connecting to pxGrid**: Loading and validating pxGrid certificates, subscribing to pxGrid topics

Step 5: Approve pxGrid Connection in Cisco ISE

After DNA Center successfully initiates the connection, ISE receives a pxGrid client connection request from DNA Center. This request must be explicitly approved within ISE to complete the trust relationship.

Procedure

  • Log in to Cisco ISE with administrative credentials
  • Navigate to **Administration** from the main menu
  • Select **pxGrid Services** from the left sidebar
  • Click on **Client Management** to view pending and approved pxGrid clients
  • Locate the DNA Center client entry in the list (typically identified by hostname or IP address)
  • Click the **Approve** button to authorize the connection
  • Ensure the client status is set to **Enabled** (toggle switch should be in the ON position)
  • Save the configuration

Security Considerations

The pxGrid approval process is a critical security checkpoint. Only approve pxGrid connections from trusted DNA Center instances. Regularly audit the list of approved pxGrid clients and remove any entries that are no longer in use or that represent unauthorized systems.
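One way to make the audit described above repeatable, as an added example that is not part of the original post: the client records, field names, hostnames and IP addresses below are constructed for illustration (they are not ISE's export schema), and the allowlist and idle threshold are assumptions you would replace with your own inventory.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a pxGrid Client Management listing after export. The field
# names are ours for illustration, not ISE's export schema.
SAMPLE_CLIENTS = [
    {"name": "dnac-prod-01", "address": "172.16.1.50", "status": "Enabled", "approved": True,
     "last_seen": "2025-06-09T11:58:00+00:00"},
    {"name": "dnac-prod-02", "address": "172.16.1.51", "status": "Enabled", "approved": True,
     "last_seen": "2025-01-15T08:00:00+00:00"},        # approved months ago, silent since
    {"name": "unknown-host", "address": "192.0.2.77", "status": "Enabled", "approved": True,
     "last_seen": "2025-06-08T22:10:00+00:00"},        # nobody on the team recognises it
    {"name": "dnac-prod-03", "address": "172.16.1.52", "status": "Disabled", "approved": False,
     "last_seen": None},                                # new DNA Center awaiting Step 5 approval
]

# DNA Center instances allowed to hold a pxGrid client, by hostname or IP as ISE displays them (assumed inventory).
ALLOWED_DNAC = {"dnac-prod-01", "172.16.1.50", "dnac-prod-02", "172.16.1.51", "dnac-prod-03", "172.16.1.52"}
MAX_IDLE_DAYS = 30  # assumed: an approved client silent this long is a removal candidate
AUDIT_TIME = datetime(2025, 6, 9, 12, 0, tzinfo=timezone.utc)  # constructed audit timestamp

def audit_pxgrid_clients(clients, allowed, now, max_idle_days=MAX_IDLE_DAYS):
    """Bucket each client as unauthorized, stale, pending or ok; now must be UTC-aware."""
    report = {"unauthorized": [], "stale": [], "pending": [], "ok": []}
    for client in clients:
        seen = datetime.fromisoformat(client["last_seen"]) if client["last_seen"] else None
        if client["name"] not in allowed and client["address"] not in allowed:
            report["unauthorized"].append(client["name"])   # revoke first, then investigate
        elif not client["approved"] or client["status"] != "Enabled":
            report["pending"].append(client["name"])        # expected DNA Center, not yet usable
        elif seen is None or now - seen > timedelta(days=max_idle_days):
            report["stale"].append(client["name"])          # approved but idle: remove if decommissioned
        else:
            report["ok"].append(client["name"])
    return report

if __name__ == "__main__":
    for bucket, names in audit_pxgrid_clients(SAMPLE_CLIENTS, ALLOWED_DNAC, AUDIT_TIME).items():
        print(f"{bucket:>12}: {', '.join(names) or '-'}")
```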

Step 6: Verify Integration Status

The final step is to verify that the integration is fully operational and that all services are communicating correctly. This verification should be performed from both DNA Center and ISE perspectives.

Verification from DNA Center

  • Navigate to **System** > **System 360** > **External Connector System**
  • Locate the ISE entry in the **Externally Connected Systems** section
  • Verify that both the **Primary** and **pxGrid** services show an **Available** status
  • Check the timestamp to confirm recent communication

Verification from ISE

  • Log in to Cisco ISE
  • Navigate to **Administration** > **System** > **Deployment**
  • Click on the ISE node to view deployment details
  • Verify that pxGrid is enabled and operational
  • Check **Administration** > **pxGrid Services** > **Client Management** to confirm the DNA Center client is approved and enabled

Health Checks

Perform the following health checks to ensure optimal integration:

  • **Connectivity**: Verify network connectivity between DNA Center and ISE on all required ports (TCP 443 for ERS API, TCP 8910/8909 for pxGrid)
  • **Certificate Validation**: Ensure SSL/TLS certificates are valid and not expired
  • **Credential Verification**: Confirm that ISE credentials stored in DNA Center are correct and the user account has appropriate permissions
  • **Log Review**: Check ISE system logs for any authentication or connection errors

Connection Failures

If DNA Center fails to connect to ISE, verify the following:

  • ISE server IP address is correct and reachable from DNA Center
  • Firewall rules permit traffic on required ports
  • ISE credentials are correct and the user account has administrative privileges
  • ISE system time is synchronized with DNA Center (time skew can cause certificate validation failures)
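A pre-flight script for the Health Checks and Connection Failures lists above, added here as an example rather than code from the original post: it probes the ports this guide lists, performs a TLS handshake that trusts only the ISE CA certificate (assumed to have been exported to a PEM file), reports certificate expiry, and measures clock skew from the HTTP Date header. The hostname must be the ISE FQDN; the skew and expiry thresholds are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
REQUIRED_PORTS = {443: "ERS API", 8910: "pxGrid", 8909: "pxGrid"}  # ports listed in this guide
MAX_SKEW_SECONDS = 300   # assumed tolerance before certificate validation starts failing
MIN_DAYS_TO_EXPIRY = 30  # assumed warning threshold for certificate renewal

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection succeeds: a quick route/firewall check for one port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_tls(host, port, ca_file, timeout=5.0):
    """Handshake trusting only ca_file (the ISE CA chain exported as PEM), then read the HTTP Date header."""
    ctx = ssl.create_default_context(cafile=ca_file)  # hostname check stays on, so pass the ISE FQDN
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # SSLError here = trust not established
            cert = tls.getpeercert()
            tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            headers = tls.recv(4096).decode(errors="replace")
    dates = [h.split(":", 1)[1].strip() for h in headers.split("\r\n") if h.lower().startswith("date:")]
    return cert, (dates[0] if dates else None)

def days_until_expiry(not_after, now):
    """not_after is getpeercert()['notAfter'], e.g. 'Jun  9 12:00:00 2030 GMT'; now is UTC-aware."""
    return (ssl.cert_time_to_seconds(not_after) - now.timestamp()) / 86400.0

def clock_skew_seconds(date_header, now):
    """Absolute offset between the ISE HTTP Date header and our UTC-aware clock."""
    return abs((parsedate_to_datetime(date_header) - now).total_seconds())

def health_report(host, ca_file):
    """Return (check, status, detail) tuples; anything not 'OK' is a likely integration blocker."""
    now = datetime.now(timezone.utc)
    findings = [(f"{svc} TCP {port}", "OK" if tcp_reachable(host, port) else "FAIL", "")
                for port, svc in REQUIRED_PORTS.items()]
    try:
        cert, date_header = probe_tls(host, 443, ca_file)
    except OSError as exc:  # ssl.SSLError is an OSError: chain, hostname or connection failure
        return findings + [("TLS trust", "FAIL", str(exc))]
    days = days_until_expiry(cert["notAfter"], now)
    findings.append(("Certificate expiry", "OK" if days > MIN_DAYS_TO_EXPIRY else "WARN", f"{days:.0f} days left"))
    skew = clock_skew_seconds(date_header, now) if date_header else None
    findings.append(("Clock skew", "OK" if skew is not None and skew < MAX_SKEW_SECONDS else "WARN",
                     "no Date header" if skew is None else f"{skew:.0f} s"))
    return findings
```

Run `health_report("ise.example.net", "ise-ca.pem")` (placeholder names) from the DNA Center side of the firewall so the reachability results reflect the path DNA Center actually uses.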

pxGrid Connection Issues

If the pxGrid connection fails to establish:

  • Confirm that pxGrid is enabled in ISE Deployment settings
  • Verify that the DNA Center pxGrid client is approved in ISE Client Management
  • Check that both systems have valid SSL/TLS certificates
  • Review ISE system logs for pxGrid-related errors

API Communication Problems

If ERS API calls fail:

  • Verify that ERS Read/Write API is enabled in ISE API Settings
  • Confirm that the ISE user account has appropriate API permissions
  • Check network connectivity to ISE management IP address
  • Review ISE API logs for authentication or request format errors