Introduction
This document describes the procedure to reconfigure a Network Access Device (NAD) entry in Identity Services Engine (ISE) that has been modified or removed from ISE.
Background Information
There are several scenarios in which the NAD entry for a Network Device managed by Catalyst Center needs to be modified. For example:
A device is returned (RMA), its serial number changes, and the new serial number must be updated in the NAD entry of that Network Device (Advanced TrustSec Settings).
Otherwise, TrustSec device authentication does not succeed, and the device fails to download the PAC and environment data.
In another scenario, the NAD entry is deleted from ISE (due to manual error or some other cause), and all authentication for that device fails because there is no NAD entry in ISE.
Problem
The problem in these scenarios is that Catalyst Center has no predefined option to re-create the NAD entry on demand: the entry is created only once, when the Network Device is first assigned to a site. Users therefore have to configure or modify the NAD entry in ISE manually, which is time consuming and error prone.
This document describes the steps to reconfigure the NAD entry for any Network Device in ISE whose entry has been modified or removed from the ISE NAD list. The procedure applies to any Network Device managed by Catalyst Center.
Solution
To have Catalyst Center configure the NAD entry in ISE, change the management IP address of the device to any dummy IP address; this triggers the NAD entry creation workflow in the backend.
This procedure applies to any Network Device managed by Catalyst Center. The NAD entry is created with the original IP address, because the workflow runs before the management IP address change takes effect. In this example, Advanced TrustSec Settings is disabled for the NAD entry in ISE:
NAD Entry ISE for a Network Device
Advanced TrustSec Settings is disabled for this NAD entry
As seen in this image, the NAD entry for the device has Advanced TrustSec Settings disabled (when Catalyst Center creates a NAD entry, this section is normally enabled). Change the management IP address in Catalyst Center to a dummy IP address, which triggers the workflow to reconfigure the NAD entry in ISE. Changing the management IP address moves the device Manageability to the Syncing state, and the ISE NAD entry is modified.
Changing the Management IP address for the Network Device in Catalyst Center to Dummy IP
Network Device goes into Syncing State
Network Device becomes Unreachable and Unmanaged because the management IP address is a dummy IP that is not reachable from Catalyst Center
The ISE NAD entry is updated and "Advanced TrustSec Settings" is now enabled:
Advanced TrustSec Settings got enabled after updating Management IP address from Catalyst Center
After the entry is created, change the management IP address back to its original IP.
Changing the Management IP address back to its original IP
After the management IP address is updated back to its original value, the device goes into the "Syncing" state and then becomes "Managed".
Here is another scenario, where the NAD entry was deleted:
NAD Entry does not exist in ISE for the Network Device
As you can see, the NAD entry for the same device does not exist. Use the same procedure: modify the management IP address in Catalyst Center to a dummy IP, then change it back. After this procedure, the NAD entry for the Network Device is created with its original IP address.
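Both scenarios above (Advanced TrustSec Settings disabled, and the NAD entry deleted) end with a manual look in the ISE GUI to confirm that the entry was re-created with the original IP address. The following Python script is an added example, not Cisco's code or part of this document's procedure: it reads the NAD entry through the ISE ERS API before and after the management IP change and reports whether the entry exists, whether it carries the expected original IP, and whether TrustSec device authentication settings are present. It assumes ERS is enabled on port 9060 and that the `NetworkDevice` JSON uses the `NetworkDeviceIPList` and `trustsecsettings` / `deviceAuthenticationSettings` / `sgaDeviceId` keys; those key names, the host, device name and the sample responses are assumptions or constructed values, so verify them against your ISE version before relying on the check.

```python
"""Pre/post check of an ISE NAD entry (added example, not Cisco's code).

Assumed, not taken from the document: ERS enabled on TCP 9060, an ERS admin
account, GET /ers/config/networkdevice/name/<name> with Accept: application/json,
and the NetworkDevice JSON schema keys used in assess_nad_entry().
"""
import base64
import json
import ssl
import urllib.error
import urllib.request

ERS_PORT = 9060  # assumed default ERS port


def fetch_nad_entry(ise_host, device_name, username, password, verify_tls=True):
    """Return the parsed ERS NetworkDevice document for device_name, or None
    when ISE answers 404 (the 'NAD entry deleted' scenario). Other HTTP
    errors are raised so a bad credential is not mistaken for a missing entry."""
    url = f"https://{ise_host}:{ERS_PORT}/ers/config/networkdevice/name/{device_name}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    })
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab ISE nodes with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def assess_nad_entry(entry, expected_ip):
    """Summarise a NetworkDevice document against what Catalyst Center is
    expected to have (re)created: the entry exists, it lists the device's
    original management IP, and TrustSec device authentication is configured.
    Returns a dict; 'problems' is empty when everything matches."""
    if entry is None:
        return {"exists": False, "ip_matches": False, "trustsec_enabled": False,
                "problems": ["NAD entry missing in ISE"]}
    dev = entry.get("NetworkDevice", {})
    # Assumed schema: NetworkDeviceIPList -> [{"ipaddress": ..., "mask": ...}]
    ips = [item.get("ipaddress") for item in dev.get("NetworkDeviceIPList", [])]
    # Assumed schema: trustsecsettings.deviceAuthenticationSettings.sgaDeviceId
    auth = (dev.get("trustsecsettings") or {}).get("deviceAuthenticationSettings") or {}
    trustsec_enabled = bool(auth.get("sgaDeviceId"))
    problems = []
    if expected_ip not in ips:
        problems.append(f"expected {expected_ip}, NAD entry lists {ips}")
    if not trustsec_enabled:
        problems.append("Advanced TrustSec Settings disabled (no TrustSec device ID)")
    return {"exists": True, "ip_matches": expected_ip in ips,
            "trustsec_enabled": trustsec_enabled, "problems": problems}


# Constructed sample responses (not captured from a real ISE deployment).
SAMPLE_BEFORE = {"NetworkDevice": {
    "name": "SW-EDGE-01",
    "NetworkDeviceIPList": [{"ipaddress": "10.0.0.1", "mask": 32}],
}}  # no trustsecsettings block: the 'disabled' state from the first scenario
SAMPLE_AFTER = {"NetworkDevice": {
    "name": "SW-EDGE-01",
    "NetworkDeviceIPList": [{"ipaddress": "10.0.0.1", "mask": 32}],
    "trustsecsettings": {"deviceAuthenticationSettings": {"sgaDeviceId": "SW-EDGE-01"}},
}}


if __name__ == "__main__":
    # Offline demonstration over the constructed samples. Against a live ISE
    # you would call fetch_nad_entry("ise.example.com", "SW-EDGE-01", user, pw)
    # once before and once after changing the management IP in Catalyst Center.
    for label, sample in (("deleted", None), ("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, assess_nad_entry(sample, "10.0.0.1"))
```

Run the script once before the management IP change and once after the device returns to the Managed state; an empty `problems` list on the second run confirms the entry was re-created with the original IP address and with Advanced TrustSec Settings enabled, without opening the ISE GUI.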