Configure System Settings

About System Settings

To start using Cisco DNA Center, you must first configure the system settings so that the server can communicate outside the network, ensure secure communications, authenticate users, and perform other key tasks. Use the procedures described in this chapter to configure the system settings.


Note

Any changes that you make to the Cisco DNA Center configuration, including changes to the proxy server settings, must be made from the Cisco DNA Center GUI. Changes to the IP address, static route, DNS server, or maglev user password must be made from the CLI with the sudo maglev-config update command.


Use the System 360

The System 360 tab provides at-a-glance information about Cisco DNA Center.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose System > Settings > System 360.

Step 2

On the System 360 dashboard, review the following displayed data metrics:

Cluster

  • Hosts: Displays the IP address of each Cisco DNA Center host and the health of the services running on it. Click the View Services link to view detailed data about those services.

    Note 

    The host IP address has a color badge next to it. A green badge indicates that the host is healthy. A red badge indicates that the host is unhealthy.

    The side panel displays the following information:

    • Node Status: Displays the health status of the node.

      If the node health is unhealthy, hover over the status to view additional information for troubleshooting.

    • Services Status: Displays the health status of the services. If even one service is down, the status is Unhealthy.

    • Name: Service name.

    • Appstack: App stack name.

      An app stack is a loosely coupled collection of services. A service in this environment is a horizontally scalable application that adds instances of itself when demand increases, and frees instances of itself when demand decreases.

    • Health: Status of the service.

    • Version: Version of the service.

    • Tools: Displays metrics and logs for the service. Click the Metrics link to view service monitoring data in Grafana. Grafana is an open-source metric analytics and visualization suite. You can troubleshoot issues by reviewing the service monitoring data. For information about Grafana, see https://grafana.com/. Click the Logs link to view service logs in Kibana. Kibana is an open-source analytics and visualization platform. You can troubleshoot issues by reviewing the service logs. For information about Kibana, see https://www.elastic.co/products/kibana.

  • High Availability: Displays whether HA is enabled and active.

    Important 

    Three or more hosts are required for HA to work in Cisco DNA Center.

  • Cluster Tools: Lets you access the following tools:

    • Service Explorer: Access the app stack and the associated services.

    • Monitoring: Access multiple dashboards of Cisco DNA Center components using Grafana, which is an open-source metric analytics and visualization suite. Use the Monitoring tool to review and analyze key Cisco DNA Center metrics, such as memory and CPU usage. For information about Grafana, see https://grafana.com/.

      Note 

      In a multihost Cisco DNA Center environment, expect duplication in the Grafana data due to the multiple hosts.

    • Log Explorer: Access detailed logs of Cisco DNA Center activity using Kibana, which is an open-source analytics and visualization platform designed to work with Elasticsearch. Use the Log Explorer tool to review detailed activity logs. For information about Kibana, see https://www.elastic.co/products/kibana.

    • Workflow: Access the Workflow Visualizer, which provides detailed graphical representations of Cisco DNA Center infrastructure tasks, including Success, Failure, and Pending status markings. Use the Workflow tool to determine the location of a failure in a Cisco DNA Center task.

System Management

  • Software Updates: Displays the status of application or system updates. Click the View link to view the update details.

    Note 

    An update has a color badge next to it. A green badge indicates that the update or actions related to the update succeeded. A yellow badge indicates that there is an available update.

  • Backups: Displays the status of the most recent backup. Click the View link to view all backup details.

    Additionally, it displays the status of the next scheduled backup (or indicates that no backup is scheduled).

    Note 

    A backup has a color badge next to it. A green badge indicates a successful backup with a timestamp. A yellow badge indicates that the next backup is not yet scheduled.

  • Application Health: Displays the health of Automation and Assurance.

    Note 

    Application health has a color badge next to it. A green badge indicates a healthy application. A red badge indicates that the application is unhealthy. Click the View link to troubleshoot.

Externally Connected Systems

Displays information about external network services used by Cisco DNA Center.

  • Identity Services Engine (ISE): Displays Cisco ISE configuration data, including the IP address and status of the primary and secondary Cisco ISE servers. Click the Configure link to configure Cisco DNA Center for integration with Cisco ISE.

  • IP Address Manager (IPAM): Displays IP address manager configuration data. Click the Configure link to configure the IP Address Manager.

  • vManage: Displays vManage configuration data. Click the Configure link to configure vManage.


View the Services in System 360

The System 360 tab provides detailed information about the app stacks and services running on Cisco DNA Center. You can use this information to assist in troubleshooting issues with specific applications or services. For example, if you are having issues with Assurance, you can view monitoring data and logs for the NDP app stack and its component services.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose System > Settings > System 360.

Step 2

On the System 360 tab, in the Cluster Tools area, click Service Explorer.

The node clusters and the associated services are displayed in a tree-like structure in a new browser window.
  • Hover over the node to view the node cluster health status. The healthy node clusters are marked in green. Unhealthy node clusters are marked in red.

  • The Services table shows all the services associated with the node. The managed services are marked as (M).

  • In the Service table, click the global filter icon to filter services by app stack name, service health status (Up, Down, or In Progress), or managed services.

  • Enter a service name in the Global Search field to find a service. Click the service name to view the service in its associated node.

Step 3

Click the service to launch the Service 360 view, which displays the following details:

  • Name: Service name.

  • Appstack: App stack name.

  • Version: Version of the service.

  • Health: Status of the service.

  • Metrics: Click the link to view the service's monitoring data in Grafana.

  • Logs: Click the link to view the service logs in Kibana.

  • Required Healthy Instances: Shows the number of healthy instances and indicates whether the service is managed.

  • Instances: Click the instances to view details.

Step 4

Enter the service name in the Search field to search the services listed in the table.

Step 5

Click the filter icon in the services table to filter services based on app stack name, service status (Up, Down, or In Progress), or managed service.


Monitor System Health

From the System Health page, you can monitor the health of the physical components on your Cisco DNA Center appliances and keep tabs on any issues that may occur. Refer to the following topics, which describe how to enable this functionality and use it in your production environment.

Establish Cisco IMC Connectivity

To enable the System Health page, you need to establish connectivity with Cisco Integrated Management Controller (Cisco IMC), which collects health information for your appliances' hardware. Complete the following procedure to do so.


Note

Only users with SUPER-ADMIN-ROLE permissions can enter Cisco IMC connectivity settings for an appliance.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose System > Settings > System Configuration > System Health Notifications.

The IP address of each appliance in your cluster should be listed in the Cisco DNA Center Address column.

Step 2

Configure the information required to log in to Cisco IMC:

  1. Click the IP address for an appliance.

    The Edit Cisco DNA Center Server Configuration slide-in pane opens.

  2. Enter the following information and then click Save:

    • The IP address configured for the appliance's Cisco IMC port.

    • The username and password required to log in to Cisco IMC.

  3. Repeat Steps 2a and 2b for the other appliances in your cluster, if necessary.


Delete Cisco IMC Settings

To delete the Cisco IMC connectivity settings that have been configured previously for a particular appliance, complete the following procedure.


Note

Only users with SUPER-ADMIN-ROLE permissions can delete these settings.


Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose System > Settings > System Configuration > System Health Notifications.

Step 2

For the appliance whose settings you want to delete, click its Delete icon in the Actions column.

A dialog box opens, prompting you to confirm the deletion of the settings.

Step 3

Click Ok.


Subscribe to System Notification Events

After you have established connectivity with Cisco IMC, Cisco DNA Center collects event information from Cisco IMC and stores this information as raw system events. These raw events are then processed by the rules engine and converted into system notification events. Complete the following procedure in order to instruct Cisco DNA Center to send these notification events to the subscribing endpoints that you specify.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Platform > Developer Toolkit > Events.

Step 2

In the Events table, check the check box for the following events and then click :

  • SYSTEM-EXTERNAL-CMX

  • SYSTEM-EXTERNAL-IPAM

  • SYSTEM-EXTERNAL-ISE-AAA-TRUST

  • SYSTEM-EXTERNAL-ISE-PAN-ERS

  • SYSTEM-EXTERNAL-ITSM

  • SYSTEM-HARDWARE

Note 

The quickest way to view these events is to sort the table's Event ID column in descending order. You can also click the Show More link at the bottom of the page until you see the events listed.

The Subscribe dialog box opens.

Step 3

In the Name field, enter a name for this event subscription.

Step 4

In the Subscription Type drop-down list, choose SNMP.

Step 5

Click the Create a new endpoint radio button, then enter the name and description of the endpoint that will receive notification events.

Step 6

In the Notification Trap Receiver area, configure the endpoint (the trap receiver) to which Cisco DNA Center sends the SNMP traps by entering the following information:

  • The endpoint's IP address or hostname.

  • The port on which the endpoint listens for SNMP traps (UDP port 162 is the standard trap port).

Step 7

In the Community Configuration area, configure the SNMP credentials (a community string for SNMPv2c, or a USM user for SNMPv3) that the trap receiver requires.

  1. In the SNMP Version drop-down list, choose the SNMP version that you want to use.

  2. Do one of the following, depending on the SNMP version that you chose:

    • If you chose V2C, enter the appropriate community string. SNMPv2c carries the community string in cleartext and provides neither message authentication nor encryption, so prefer V3 with authPriv wherever the receiver supports it.

    • If you chose V3, enter the following information:

      • Username: Enter the username required to establish an SNMP connection. This field is required.

      • Mode: Choose Authentication and Privacy (authPriv), Authentication, No Privacy (authNoPriv), or No Authentication, No Privacy (noAuthNoPriv). This field is required. Only authPriv both authenticates and encrypts the notifications.

      • Authentication Type: Choose SHA or MD5 as the hash for the password you will enter in the Authentication Password field. Prefer SHA over MD5.

      • Authentication Password: Enter and then confirm the authentication password.

      • Privacy Type: Choose AES128 or DES encryption for the privacy password you will enter in the Privacy Password field.

        Note 

        Although DES encryption is an available option, we recommend that you choose the AES128 encryption option because it is more secure.

      • Privacy Password: Enter and then confirm the privacy password.

Step 8

Click Subscribe.
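The SNMPv3 settings entered in Step 7 are the inputs to the RFC 3414 key derivation that both the notifier and the trap receiver perform: each password is hashed (with the SHA or MD5 you chose) into an intermediate key and then localized with the snmpEngineID of the authoritative engine. For traps the authoritative engine is the sender, so the receiver must be configured with the notifier's engine ID as well as the passwords, or it derives different keys and discards the traps. The following added example, written for this guide and not part of Cisco DNA Center or the original page, implements that derivation with Python's standard library and reproduces the RFC 3414 Appendix A.3 test vector. The function names are the example's own, and the second engine ID used in the demonstration is a made-up placeholder.

```python
"""SNMPv3 USM key derivation (RFC 3414, Appendix A.2).

Added example for this guide; not Cisco code.  Standard library only."""
from __future__ import annotations

import hashlib

ONE_MEGABYTE = 1_048_576                      # RFC 3414 hashes exactly 2**20 octets of repeated password
_HASH_NAMES = {"md5": "md5", "sha": "sha1", "sha1": "sha1"}
_PRIV_KEY_OCTETS = {"des": 16, "aes128": 16}  # RFC 3414 (DES) and RFC 3826 (AES-128) both keep 16 octets


def password_to_ku(password: bytes, auth_type: str) -> bytes:
    """Intermediate key Ku = H(password repeated to 1,048,576 octets)."""
    if len(password) < 8:
        raise ValueError("RFC 3414 requires USM passwords of at least 8 octets")
    repeats = ONE_MEGABYTE // len(password) + 1
    expanded = (password * repeats)[:ONE_MEGABYTE]
    return hashlib.new(_HASH_NAMES[auth_type.lower()], expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_type: str) -> bytes:
    """Localized key Kul = H(Ku || snmpEngineID || Ku).

    For traps the authoritative engine is the sender, so engine_id must be the
    notifier's snmpEngineID, not the receiver's own."""
    return hashlib.new(_HASH_NAMES[auth_type.lower()], ku + engine_id + ku).digest()


def usm_keys(auth_password: bytes, priv_password: bytes, engine_id: bytes,
             auth_type: str = "SHA", priv_type: str = "AES128") -> tuple[bytes, bytes]:
    """Return (auth_key, priv_key) as a USM receiver stores them for one user.

    The privacy key is derived with the *authentication* hash and truncated to the
    cipher's key-material length: 16 octets for both DES (8 key + 8 pre-IV) and
    AES-128, which is why a 20-octet SHA-1 result is cut down."""
    auth_key = localize_key(password_to_ku(auth_password, auth_type), engine_id, auth_type)
    priv_full = localize_key(password_to_ku(priv_password, auth_type), engine_id, auth_type)
    return auth_key, priv_full[:_PRIV_KEY_OCTETS[priv_type.lower()]]


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: password "maplesyrup", engineID 00 00 00 00 00 00 00 00 00 00 00 02
    rfc_engine = bytes.fromhex("000000000000000000000002")
    for auth in ("MD5", "SHA"):
        a, p = usm_keys(b"maplesyrup", b"maplesyrup", rfc_engine, auth, "AES128")
        print(f"{auth}: auth key {a.hex()}  AES128 priv key {p.hex()}")
    # Placeholder engineID for the notifier (made up): same passwords, different keys.
    other, _ = usm_keys(b"maplesyrup", b"maplesyrup", bytes.fromhex("800000090300aabbccddeeff"), "SHA")
    print("a different notifier engineID changes the key:", other.hex() != a.hex())
```

On a net-snmp receiver this derivation is what `createUser -e <engineID> <user> SHA <auth password> AES <privacy password>` in snmptrapd.conf performs; omit or mistype the engine ID and the receiver computes keys that do not match the traps Cisco DNA Center signs. The truncation to 16 octets is also why SHA and MD5 users end up with the same-length AES128 key.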


View the System Topology

From the System Health page's topology, you can view a graphical representation of your Cisco DNA Center appliances and the external systems that are connected to your network, such as Cisco Connected Mobile Experiences (Cisco CMX) and Cisco Identity Services Engine (Cisco ISE). Here, you can quickly identify any network components that are experiencing an issue and require further attention. To populate this page with appliance and external system data, you must first establish Cisco IMC connectivity and subscribe to the system notification events, as described in the preceding topics.

To view this page, click the Menu icon in the Cisco DNA Center GUI and choose System > System Health.

Topology data is polled every 30 seconds. If any new data is received, the topology automatically updates to reflect this data.

Troubleshoot Appliance and External System Issues

When viewing the System Health topology, the minor issue and major issue icons indicate network components that require attention. To begin troubleshooting the issue that a component is experiencing, place your cursor over the component's topology icon to open a pop-up window that displays the following information:

  • A timestamp that indicates when the issue was detected.

  • If you are viewing the pop-up window for a Cisco DNA Center appliance, the Cisco IMC firmware version that is installed on the appliance.

  • A brief summary of the issue.

  • The current state or severity of the issue.

  • The domain, subdomain, and IP address or location associated with the issue.

If you open the pop-up window for a connected external system that has three or more associated servers or a Cisco DNA Center appliance that has three or more hardware components that are experiencing an issue, the More Details link is displayed. Click the link to open a slide-in pane that lists the relevant servers or components. You can then view information for a specific item by clicking > to maximize its entry.

System Topology Notifications

The following tables list the various notifications that are displayed in the System Health page's system topology for your Cisco DNA Center appliances and any connected external systems. Notifications are grouped by their corresponding severity:

  • Severity 1 (Error): Indicates a critical error, such as a disabled RAID controller or faulty power supply.

  • Severity 2 (Warning): Indicates an issue such as the inability to establish trust with a Cisco ISE server.

  • Severity 3 (Success): Indicates that a server or hardware component is operating as expected.


    Note

    If all of the hardware components on an appliance are operating without any issues, an individual notification is not provided for each component. The following notification is displayed instead: Cisco DNA Center Ok.


Table 1. Cisco DNA Center Appliance Notifications

CPU

  • Error (Severity 1): Processor CPU1 (SerialNumber - xxxxxx) State is Disabled

  • Warning (Severity 2): Processor CPU1 (SerialNumber - xxxxxx) Health is NotOk and State is Enabled

  • Success (Severity 3): Processor CPU1 (SerialNumber - xxxxxx) Health is Ok and State is Enabled

Disk

  • Error (Severity 1): Driver - PD1 State is Disabled

  • Warning (Severity 2): Driver - PD1 Health is Critical and State is Enabled

  • Success (Severity 3): Driver - PD1 Health is Ok and State is Enabled

MemoryV1

  • Failure: Memory Summary (TOTALSYSTEMMEMORYGIB - 256) Health is NotOk

  • Success (Severity 3): Memory Summary (TOTALSYSTEMMEMORYGIB - 256) Health is Ok

MemoryV2

  • Failure: Storage DIMM1 (SerialNumber - xxxxx) Status is NotOperable

  • Success (Severity 3): Storage DIMM1 (SerialNumber - xxxxx) Status is Operable

NIC

  • Error (Severity 1): NIC Adapter Card MLOM State is Disabled

  • Warning (Severity 2): NIC Adapter Card MLOM State is Enabled and port0 is Down

  • Success (Severity 3): NIC Adapter Card MLOM State is Enabled and port0 is Up

Power supply

  • Error (Severity 1): PowerSupply PSU1 (SerialNumber - xxxx) State is Disabled

  • Success (Severity 3): PowerSupply PSU1 (SerialNumber - xxxx) State is Enabled

RAID

  • Error (Severity 1): Cisco 12G SAS Modular Raid Controller (SerialNumber - xxxxx) State is Disabled

  • Warning (Severity 2): Cisco 12G SAS Modular Raid Controller (SerialNumber - xxxxx) Health is NotOK and State is Enabled

  • Success (Severity 3): Cisco 12G SAS Modular Raid Controller (SerialNumber - xxxxx) Health is OK and State is Enabled

Table 2. Connected External System Notifications

Cisco Connected Mobile Experiences (CMX) server

  • Error (Severity 1): There is a critical issue with the integrated CMX server.

  • Success (Severity 3): CMX server is integrated and servicing.

IP address management (IPAM) server

  • Error (Severity 1): There is a critical issue with the connected third-party IPAM provider.

  • Warning (Severity 2): There is no third-party IPAM provider connected.

  • Success (Severity 3): A third-party IPAM provider is connected.

Cisco ISE—External RESTful Services (ERS)

  • Failure: ISE PAN ERS connection: ISE ERS API call unauthorized

  • Success (Severity 3): ISE PAN ERS connection: ERS reachability with ISE - Success

Cisco ISE—Trust

  • Warning (Severity 2): ISE AAA Trust Establishment: Trust Establishment Error

  • Success (Severity 3): ISE AAA Trust Establishment: Successfully established trust and discovered PSNs from PAN

IT service management (ITSM) server

  • Failure: Servicenow connection health status is NOT up and running

  • Success (Severity 3): Servicenow connection health status is up and running

Suggested Actions

The following table lists the issues that you are most likely to encounter while monitoring the health of your system and suggests actions you can take to remedy them.

Cisco ISE

  External RESTful Services (ERS)—Reachability

    Issue: Timeout elapsed (possibly because the Cisco ISE ERS API load threshold has been exceeded).

    Suggested actions:

    • Check your proxy configuration for a proxy server between Cisco DNA Center and Cisco ISE.

    • Check whether you can reach Cisco ISE from Cisco DNA Center.

    Issue: Unable to establish a connection with Cisco ISE.

    Suggested actions:

    • Check whether a firewall is configured.

    • Check your proxy configuration for a proxy server between Cisco DNA Center and Cisco ISE.

    • Check whether you can reach Cisco ISE from Cisco DNA Center.

  ERS—Availability

    Issue: No response to ERS API call.

  ERS—Authentication

    Issue: Cisco ISE ERS API call is unauthorized.

    Suggested action: Check whether the AAA settings credentials and the Cisco ISE credentials are the same.

  ERS—Configuration

    Issue: Cisco ISE certificate has been changed.

    Suggested action: From the Cisco DNA Center GUI, reestablish trust. See the "Enable PKI in Cisco ISE" topic in the Cisco Identity Services Engine Administrator Guide for more information.

  ERS—Unclassified/Generic Error

    Issue: An undefined diagnostic error occurred.

    Suggested actions:

    1. Delete the AAA settings that are currently configured in Cisco DNA Center.

    2. Reenter the appropriate AAA settings. See the "Integrate Cisco ISE with Cisco DNA Center" topic in the Cisco Digital Network Architecture Center Second Generation Appliance Installation Guide for more information.

    3. Reestablish trust. See the "Enable PKI in Cisco ISE" topic in the Cisco Identity Services Engine Administrator Guide for more information.

  Trust—Reachability

    Issue: Unable to establish an SSH connection.

    Suggested action: Check whether the AAA settings credentials and the Cisco ISE credentials are the same.

    Issue: The Cisco DNA Center endpoint URL configured for Cisco ISE certificate chain uploads is unreachable.

    Suggested actions:

    • Check your proxy configuration for a proxy server between Cisco DNA Center and Cisco ISE.

    • Check whether you can reach Cisco ISE from Cisco DNA Center.

  Trust—Configuration

    Issue: Invalid Cisco ISE certificate chain.

    Suggested actions:

    • If necessary, regenerate the Cisco ISE internal root CA chain. See the "ISE CA Chain Regeneration" topic in the Cisco Identity Services Engine Administrator Guide for more information.

    • Ensure that the internal CA certificate chain has not been removed from Cisco ISE.

    Issue: The Cisco DNA Center endpoint URL configured for Cisco ISE certificate chain uploads is forbidden.

    Suggested actions:

    • Launch the URL and check whether you can access the /aaa/Cisco ISE/certificate directory on the endpoint.

    • Check whether the Use CSRF Check for Enhanced Security option is enabled in Cisco ISE. See the "Enable External RESTful Services APIs" topic in the Cisco Identity Services Engine Administrator Guide for more information.

  Trust—Authentication

    Issue: The Cisco ISE password has expired.

    Suggested actions:

    • Regenerate the Cisco ISE admin password. See the "Administrative Access to Cisco ISE" topic in the Cisco Identity Services Engine Administrator Guide for more information.

    • Ensure that the GUI and SSH credentials configured for the admin user in Cisco ISE are the same.

  Trust—Unclassified/Generic Error

    Issue: An undefined diagnostic error occurred.

    Suggested actions:

    1. Delete the AAA settings that are currently configured in Cisco DNA Center.

    2. Reenter the appropriate AAA settings. See the "Integrate Cisco ISE with Cisco DNA Center" topic in the Cisco Digital Network Architecture Center Second Generation Appliance Installation Guide for more information.

    3. Reestablish trust. See the "Enable PKI in Cisco ISE" topic in the Cisco Identity Services Engine Administrator Guide for more information.

Cisco Connected Mobile Experiences (CMX) server, IP address management (IPAM) server, and IT service management (ITSM) server

  Reachability

    Issue: Unable to establish connectivity with the server.

    Suggested action: Check whether the server in question is currently down.

  Authentication

    Issue: Unable to log in to the server.

    Suggested action: Confirm that the correct login credentials are configured in Cisco DNA Center.

Hardware

  Disk, Fan, Power supply, Memory module, CPU, Networking card, RAID controller

    Issue: The specified hardware component is experiencing an issue.

    Suggested action: Replace the faulty component.

System resources

  Storage

    Issue: The specified mount directory is full.

    Suggested actions:

    • Clear up storage space in the current directory by removing unnecessary data.

    • Specify a new mount directory that has more storage space.

Cisco DNA Center and Cisco ISE Integration

Cisco ISE has three use cases with Cisco DNA Center:

  1. Cisco ISE can be used as a AAA (pronounced "triple A") server for user, device, and client authentication. If you are not using access control policies, or are not using Cisco ISE as a AAA server for device authentication, you do not have to install and configure Cisco ISE.

  2. Access control policies use Cisco ISE to enforce access control. Before you create and use access control policies, integrate Cisco DNA Center and Cisco ISE. The process involves installing and configuring Cisco ISE with specific services, and configuring Cisco ISE settings in Cisco DNA Center. For more information about installing and configuring Cisco ISE with Cisco DNA Center, see the Cisco DNA Center Installation Guide.

  3. If your network uses Cisco ISE for user authentication, configure Assurance for Cisco ISE integration. This integration lets you see more information about wired clients, such as the username and operating system, in Assurance. For more information, see "About Cisco ISE Configuration for Cisco DNA Center" in the Cisco DNA Assurance User Guide.

After Cisco ISE is successfully registered and its trust established with Cisco DNA Center, Cisco DNA Center shares information with Cisco ISE. Devices that are assigned to a site configured with Cisco ISE as its AAA server have their inventory data propagated to Cisco ISE. Additionally, any updates to these devices in Cisco DNA Center (for example, changed device credentials) are also pushed to Cisco ISE.

If a Cisco DNA Center device associated with a site that uses Cisco ISE as its AAA server is not propagated to Cisco ISE as expected, Cisco DNA Center automatically retries after a specific time interval. This retry occurs when the initial push to Cisco ISE fails because of a networking issue, Cisco ISE downtime, or another auto-correctable error; Cisco DNA Center attempts to reach eventual consistency with Cisco ISE by retrying to add the device or update its data. A retry is not attempted if the failure is due to a rejection by Cisco ISE itself, such as an input validation error.

If you change the RADIUS shared secret in Cisco ISE, Cisco ISE does not update Cisco DNA Center with the change. To update the shared secret in Cisco DNA Center so that it matches Cisco ISE, edit the AAA server entry with the new secret. When you save, Cisco DNA Center also downloads the current certificate from Cisco ISE and updates itself.

Cisco ISE does not share existing device information with Cisco DNA Center. The only way for Cisco DNA Center to know about the devices in Cisco ISE is if the devices have the same name in Cisco DNA Center; Cisco DNA Center and Cisco ISE uniquely identify devices for this integration through the device's hostname variable.


Note

The process that propagates Cisco DNA Center inventory devices to Cisco ISE, and every update it pushes, is captured in the Cisco DNA Center audit logs. If there are any issues in the Cisco DNA Center-to-Cisco ISE workflow, view the audit logs in the Cisco DNA Center GUI for information.


Cisco DNA Center integrates with the primary Administration ISE node. When you access Cisco ISE from Cisco DNA Center, you connect with this node.

Cisco DNA Center polls Cisco ISE every 15 minutes. If the Cisco ISE server is down, the System 360 page (in the Cisco DNA Center GUI, click the Menu icon and choose System > Settings > System 360) shows the Cisco ISE server as red (unreachable).

When the Cisco ISE server is unreachable, Cisco DNA Center increases polling to 15 seconds, and then doubles the polling time to 30 seconds, 1 minute, 2 minutes, 4 minutes, and so on, until it reaches the maximum polling time of 15 minutes. Cisco DNA Center continues to poll every 15 minutes for 3 days. If Cisco DNA Center does not regain connectivity, it stops polling and updates the Cisco ISE server status to Untrusted. If this happens, you will need to reestablish trust between Cisco DNA Center and the Cisco ISE server.

Review the following additional requirements and recommendations to verify Cisco DNA Center and Cisco ISE integration:

  • Cisco DNA Center and Cisco ISE integration is not supported over a proxy server. If you have Cisco ISE configured with a proxy server in your network, configure Cisco DNA Center such that it does not use the proxy server; it can do this by bypassing the proxy server's IP address.

  • Cisco DNA Center and Cisco ISE integration is not currently supported through a Cisco DNA Center virtual IP address (VIP). If you are using an enterprise CA-issued certificate for Cisco DNA Center, make sure the Cisco DNA Center certificate includes the IP addresses of all interfaces on Cisco DNA Center in the Subject Alternative Name (SAN) extension. If Cisco DNA Center is a three-node cluster, the IP addresses of all interfaces from all three nodes must be included in the SAN extension of the Cisco DNA Center certificate.

  • Cisco DNA Center needs access to both the Cisco ISE CLI (over SSH) and the Cisco ISE GUI and ERS API (over HTTPS). Because you can define only one set of Cisco ISE credentials in Cisco DNA Center, make sure these credentials are the same for both the Cisco ISE GUI and CLI user accounts.

  • Disable password expiry for the Admin user in Cisco ISE. Alternatively, make sure that you update the password before it expires. For more information, see the Cisco Identity Services Engine Administrator Guide.

  • When the Cisco ISE admin certificate changes (for example, when it is renewed or replaced after expiration), Cisco DNA Center must be updated. To do that, edit the AAA Server (Cisco ISE), reenter the password, and save. This forces Cisco DNA Center to download the certificate chain for the new admin certificate from Cisco ISE and update itself. If you are using Cisco ISE in High Availability mode, and the admin certificate changes on either the primary or secondary administration node, you must update Cisco DNA Center. Cisco DNA Center connects to Cisco ISE over SSH and runs CLI commands to retrieve the certificate information.

  • Cisco DNA Center configures certificates for itself and for Cisco ISE to connect over pxGrid. You can use other certificates with pxGrid for connections to other pxGrid clients, such as Firepower. These other connections will not interfere with the Cisco DNA Center and Cisco ISE pxGrid connection.

  • To change the RADIUS Secret Password: You provided the secret password when you configured Cisco ISE as an AAA Server on the System > Settings > External Services > Authentication and Policy Servers page. To change the secret password, navigate to Design > Network Settings > Network, and click the Change Shared Secret link. This causes Cisco ISE to use the new secret password when connecting to network devices managed by Cisco DNA Center.

Anonymize Data

Cisco DNA Center allows you to anonymize wired and wireless endpoints data. You can scramble personally identifiable data, such as the user ID and device hostname of wired and wireless endpoints.

Make sure that you enable anonymization before you run Discovery. If you anonymize the data after you run Discovery, the new data coming into the system is anonymized, but the existing data is not anonymized.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose System > Settings > Trust & Privacy > Anonymize Data.

The Anonymize Data window is displayed.

Step 2

Check the Enable Anonymization check box.

Step 3

Click Save.

After you enable anonymization, you can search for a device only by using nonanonymized information, such as its MAC address or IP address.

Configure Authentication and Policy Servers

Cisco DNA Center uses AAA servers for user authentication and Cisco ISE for both user authentication and access control. Use this procedure to configure AAA servers, including Cisco ISE.

Before you begin

  • If you are using Cisco ISE to perform both policy and AAA functions, make sure that Cisco DNA Center and Cisco ISE are integrated, as described in the Cisco DNA Center Installation Guide.

  • If you are using another product (not Cisco ISE) to perform AAA functions, make sure to do the following:

    • Register Cisco DNA Center with the AAA server, including defining the shared secret on both the AAA server and Cisco DNA Center.

    • Define an attribute name for Cisco DNA Center on the AAA server.

    • For a Cisco DNA Center multihost cluster configuration, define all individual host IP addresses and the virtual IP address for the multihost cluster on the AAA server.

  • Before you configure Cisco ISE, confirm that:

    1. You deployed Cisco ISE version 2.3 or later in your network. If you have a distributed (multinode) Cisco ISE deployment, integrate with the primary Administration node.

    2. SSH is enabled on the Cisco ISE node.

    3. The pxGrid service is enabled on the Cisco ISE host with which you plan to integrate Cisco DNA Center, and the ERS service is enabled for read/write operations.


      Note

      Cisco ISE versions 2.4 and later support pxGrid 2.0 and pxGrid 1.0. Although pxGrid 2.0 allows up to four pxGrid nodes in the Cisco ISE deployment, Cisco DNA Center does not currently support more than two pxGrid nodes.


    4. The Cisco ISE GUI and Cisco ISE shell username and passwords are the same.

    5. There is no proxy configured between Cisco DNA Center and Cisco ISE. If a proxy server is configured on Cisco ISE, the Cisco DNA Center IP address must bypass that proxy server.

    6. There is no firewall between Cisco DNA Center and Cisco ISE. If there is a firewall, open the communication between Cisco DNA Center and Cisco ISE.

    7. A ping between Cisco DNA Center and Cisco ISE succeeds with both the IP address and hostname.

    8. The Cisco ISE admin node certificate contains the Cisco ISE IP address or FQDN in either the certificate subject name or the SAN.

    9. If a third-party certificate is used, the certificate includes all IP addresses in the SAN field.

    10. The pxGrid approval is set for automatic or manual approval in Cisco ISE to enable the pxGrid connection in Cisco DNA Center.
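The certificate prerequisites above (items 8 and 9) and the FQDN field in the procedure that follows can be checked before you start the integration. The following script is an added example, not Cisco DNA Center or Cisco ISE code: it takes a certificate in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, checks that the FQDN you intend to enter equals the subject CN or a DNS SAN entry, and reports any ISE IP address that is absent from the SAN. The sample certificate, the host name ise.example.com and the addresses 10.10.10.x are constructed values.

```python
"""Pre-check for the Cisco ISE certificate prerequisites (added example, not Cisco code)."""
import ipaddress
import socket
import ssl

# Constructed sample in getpeercert() shape; not a real Cisco ISE certificate.
SAMPLE_ISE_CERT = {
    "subject": ((("commonName", "ise.example.com"),),),
    "subjectAltName": (("DNS", "ise.example.com"), ("IP Address", "10.10.10.5")),
}


def cert_names(cert):
    """Return (dns_names, ip_addresses) collected from the subject CN and the SAN."""
    dns_names, ips = set(), set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                dns_names.add(value.lower().rstrip("."))
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.add(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value))
    return dns_names, ips


def fqdn_matches(cert, fqdn):
    """True if fqdn is the CN or a DNS SAN entry (exact match; wildcards are not honoured)."""
    dns_names, _ = cert_names(cert)
    return fqdn.lower().rstrip(".") in dns_names


def missing_san_ips(cert, expected_ips):
    """IP addresses that the SAN does not list; for a third-party certificate this must be empty."""
    _, san_ips = cert_names(cert)
    return sorted(str(ip) for ip in map(ipaddress.ip_address, expected_ips) if ip not in san_ips)


def precheck(cert, fqdn, expected_ips):
    """Return a list of findings; an empty list means both certificate prerequisites hold."""
    findings = []
    if not fqdn_matches(cert, fqdn):
        findings.append(f"FQDN {fqdn} is neither the subject CN nor a DNS SAN entry")
    missing = missing_san_ips(cert, expected_ips)
    if missing:
        findings.append("IP addresses absent from the SAN: " + ", ".join(missing))
    return findings


def fetch_peer_cert(host, port=443, cafile=None):
    """Retrieve the parsed certificate an ISE node presents (hypothetical helper, needs network).

    cafile is the CA bundle that issued the ISE certificate; the chain is still verified,
    only the host-name check is disabled because precheck() performs the name comparison.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for line in precheck(SAMPLE_ISE_CERT, "ise.example.com", ["10.10.10.5", "10.10.10.6"]):
        print(line)
```

Run it with the FQDN copied from Administration > Deployment in Cisco ISE and the list of ISE node addresses; a non-empty result means the integration will fail the certificate match and the certificate, not the Cisco DNA Center settings, needs attention.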

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > External Services > Authentication and Policy Servers.

Step 2

Click .

Step 3

Configure the primary AAA server by providing the following information:

  • Server IP Address: IP address of the AAA server.

  • Shared Secret: Key for device authentications. The shared secret can be up to 128 characters in length.

Step 4

To configure a AAA server (not Cisco ISE), leave the Cisco ISE Server toggle to Off and proceed to the next step.

To configure a Cisco ISE server, set the Cisco ISE server toggle to On and enter information in the following fields:

  • Username: Name that is used to log into the Cisco ISE CLI.

    Note 

    This user must be a Super Admin.

  • Password: Password for the Cisco ISE CLI username.

  • FQDN: Fully qualified domain name (FQDN) of the Cisco ISE server.

    Note 
    • We recommend that you copy the FQDN that is defined in Cisco ISE (Administration > Deployment > Deployment Nodes > List) and paste it directly into this field.

    • The FQDN that you enter must match the FQDN, Common Name (CN), or Subject Alternative Name (SAN) defined in the Cisco ISE certificate.

    The FQDN consists of two parts, a hostname and the domain name, in the following format:

    hostname.domainname.com

    Example: The FQDN for a Cisco ISE server can be ise.cisco.com.

  • SSH Key:

    The SSH key is a Diffie-Hellman crypto key in base64 encoded format. This key provides security for SSH connections to the Cisco ISE Administration console. You can retrieve the key with the Cisco ISE CLI commands show crypto authorized_keys and show crypto host_keys.

  • Virtual IP Address(es): Virtual IP address of the load balancer behind which the Cisco ISE policy service nodes (PSNs) are located. If you have multiple PSN farms behind different load balancers, you can enter a maximum of six virtual IP addresses.

Note 

After the required information is provided, Cisco ISE is integrated with Cisco DNA Center in two phases. It takes a few minutes for the integration to complete. The status of each phase is shown in the Authentication and Policy Servers page and the System 360 page as follows:

Cisco ISE server registration phase:

  • Authentication and Policy Servers page: "In Progress"

  • System 360 page: "Primary Available"

pxGrid subscriptions registration phase:

  • Authentication and Policy Servers page: "Active"

  • System 360 page: "Primary Available" and "PXGRID Available"

If the status of the configured ISE server is "FAILED" due to password change, click Retry, and update the password to re-sync the ISE connectivity.

Step 5

Click View Advanced Settings and configure the settings:

  • Protocol: TACACS and RADIUS. RADIUS is the default. You can select both protocols.

    Attention 

    If you do not enable TACACS for a Cisco ISE server here, you cannot configure the Cisco ISE server as a TACACS server under Design > Network Settings > Network when configuring a AAA server for network device authentication.

  • Authentication Port: Port used to relay authentication messages to the AAA server. The default is UDP port 1812.

  • Accounting Port: Port used to relay important events to the AAA server. The information in these events is used for security and billing purposes. The default UDP port is 1813.

  • Port: Port used by TACACS. The default port is 49.

  • Retries: Number of times that Cisco DNA Center attempts to connect with the AAA server before abandoning the attempt to connect. The default number of attempts is 3.

  • Timeout: Length of time the device waits for the AAA server to respond before abandoning the attempt to connect. The default timeout is 4 seconds.

Step 6

Click Add.

Step 7

To add a secondary server, repeat Step 2 through Step 6.


Configure Cisco AI Network Analytics Data Collection

Use this procedure to enable Cisco AI Network Analytics to export network event data from wireless controllers as well as the site hierarchy to the Cisco DNA Center.

Before you begin

  • Make sure that you have the Cisco DNA Advantage software license for Cisco DNA Center. The AI Network Analytics application is part of the Cisco DNA Advantage software license.

  • Make sure that you have downloaded and installed the AI Network Analytics application. See Download and Install Packages and Updates.

  • Make sure that your network or HTTP proxy is configured to allow outbound HTTPS (TCP 443) access to the following cloud hosts:

    • api.use1.prd.kairos.ciscolabs.com (US East Region)

    • api.euc1.prd.kairos.ciscolabs.com (EU Central Region)

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings.

Step 2

Scroll down to System Configuration and choose AI Network Analytics.

The AI Network Analytics window appears.
Figure 1. AI Network Analytics Window
Step 3

Do one of the following:

  • If you have an earlier version of Cisco AI Network Analytics installed in your appliance, do the following:
    1. Click Recover from a config file.

      The Restore AI Network Analytics window appears.

    2. Drag-and-drop the configuration files in the area provided or choose the files from your file system.

    3. Click Restore.

      Cisco AI Network Analytics might take a few minutes to restore, and then the Success dialog box appears.

  • If this is the first time you are configuring Cisco AI Network Analytics, do the following:
    1. Click Configure.

    2. In the Where should we securely store your data? area, choose the location to store your data. Options are: Europe (Germany) or US East (North Virginia).

      The system starts testing cloud connectivity as indicated by the Testing cloud connectivity... tab. After cloud connectivity testing completes, the Testing cloud connectivity... tab changes to Cloud connection verified.

    3. Click Next.

      The terms and conditions window appears.

    4. Click the Accept Cisco Universal Cloud Agreement check box to agree to the terms and conditions, and then click Enable.

      Cisco AI Network Analytics might take a few minutes to enable, and then the Success dialog box appears.
      Figure 2. Success Dialog Box
Step 4

In the Success dialog box, click Okay.

The AI Network Analytics window appears, and the Cloud Connection area shows the connection as enabled.
Step 5

(Recommended) In the AI Network Analytics window, click Download Configuration file.


Disable Cisco AI Network Analytics Data Collection

To disable the Cisco AI Network Analytics data collection, you must turn off (disable) the connection to the Cisco AI Network Analytics cloud service. This will disable all of the Cisco AI Network Analytics related features, such as AI-Driven Issues, Network Heatmap, Site Comparison, and Peer Comparison.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings.

Step 2

Scroll down to System Configuration and choose AI Network Analytics.

The AI Network Analytics window appears.
Step 3

In the Cloud Connection area, click the toggle button to turn the connection off.

Figure 3. AI Network Analytics Window with Data Collection Disabled
Step 4

Click Update.

Step 5

To delete your network data from the Cisco AI Network Analytics cloud, contact the Cisco Technical Assistance Center (TAC) and open a support request.

Step 6

(Optional) If you have misplaced your previous configuration, click Download configuration file.


Update the Machine Reasoning Knowledge Base

Machine Reasoning knowledge packs are step-by-step workflows that are used by the Machine Reasoning Engine (MRE) to identify security issues and improve automated root cause analysis. These knowledge packs are continuously updated as more information is received. The Machine Reasoning Knowledge Base is a repository of these knowledge packs (workflows). To have access to the latest knowledge packs, you can either configure Cisco DNA Center to automatically update the Machine Reasoning Knowledge Base on a daily basis, or you can perform a manual update.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings.

Step 2

Scroll down to External Services and choose Machine Reasoning Knowledge Base.

The Machine Reasoning Knowledge Base window shows the following information:

  • INSTALLED: Shows the installed version and installation date of the Machine Reasoning Knowledge Base package.

    When there is a new update to the Machine Reasoning Knowledge Base, the AVAILABLE UPDATE area appears in the Machine Reasoning Knowledge Base window, which provides the Version and Details about the update.

  • AUTO UPDATE: Automatically updates the Machine Reasoning Knowledge Base in Cisco DNA Center on a daily basis.

Step 3

(Recommended) Check the AUTO UPDATE check box to automatically update the Machine Reasoning Knowledge Base.

The Next Attempt area shows the date and time of the next update.

You can perform an automatic update only if Cisco DNA Center is successfully connected to the Machine Reasoning Engine in the cloud.

Step 4

To manually update the Machine Reasoning Knowledge Base in Cisco DNA Center, do one of the following:

  • Under AVAILABLE UPDATES, click Update. A Success pop-up window appears with the status of the update.
  • Manually download the Machine Reasoning Knowledge Base to your local machine and import it to Cisco DNA Center. Do the following:
    1. Click Download.

      The Opening mre_workflow_signed dialog box appears.

    2. Open or save the downloaded file to the desired location in your local machine, and then click OK.

    3. Click Import to import the downloaded Machine Reasoning Knowledge Base from your local machine to Cisco DNA Center.


Cisco Accounts

Configure Cisco Credentials

You can configure Cisco credentials for Cisco DNA Center. Cisco credentials are the username and password that you use to log in to the Cisco website to access software and services.


Note

The Cisco credentials configured for Cisco DNA Center using this procedure are used for software image and update downloads. The Cisco credentials are also encrypted by this process for security purposes.


Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Cisco Accounts > Cisco.com Credentials.

Step 2

Enter your Cisco username and password.

Step 3

Click Save.

Your cisco.com credentials are now configured for access to Cisco software and services.


Clear Cisco Credentials

To delete the cisco.com credentials that are currently configured for Cisco DNA Center, complete the following procedure.


Note

  • When you perform any tasks that involve software downloads or device provisioning and cisco.com credentials are not configured, you will be prompted to enter them before you can proceed. In the resulting dialog box, check the Save For Later check box in order to save these credentials for use throughout Cisco DNA Center. Otherwise, you will need to enter credentials each time you perform these tasks.

  • Completing this procedure will undo your acceptance of the end-user license agreement (EULA). See Accept the License Agreement for a description of how to reenter EULA acceptance.


Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Cisco Accounts > Cisco.com Credentials.

Step 2

Click Clear.

Step 3

In the resulting dialog box, click Continue to confirm the operation.


Configure Connection Mode

The Connection mode manages the connections between smart-enabled devices in your network that interact with Cisco DNA Center and the CSSM. Ensure that you have SUPER-ADMIN access permission to configure the different connection modes.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Cisco Accounts > Connection Mode.

Step 2

You can choose either of the following connection modes:

  • Direct

  • On-Prem CSSM

  • Smart Proxy

Step 3

Choose Direct to enable direct connection to the Cisco SSM cloud.

Step 4

If your organization is security sensitive, choose On-Prem CSSM. The on-prem option lets you access a subset of Cisco SSM functionality without using a direct internet connection to manage your licenses with the Cisco SSM cloud.

  1. Enter the details of On-Prem CSSM Host, Smart Account Name, Client Id, and Client Secret.

  2. Click Test Connection to validate the CSSM connection.

  3. Click Save and then Confirm. Any smart-enabled devices in your network that are already registered with CSSM are deregistered from CSSM.

Note 
To enable On-Prem CSSM, make sure that the satellite is deployed, up, and running in your network site.
Step 5

Choose Smart Proxy to register your smart-enabled devices with the Cisco SSM cloud through Cisco DNA Center. In this mode, the devices do not need a direct connection to the Cisco SSM cloud; Cisco DNA Center proxies the requests from the devices to the Cisco SSM cloud.


Register Plug and Play

You can register Cisco DNA Center as a controller for Cisco Plug and Play (PnP) Connect, in a Cisco Smart Account for redirection services. This lets you synchronize the device inventory from the Cisco PnP Connect cloud portal to PnP in Cisco DNA Center.

Before you begin

Only a user with SUPER-ADMIN-ROLE or CUSTOM-ROLE with system management permissions can perform this procedure.

In the Smart Account, users are assigned roles that specify the functions they are authorized to perform:

  • A Smart Account Admin user can access all the Virtual Accounts.

  • Users can access assigned Virtual Accounts only.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Cisco Accounts > PnP Connect.

A table of PnP connected profiles is displayed.
Step 2

Click Register to register a virtual account.

Step 3

In the Register Virtual Account window, the Smart Account you configured is displayed in the Select Smart Account drop-down list. You can select an account from the Select Virtual Account drop-down list.

Step 4

Click the required Controller radio button.

Step 5

Enter the IP address or FQDN (Fully Qualified Domain Name).

Step 6

Enter the profile name. A profile is created for the selected virtual account with the configuration you provided.

Step 7

Click Save.


Configure Smart Account

Cisco Smart Account credentials are used for connecting to your Smart Licensing account. The License Manager tool uses the details of license information from this Smart Account for entitlement and license management.

Before you begin

Ensure that you have SUPER-ADMIN-ROLE permissions.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Cisco Accounts > Smart Account.

Step 2

Click the Add button. You are prompted to provide Smart Account credentials.

  1. Enter your Smart Account username and password.

  2. Click Save. Your Smart Account is configured.

Step 3

If you want to change the selected Smart Account Name, click Change. You are prompted to select the Smart Account that will be used for connecting to your Smart Licensing Account on the Cisco SSM cloud.

  1. Choose the Smart Account from the drop-down list.

  2. Click Save.

Step 4

Click View all virtual accounts to view all the virtual accounts associated with the Smart Account.

Note 

Cisco Accounts supports multiple smart and virtual accounts.

Step 5

(Optional) If you want to register smart license-enabled devices automatically to a virtual account, check the Auto register smart license enabled devices check box. A list of virtual accounts associated with the smart account is displayed.

Step 6

Select the required virtual account. Whenever a smart license-enabled device is added in the inventory, it will be automatically registered to the selected virtual account.


Smart Licensing

Smart Licensing is a cloud-based, software license management solution that allows you to manage and track the status of your license and software usage. To enable smart licensing, you need to upload Cisco DNA Center license conventions in CSSM.

Before you begin

You should have configured Cisco Credentials to enable Smart Licensing. See Configure Cisco Credentials.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Cisco Accounts > Smart License Enablement.

By default, Smart User and Smart Domain details are displayed.

Step 2

Select a virtual account from the Search Virtual Account drop-down list to register.

Step 3

Click Register.

Step 4

After successful registration, click the View Available Licenses link to view the available Cisco DNA Center licenses.


Device Controllability

Device Controllability is a system-level process on Cisco DNA Center that enforces state synchronization for some device-layer features. Its purpose is to aid in the deployment of network settings that Cisco DNA Center needs to manage devices. Changes are made on network devices when running Discovery, when adding a device to Inventory, or when assigning a device to a site.

To view the configurations that are pushed to the device, go to Provision > Inventory and choose Provision from the Focus drop-down list. Click See Details in the Provision Status column.


Note

When Cisco DNA Center configures or updates devices, the transactions are captured in the Cisco DNA Center audit logs. You can use the audit logs to track changes and troubleshoot issues. For more information about the Cisco DNA Center audit logs, see View Audit Logs.


The following device settings will be enabled as part of device controllability:

  • Device Discovery

    • SNMP Credentials

    • NETCONF Credentials

  • Adding Devices to Inventory

    • Cisco TrustSec (CTS) Credentials


      Note

      Cisco TrustSec (CTS) Credentials are pushed during inventory only if the Global site is configured with Cisco ISE as AAA. Otherwise, they are pushed to devices during "Assign to Site" when the site is configured with Cisco ISE as AAA.


    • IPDT Enablement

  • Assigning Devices to a Site

    • Controller Certificates

    • SNMP Trap Server Definitions

    • Syslog Server Definitions

    • NetFlow Server Definitions

    • Wireless Service Assurance (WSA)

Device Controllability is enabled by default. If you do not want Device Controllability enabled, disable it manually. For more information, see Configure Device Controllability.

When Device Controllability is disabled, Cisco DNA Center does not configure any of the credentials or features listed above on devices while running Discovery or when the devices are assigned to a site. However, the telemetry settings and related configuration are pushed when the device is provisioned or when Update Telemetry Settings action is performed from Provision > Inventory > Actions. At the time of the network settings creation on the site, if Device Controllability is enabled, the associated devices are configured accordingly.

The following circumstances dictate whether or not Device Controllability configures network settings on devices:

  • Device Discovery: If SNMP and NETCONF credentials are not already present on a device, these settings are configured during the Discovery process.

  • Device in Inventory: After a successful initial inventory collection, IPDT is configured on the devices.

  • Device in Global Site: When you successfully add, import, or discover a device, Cisco DNA Center places the device in the Managed state and assigns it to the Global site by default. Even if you have defined SNMP server, Syslog server, and NetFlow collector settings for the Global site, Cisco DNA Center does not change these settings on the device.

  • Device Moved to Site: If you move a device from the Global site to a new site that has SNMP server, Syslog server, and NetFlow collector settings configured, Cisco DNA Center changes these settings on the device to the settings configured for the new site.

  • Device Removed from Site: If you remove a device from a site, Cisco DNA Center does not remove the SNMP server, Syslog server, and NetFlow collector settings from the device.

  • Device Deleted from Cisco DNA Center: If you delete a device from the Cisco DNA Center, then the SNMP server, Syslog server and NetFlow collector settings are removed from the device, only if you check the Configuration Clean-up check box.

  • Device Moved from Site to Site: If you move a device—for example, from Site A to Site B—Cisco DNA Center replaces the SNMP server, Syslog server, and NetFlow collector settings on the device with the settings assigned to Site B.

  • Update Site Telemetry Changes: The changes made to any settings that are under the scope of Device Controllability are applied to the network devices during device provisioning or when the Update Telemetry Settings action is performed, even if Device Controllability is not enabled.

Configure Device Controllability

Device controllability aids deployment of the required network settings that Cisco DNA Center needs to manage devices.

Device Controllability is enabled by default. To manually disable device controllability, do the following:


Note

If you disable Device Controllability, none of the credentials or features described in the Device Controllability page will be configured on the devices during discovery or at runtime.

Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Device Settings > Device Controllability.

Step 2

Uncheck the Enable Device Controllability check box.

Step 3

Click Save.


Accept the License Agreement

You must accept the end-user license agreement (EULA) before downloading software or provisioning a device.


Note

If you have not yet configured cisco.com credentials, you are prompted to configure them in the Device EULA Acceptance window before proceeding.


Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Device Settings > Device EULA Acceptance.

Step 2

Click the Cisco End User License Agreement link and read the EULA.

Step 3

Check the I have read and accept the Device EULA check box.

Step 4

Click Save.


Cloud Access Keys

You can register cloud access keys after installing the Cloud Device Provisioning Application package in Cisco DNA Center. The system supports multiple cloud access keys. Each key is used as a separate cloud profile that contains all the AWS infrastructure constructs or resources that are discovered by using that cloud access key. After a cloud access key is added, AWS VPC inventory collection is triggered automatically for it. The AWS infrastructure constructs and resources that are discovered by VPC inventory collection for that cloud access key can then be viewed and used for cloud provisioning of CSRs and WLCs.

Before you begin

  • Obtain the access key ID and secret key from the Amazon Web Services (AWS) console.

  • Subscribe to CSR or WLC products in the AWS marketplace and verify the image ID for the target region.

  • Identify the key pair that CSRs will use during HA failover on AWS. The key pair's name is selected from a list in Cisco DNA Center when provisioning CSRs in that region.

  • Identify the IAM role that CSRs will use during HA failover on AWS. The IAM role is selected from a list in Cisco DNA Center when provisioning CSRs.

  • Configure the proxy for Cisco DNA Center to communicate with AWS via HTTPS REST APIs. See Configure the Proxy.

  • The Cloud Connect extension to the eNFV app is enabled by deploying a separate Cloud Device Provisioning Application package. The package is not included by default in the standard Cisco DNA Center installation. You must download and install the package from a catalog server. For more information, see Download and Install Packages and Updates.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Cloud Access Keys.

Step 2

Click .

Step 3

Enter the Access Key Name and choose the Cloud Platform from the drop-down list. Enter the Access Key ID and Secret Key obtained from the AWS console.

Step 4

Click Save and Discover.


What to do next

  • After a cloud access key is added, AWS VPC inventory collection is triggered automatically for it. It takes several minutes to synchronize with the cloud platform. Inventory collection is scheduled to occur at the default interval.

  • After successful cloud inventory collection, the Cloud tab in the Provision section provides a view of the collected AWS VPC inventory.

Integrity Verification

Integrity Verification (IV) monitors key device data for unexpected changes or invalid values that indicate a possible compromise of the device. The objective is to minimize the impact of a compromise by substantially reducing the time to detect unauthorized changes to a Cisco device.


Note

For this release, IV runs integrity verification checks on software images that are uploaded into Cisco DNA Center. To run these checks, the IV service needs the Known Good Value (KGV) file to be uploaded.


Upload the KGV File

To provide security integrity, Cisco devices must be verified as running authentic and valid software. Currently, Cisco devices have no point of reference to determine whether they are running authentic Cisco software. IV uses a system to compare the collected image integrity data with the KGV for Cisco software.

Cisco produces and publishes a KGV data file that contains KGVs for many of its products. This KGV file is in standard JSON format, is signed by Cisco, and is bundled with other files into a single KGV file that can be retrieved from the Cisco website. The KGV file is posted at:

https://tools.cisco.com/cscrdr/security/center/files/trust/Cisco_KnownGoodValues.tar

The KGV file is imported into IV and used to verify integrity measurements obtained from the network devices.


Note

Device integrity measurements are made available to and used entirely within the IV. Connectivity between IV and cisco.com is not required. The KGV file can be air-gap transferred into a protected environment and loaded into the IV.
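The comparison that IV performs, and the file-hash check you would do on both sides of an air gap before importing the KGV file, can be illustrated in a few lines. The following is an added example, not Cisco's IV implementation: the KGV record layout (image file name mapped to a SHA-512 digest) is a constructed simplification, because the real Cisco KGV JSON schema is not shown on this page, and the image bytes and tar member name kgv/values.json are constructed sample data. The outcome strings mirror the Image Repository states mentioned below: a verified image, a mismatch, and an image for which no known good value exists ("Unable to verify").

```python
"""Image integrity check against known good values (added example, not Cisco IV code)."""
import hashlib
import hmac
import io
import json
import tarfile

# Constructed sample image content; stands in for a real software image file.
SAMPLE_IMAGE = b"constructed-sample-image-bytes"

# Constructed KGV records with a hypothetical schema: file name -> expected SHA-512 hex digest.
SAMPLE_KGV_RECORDS = {
    "sample-image.bin": hashlib.sha512(SAMPLE_IMAGE).hexdigest(),
    "tampered-image.bin": "0" * 128,  # deliberately wrong value to show a mismatch
}


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(name: str, data: bytes, records: dict) -> str:
    """Return 'verified', 'mismatch', or 'unable to verify' (no KGV record for this image)."""
    expected = records.get(name)
    if expected is None:
        return "unable to verify"
    # Constant-time comparison of the hex digests.
    return "verified" if hmac.compare_digest(sha512_hex(data), expected.lower()) else "mismatch"


def build_sample_kgv_bundle(records: dict) -> bytes:
    """Create an in-memory tar with one JSON member, mimicking a bundled KGV file (constructed)."""
    buf = io.BytesIO()
    payload = json.dumps(records).encode()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("kgv/values.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def load_kgv_bundle(bundle: bytes) -> dict:
    """Merge every JSON member of the tar into a single record dictionary."""
    records = {}
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(".json"):
                records.update(json.load(tar.extractfile(member)))
    return records


def file_hash_matches(bundle: bytes, expected_sha256: str) -> bool:
    """Air-gap check: the hash computed in the protected environment must equal the one
    recorded where the file was downloaded (and the File Hash shown after import)."""
    return hmac.compare_digest(sha256_hex(bundle), expected_sha256.lower())


if __name__ == "__main__":
    bundle = build_sample_kgv_bundle(SAMPLE_KGV_RECORDS)
    kgv = load_kgv_bundle(bundle)
    for image in ("sample-image.bin", "tampered-image.bin", "unknown.bin"):
        print(image, "->", verify_image(image, SAMPLE_IMAGE, kgv))
    print("bundle sha256:", sha256_hex(bundle))
```

The digests are compared with hmac.compare_digest rather than == so that the comparison time does not depend on where the digests first differ; for an integrity check against a published table this is cheap insurance.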


Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > External Services > Integrity Verification.

Step 2

Review the current KGV file information:

  • File Name: Name of the KGV tar file.

  • Imported By: Cisco DNA Center user who imported the KGV file. If it is automatically downloaded, the value is System.

  • Imported Time: Time at which the KGV file is imported.

  • Imported Mode: Local or remote import mode.

  • Records: Records processed.

  • File Hash: File hash for the KGV file.

  • Published: Publication date of the KGV file.

Step 3

To import the KGV file, perform one of the following steps:

  • Click Import New from Local to import a KGV file locally.
  • Click Import Latest from Cisco to import a KGV file from cisco.com.
Note 

The Import Latest from Cisco option does not require a firewall setup. However, if a firewall is already set up, only the connections to https://tools.cisco.com must be open.

Step 4

If you clicked Import Latest from Cisco, a connection is made to cisco.com and the latest KGV file is automatically imported to Cisco DNA Center.

Note 

A secure connection to https://tools.cisco.com is made using the certificates added to Cisco DNA Center and its proxy (if one was configured during the first-time setup).

Step 5

If you clicked Import New from Local, the Import KGV window appears.

Step 6

Perform one of the following procedures to import locally:

  • Drag and drop a local KGV file into the Import KGV field.
  • Click Click here to select a KGV file from your computer to select a KGV file from a folder on your computer.
  • Click the Latest KGV file link and download the latest KGV file before dragging and dropping it into the Import KGV field.
Step 7

Click Import.

The KGV file is imported into Cisco DNA Center.

Step 8

After the import is finished, verify the current KGV file information in the UI to ensure that it has been updated.

IV automatically downloads the latest KGV file from cisco.com to your system 7 days after Cisco DNA Center is deployed. The auto downloads continue every 7 days. You can also download the KGV file manually to your local system and then import it to Cisco DNA Center. For example, if a new KGV file is available on a Friday and the auto download is every 7 days (on a Monday), you can download it manually.

The following KGV auto download information is displayed:

  • Frequency: The frequency of the auto download.

  • Last Attempt: The last time the KGV scheduler was triggered.

  • Status: The status of the KGV scheduler's last attempt.

  • Message: A status message.


What to do next

After importing the latest KGV file, choose Design > Image Repository to view the integrity of the imported images.


Note

The effect of importing a KGV file can be seen in the Image Repository window, if the images that are already imported have an Unable to verify status (physical or virtual). Additionally, future image imports, if any, will also refer to the newly uploaded KGV for verification.


Configure an IP Address Manager

You can configure Cisco DNA Center to communicate with an external IP address manager. When you use Cisco DNA Center to create, reserve, or delete any IP address pool, Cisco DNA Center conveys this information to your external IP address manager.

Before you begin

  • You should have an external IP address manager already set up and functional.

  • Import the IPAM certificate manually to the trustpool.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > External Services > IP Address Manager.

Step 2

In the IP Address Manager section, enter the required information in the following fields:

  • Server Name: Name of server.

  • Server URL: IP address of server.

  • Username: Required username for server access.

  • Password: Required password for server access.

  • Provider: Choose a provider from the drop-down list.

    Note 

    If you choose BlueCat as your provider, ensure that your user has been granted API access in the BlueCat Address Manager. See your BlueCat documentation for information about configuring API access for your user or users.

  • View: Choose a view from the drop-down list. If you only have one view configured, only default appears in the drop-down list.

Step 3

Click Apply to apply and save your settings.


What to do next

Click the System 360 tab and verify the information to ensure that your external IP address manager configuration succeeded.

Configure Debugging Logs

To assist in troubleshooting service issues, you can change the logging level for the Cisco DNA Center services.

A logging level determines how much data is captured in the log files. Logging levels are cumulative: each level captures everything generated at that level and at all less verbose levels. For example, setting the logging level to Info also captures Warn and Error messages. Raise the logging level when you need more data for troubleshooting, for example to review in a root cause analysis (RCA) support file.

The default logging level for services is informational (Info). You can change the logging level from informational to a different logging level (Debug or Trace) to capture more information.


Caution

Due to the type of information that might be disclosed, logs collected at the Debug level or higher should have restricted access.



Note

Log files are created and stored in a centralized location on your Cisco DNA Center host. From this location, Cisco DNA Center can query and display logs in the GUI. The total compressed size of the log files is 2 GB. If the log files exceed 2 GB, the newer log files overwrite the older ones.


Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > System Configuration > Debugging Logs.

The Debugging Logs window displays the following fields:

  • Services

  • Logger Name

  • Logging Level

  • Timeout

Step 2

From the Services drop-down list, choose a service to adjust its logging level.

The Services drop-down list displays the services that are currently configured and running on Cisco DNA Center.

Step 3

Enter the Logger Name.

This is an advanced feature that has been added to control which software components emit messages into the logging framework. Use this feature with care. Misuse of this feature can result in loss of information needed for technical support purposes. Log messages will be written only for the loggers (packages) specified here. By default, the Logger Name includes packages that start with com.cisco. You can enter additional package names as comma-separated values. Do not remove the default values unless you are explicitly directed to do so. Use * to log all packages.

Step 4

From the Logging Level drop-down list, choose the new logging level for the service.

Cisco DNA Center supports the following logging levels in descending order of detail:

  • Trace: Trace messages

  • Debug: Debugging messages

  • Info: Normal, but significant condition messages

  • Warn: Warning condition messages

  • Error: Error condition messages

Step 5

From the Timeout field, choose the time period for the logging level.

You can set the time period in increments of 15 minutes, or make it unlimited; the chosen logging level applies only for that period. If you specify an unlimited period, nothing reverts automatically, so reset the level to the default (Info) as soon as the troubleshooting activity is complete. Leaving Debug or Trace enabled keeps writing sensitive detail to the logs and fills the 2 GB log store faster.

Step 6

Review your selection and click Apply.

(To cancel your selection, click Cancel.)


Configure the Network Resync Interval

You can update the polling interval at the global level for all devices by choosing System > Settings > Device Settings > Network Resync Interval, or at the device level for a specific device from Device Inventory. When you set the polling interval using Network Resync Interval, that value takes precedence over the Device Inventory polling interval value.

Before you begin

  • Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles.

  • Make sure that you have devices in your inventory. If not, discover devices using the Discovery feature.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Device Settings > Network Resync Interval.

Step 2

In the Resync Interval field, enter a new time value (in minutes).

Step 3

(Optional) Check the Override for all devices check box to override the existing configured polling interval for all devices.

Step 4

Click Save.


View Audit Logs

Audit logs capture information about the various applications running on Cisco DNA Center. Audit logs also capture information about device public key infrastructure (PKI) notifications. The information in these audit logs can be used to assist in troubleshooting issues, if any, involving the applications or the device PKI certificates.

Audit logs also record system events that occurred, when and where they occurred, and which users initiated them. With audit logging, configuration changes to the system get logged in separate log files for auditing.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose Activity > Audit Logs.

The Audit Logs window appears, where you can view logs about the current policies in your network. These policies are applied to network devices by the applications installed on Cisco DNA Center.

Step 2

Click the timeline slider to specify the time range of data you want displayed on the window:

  • In the Time Range area, choose a time range: Last 2 Weeks, Last 7 Days, Last 24 Hours, or Last 3 Hours.

  • To specify a custom range, click By Date and specify the start and end date and time.

  • Click Apply.

Step 3

Click the arrow next to an audit log to view the corresponding child audit logs.

Each audit log can be a parent to several child audit logs. By clicking the arrow, you can view a series of additional child audit logs.

Note 

An audit log captures data about a task performed by Cisco DNA Center. Child audit logs are subtasks to a task performed by Cisco DNA Center.

Step 4

(Optional) From the list of audit logs in the left pane, click a specific audit log message. In the right pane, click Event ID > Copy Event ID to Clipboard. With the copied ID, you can use the API to retrieve the audit log message based on event ID.

The audit log displays the Description, User, Interface, and Destination of each policy in the right pane.

Note 

The audit log displays northbound operation details such as POST, DELETE, and PUT with payload information, and southbound operation details such as the configuration pushed to a device. For detailed information about the APIs on Cisco DevNet, see Cisco DNA Center Platform Intent APIs.

Step 5

(Optional) Click Filter to filter the log by user ID or event ID.

Step 6

In the right pane, use the Search field to search for specific text in the log message.

Step 7

In the Cisco DNA Center GUI, click the Menu icon () and choose Activity > Scheduled Tasks to view upcoming, in progress, completed, and failed administrative tasks, such as OS updates or device replacements.


Activate High Availability

Complete the following procedure in order to activate high availability (HA) on your Cisco DNA Center cluster:

Procedure


Step 1

Click the Menu icon () in the Cisco DNA Center GUI and choose System > Settings > System Configuration > High Availability.

Step 2

Click Activate High Availability.

For more information about HA, see the Cisco DNA Center High Availability Guide.


Configure Integration Settings

Configure Integration Settings when firewalls, NAT, or other rules sit between Cisco DNA Center and third-party apps that need to reach the Cisco DNA Center platform, that is, when the IP address of Cisco DNA Center is mapped internally to another IP address that faces the internet or an external network.

Before you begin

You have installed the Cisco DNA Center platform as described in the previous section.

Procedure


Step 1

Enter the Callback URL Host Name or IP Address that the third-party app needs to connect to when communicating with the Cisco DNA Center platform.

Note 

The Callback URL Host Name or IP Address is the external facing host name or IP address that is mapped internally to Cisco DNA Center. Configure the VIP address for a three node cluster setup.

Step 2

Click the Apply button.


Set Up a Login Message

You can set a message that appears to all the users when they log in to Cisco DNA Center.

Before you begin

Only a user with SUPER-ADMIN-ROLE or CUSTOM-ROLE with system management permissions can perform this procedure.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > System Configuration > Login Message.

Step 2

Enter a text message in the Login Message text box.

Step 3

Click Save.

The message appears when you log in to Cisco DNA Center.

Step 4

If you want to remove the login message, click Clear in the Login Message screen.

Step 5

Click Save to update the settings.


Configure the Proxy

If Cisco DNA Center has a proxy server configured as an intermediary between itself and the network devices it manages or the Cisco cloud from which it downloads software updates, you must configure access to the proxy server. You configure access using the Proxy Config window in the Cisco DNA Center GUI.

Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > System Configuration > Proxy Config.

Step 2

Enter the proxy server's URL address.

Step 3

Enter the proxy server's port number.

For HTTP, the port number is usually 80.

Step 4

(Optional) If the proxy server requires authentication, enter the username and password for access to the proxy server.

Step 5

Check the Validate Settings check box to have Cisco DNA Center validate your proxy configuration settings when applying them.

Step 6

Review your selections and click Save.

To cancel your selection, click Reset. To delete an existing proxy configuration, click Delete.

Note the following:

  • After configuring the proxy, you are able to view the configuration in the Proxy Config window.

  • If SSL decryption is enabled on the proxy server that is configured between Cisco DNA Center and the Cisco cloud from which it downloads software updates, or a proxy is configured between Cisco DNA Center and the devices that it manages, proceed to Step 7.

  • If SSL decryption is not enabled on the proxy server that is configured between Cisco DNA Center and the Cisco cloud from which it downloads software updates, you can stop here.

Step 7

Import the proxy certificate into Cisco DNA Center.

See Configure Proxy Certificate.


Security for Cisco DNA Center

Cisco DNA Center provides many security features for itself, as well as for the hosts and network devices that it monitors and manages. You must understand these features and configure them correctly. We strongly recommend that you follow these security recommendations:

  • Deploy Cisco DNA Center behind a firewall that does not expose the management ports to an untrusted network, such as the internet.

  • Replace the self-signed server certificate from Cisco DNA Center with one signed by a well-known certificate authority (CA).

  • Upgrade Cisco DNA Center with critical upgrades, including security patches, as soon as possible after a patch announcement.

  • Open only the ports that Cisco DNA Center uses, and only to known IP address ranges; apply the same restriction to the DNS access control list (ACL).


Note

We recommend that you configure a proxy gateway between Cisco DNA Center and the network devices it monitors and manages.

Change the TLS Version and Enable RC4-SHA (Not Secure)

Northbound REST API requests from the external network to Cisco DNA Center (from northbound REST API-based apps, browsers, and network devices connecting to Cisco DNA Center using HTTPS) are secured with the Transport Layer Security (TLS) protocol. You can lower the minimum TLS version and enable the RC4-SHA cipher suite if network devices under Cisco DNA Center control cannot support the current TLS version or ciphers. We do not recommend either change: TLS 1.0 and 1.1 are deprecated (RFC 8996), and RC4 is a broken stream cipher whose use in TLS is prohibited (RFC 7465). If you must enable them for specific legacy devices, treat it as a temporary exception and restore a minimum of TLS 1.2 with RC4-SHA disabled once those devices are upgraded.

If you need to change the TLS version or enable RC4-SHA for Cisco DNA Center, you do so by logging in to the appliance and using the CLI.


Note

CLI commands can change from one release to the next. The following CLI example uses command syntax that might not apply to all Cisco DNA Center releases.

Before you begin

You must have maglev SSH access privileges to perform this procedure.


Important

This security feature applies to port 443 on Cisco DNA Center. Performing this procedure may disable traffic on the port to the Cisco DNA Center infrastructure for a few seconds. For this reason, you should configure TLS infrequently and only during off-peak hours or during a maintenance period.

Procedure


Step 1

Using an SSH client, log in to the Cisco DNA Center appliance with the IP address that you specified using the configuration wizard.

The IP address to enter for the SSH client is the IP address that you configured for the network adapter. This IP address connects the appliance to the external network.

Step 2

When prompted, enter your username and password for SSH access.

Step 3

Enter the following command to check the TLS version currently enabled on the cluster.

Example
Input
$ magctl service tls_version --tls-min-version show
Output
TLS minimum version is 1.1
Step 4

If you want to change the TLS version on the cluster, enter the following commands. For example, you might want to change the current TLS version to a lower version if your network devices under Cisco DNA Center control cannot support the existing TLS version.

Example: Change from TLS version 1.1 to 1.0
Input
$ magctl service tls_version --tls-min-version 1.0
Output
Enabling TLSv1.0 is recommended only for legacy devices
Do you want to continue? [y/N]: y
WARNING: Enabling TLSv1.0 for api-gateway
deployment.extensions/kong patched
Example: Change from TLS version 1.1 to 1.2 (only allowed if you haven't enabled RC4-SHA)
Input
$ magctl service tls_version --tls-min-version 1.2
Output
Enabling TLSv1.2 will disable TLSv1.1 and below
Do you want to continue? [y/N]: y
WARNING: Enabling TLSv1.2 for api-gateway
deployment.extensions/kong patched
Note 
Setting TLS version 1.2 as the minimum version is not supported when RC4-SHA ciphers are enabled.
Step 5

Enter the following command to enable RC4-SHA on the cluster (not secure; proceed only if needed).

Enabling RC4-SHA ciphers is not supported when TLS version 1.2 is the minimum version.

Example: TLS version 1.2 is not enabled
Input
$ magctl service ciphers --ciphers-rc4=enable kong
Output
Enabling RC4-SHA cipher will have security risk
Do you want to continue? [y/N]: y
WARNING: Enabling RC4-SHA Cipher for kong
deployment.extensions/kong patched
Step 6

Enter the following command at the prompt to confirm that TLS and RC4-SHA are configured.

Example
Input
$ magctl service display kong 
Output
      containers:
      - env:
        - name: TLS_V1
          value: "1.1"
        - name: RC4_CIPHERS
          value: "true"

If RC4 and TLS minimum versions are set, they are listed in the env: of the magctl service display kong command. If these values are not set, they do not appear in the env:.

Step 7

If you want to disable the RC4-SHA ciphers that you enabled previously, enter the following command on the cluster.

Input
$ magctl service ciphers --ciphers-rc4=disable kong
Output
WARNING: Disabling RC4-SHA Cipher for kong
deployment.extensions/kong patched
Step 8

Log out of the Cisco DNA Center appliance.
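The env: values in Step 6 show only what the kong deployment was told; a check from outside shows what the gateway actually negotiates on port 443. The following script is an added example (not Cisco code and not part of this guide). It uses only the Python standard library, and the host name dnac.example.com is a placeholder. Run it against the cluster VIP before and after the magctl changes above.

```python
"""Probe which TLS versions, and whether the RC4-SHA suite, a TLS endpoint
accepts. Added example for verifying the magctl changes above from a client's
point of view; it is not a Cisco tool. The host name is an assumption."""
import socket
import ssl
import warnings

# Protocol versions in ascending order (ssl.TLSVersion.TLSv1 is TLS 1.0).
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
# RC4-SHA is a TLS 1.0-1.2 suite; TLS 1.3 has its own suite list, so cap at 1.2.
RC4_RANGE = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_2)


def _client_context(minimum, maximum, ciphers):
    """Probing context: certificate checks are off because the question is
    'what does the server accept', not 'is its certificate valid'.
    @SECLEVEL=0 is needed for a current OpenSSL to offer TLS 1.0/1.1 at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLSv1/TLSv1_1 are deprecated constants
        ctx.minimum_version = minimum
        ctx.maximum_version = maximum
    ctx.set_ciphers(ciphers)  # ssl.SSLError if this OpenSSL has no such cipher (RC4 is often absent)
    return ctx


def handshake(host, port, minimum, maximum, ciphers="DEFAULT:@SECLEVEL=0", timeout=5.0):
    """Return (accepted, detail). accepted is True or False when the server answered,
    and None when nothing was learned (unreachable, or the local OpenSSL could not
    offer the combination)."""
    try:
        ctx = _client_context(minimum, maximum, ciphers)
    except (ssl.SSLError, ValueError) as exc:
        return None, f"local OpenSSL cannot offer this: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as exc:  # the handshake ran and the server refused it
        return False, str(exc)
    except OSError as exc:  # DNS failure, refused, timeout: no TLS answer at all
        return None, f"no TLS answer: {exc}"


def probe(host, port=443):
    """Map each version name and 'RC4-SHA' to True/False/None for the endpoint."""
    results = {name: handshake(host, port, v, v)[0] for name, v in VERSIONS}
    results["RC4-SHA"] = handshake(host, port, *RC4_RANGE, ciphers="RC4-SHA:@SECLEVEL=0")[0]
    return results


def minimum_accepted(results):
    """Lowest protocol version the server accepted, or None if none was confirmed."""
    for name, _ in VERSIONS:
        if results.get(name):
            return name
    return None


def assess(results):
    """Findings in the order to act on them, each naming the magctl command from
    the procedure above that fixes it."""
    findings = []
    if results.get("RC4-SHA"):
        findings.append("RC4-SHA accepted: run 'magctl service ciphers --ciphers-rc4=disable kong'")
    lowest = minimum_accepted(results)
    if lowest in ("TLSv1.0", "TLSv1.1"):
        findings.append(f"{lowest} accepted: run 'magctl service tls_version --tls-min-version 1.2'")
    if not (results.get("TLSv1.2") or results.get("TLSv1.3")):
        findings.append("neither TLS 1.2 nor 1.3 confirmed: current browsers and API clients may fail")
    findings += [f"{k}: not testable from this host" for k, v in results.items() if v is None]
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "dnac.example.com"  # assumed host name
    outcome = probe(target)
    print(outcome)
    for line in assess(outcome) or ["no findings"]:
        print(" -", line)
```

On a current OpenSSL build the client side often cannot offer TLS 1.0, TLS 1.1 or RC4-SHA at all; the script reports those as not testable from this host rather than as refused. Repeat those probes from an older toolchain, or with openssl s_client -tls1 -cipher 'DEFAULT:@SECLEVEL=0' -connect host:443, before concluding that the gateway rejects them.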


Configure Proxy Certificate

In some network configurations, proxy gateways might exist between Cisco DNA Center and the remote network it manages (containing various network devices). Common ports, such as 80 and 443, pass through the gateway proxy in the DMZ, and for this reason, SSL sessions from the network devices meant for Cisco DNA Center terminate at the proxy gateway. Therefore, the network devices located within these remote networks can only communicate with Cisco DNA Center through the proxy gateway. For the network devices to establish secure and trusted connections with Cisco DNA Center, or, if present, a proxy gateway, the network devices should have their PKI trust stores appropriately provisioned with the relevant CA root certificates or the server’s own certificate under certain circumstances.

If such a proxy is in place during onboarding of devices through PnP Discovery/Services, we recommend that the proxy and the Cisco DNA Center server certificate be the same so that network devices can trust and authenticate Cisco DNA Center securely.

In network topologies where a proxy gateway is present between Cisco DNA Center and the remote network it manages, perform the following procedure to import a proxy gateway certificate in to Cisco DNA Center.

Before you begin

  • Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles.

  • You must use the proxy gateway's IP address to reach Cisco DNA Center and its services.

  • You should have the certificate file that is currently being used by the proxy gateway. The certificate file contents should consist of any of the following:

    • The proxy gateway’s certificate in PEM or DER format, with the certificate being self-signed.

    • The proxy gateway’s certificate in PEM or DER format, with the certificate being issued by a valid, well-known CA.

    • The proxy gateway's certificate and its chain in PEM or DER format.

The certificate used by the devices and the proxy gateway must be imported in to Cisco DNA Center by following this procedure.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Trust & Privacy > Proxy Certificate.

Step 2

In the Proxy Certificate window, view the current proxy gateway certificate data (if it exists).

Note 

The Expiration Date and Time is displayed as a Greenwich Mean Time (GMT) value. A system notification will appear in Cisco DNA Center's GUI two months before the date and time at which the certificate expires.

Step 3

To add a proxy gateway certificate, drag and drop the self-signed or CA certificate into the Drag and Drop Here area.

Note 

Only PEM or DER files (public-key cryptography standard file formats) can be imported into Cisco DNA Center using this area. Additionally, private keys are neither required nor uploaded into Cisco DNA Center for this procedure.

Step 4

Click Save.

Step 5

Refresh the Proxy Certificate window to view the updated proxy gateway certificate data.

The information displayed in the Proxy Certificate window should have changed to reflect the new certificate name, issuer, and certificate authority.

Step 6

Click the Enable button to enable the proxy gateway certificate functionality.

If you click the Enable button, the controller will return the imported proxy gateway certificate when requested by a proxy gateway. If you don't click the Enable button, the controller will return its own self-signed or imported CA certificate to the proxy gateway.

The Enable button is dimmed when the proxy gateway certificate functionality is already enabled.


Certificate and Private Key Support

Cisco DNA Center supports the PKI Certificate Management feature, which is used to authenticate sessions (HTTPS). These sessions use commonly recognized trusted agents called CAs. Cisco DNA Center uses the PKI Certificate Management feature to import, store, and manage X.509 certificates from well-known CAs. The imported certificate becomes an identity certificate for Cisco DNA Center, and Cisco DNA Center presents this certificate to its clients for authentication. The clients are the northbound API applications and network devices.

You can import the following files (in either PEM or PKCS file format) using the Cisco DNA Center GUI:

  • X.509 certificate

  • Private key


Note

For the private key, Cisco DNA Center supports the import of RSA keys. You should not import DSA, DH, ECDH, and ECDSA key types, because they are not supported. You should also keep the private key secure in your own key management system. The private key must have a minimum modulus size of 2048 bits.


Prior to import, you must obtain a valid X.509 certificate and private key issued by a well-known CA and the certificate must correspond to a private key in your possession. After import, the security functionality based on the X.509 certificate and private key is automatically activated. Cisco DNA Center presents the certificate to any device or application that requests it. Northbound API applications and network devices can use these credentials to establish a trust relationship with Cisco DNA Center.


Note

We recommend that you do not use and import a self-signed certificate into Cisco DNA Center. We recommend that you import a valid X.509 certificate from a well-known CA. Additionally, you must replace the self-signed certificate (installed in Cisco DNA Center by default) with a certificate that is signed by a well-known CA for the PnP functionality to work correctly.


Cisco DNA Center supports only one imported X.509 certificate and private key at a time. When you import a second certificate and private key, the latter overwrites the first (existing) imported certificate and private key values.

Certificate Chain Support

Cisco DNA Center is able to import certificates and private keys through its GUI. If subordinate certificates are involved in a certificate chain leading to the certificate that is to be imported into Cisco DNA Center (signed certificate), both the subordinate certificates as well as the root certificate of these subordinate CAs must be appended together into a single file to be imported. When appending these certificates, you must append them in the same order as the actual chain of certification.

The following certificates should be pasted together into a single PEM file. Review the certificate subject name and issuer to ensure that the correct certificates are being imported and correct order is maintained. Ensure that all of the certificates in the chain are pasted together.

  • Signed Cisco DNA Center certificate: Its Subject field includes CN=<FQDN of Cisco DNA Center>, and the issuer has the CN of the issuing authority.


    Note

    If you install a third-party certificate, ensure that the certificate specifies all of the IP addresses (for both physical ports and VIPs) and DNS names that are used to access Cisco DNA Center in the alt_names section. For more information, see "Generate a Certificate Request Using Open SSL" in the Cisco DNA Center Security Best Practices Guide.


  • Issuing (subordinate) CA certificate that issues the Cisco DNA Center certificate: Its Subject field has CN of the (subordinate) CA that issues the Cisco DNA Center certificate, and the issuer is that of the root CA.

  • Next issuing (root/subordinate CA) certificate that issues the subordinate CA certificate: Its Subject field is the root CA, and the issuer has the same value as the Subject field. If they are not the same, you must append the next issuer, and so on.
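One way to check a bundle before importing it, as an added example (not Cisco code and not part of this guide): the script below reads a PEM file, lists each certificate's Subject and Issuer CN in file order, and reports where the chain breaks. It uses only the Python standard library, compares the Subject and Issuer Name encodings byte for byte, and verifies no signatures, so it complements rather than replaces openssl verify. The embedded sample chain (dnac.example.com, Example Issuing CA, Example Root CA) is constructed and unsigned so that the check runs offline; point parse_bundle at your real bundle instead.

```python
"""Check that a PEM bundle has the order the chain description above requires:
the Cisco DNA Center certificate first, then each issuing CA, ending with a
self-signed root, each Issuer matching the next Subject. Added example, not
Cisco code: it walks the DER with the standard library only and compares Name
encodings byte for byte (a matching rule RFC 5280 allows); it verifies no signatures."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x55\x04\x03"  # contents of the id-at-commonName OID (2.5.4.3)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def name_ranges(der):
    """((subject_start, subject_end), (issuer_start, issuer_end)) of one DER certificate.
    TBSCertificate is: [0] version (optional), serial, signature, issuer, validity, subject, ..."""
    _, cert_s, _ = _tlv(der, 0)
    _, tbs_s, tbs_e = _tlv(der, cert_s)
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:
        fields.pop(0)
    return fields[4][1:], fields[2][1:]


def common_name(der, start, end):
    """CN of a Name (SEQUENCE OF SET OF SEQUENCE {OID, value}), or '?' if absent."""
    for _, rdn_s, rdn_e in _children(der, start, end):
        for _, atv_s, atv_e in _children(der, rdn_s, rdn_e):
            (_, oid_s, oid_e), (_, val_s, val_e) = list(_children(der, atv_s, atv_e))[:2]
            if der[oid_s:oid_e] == CN_OID:
                return der[val_s:val_e].decode("utf-8", "replace")
    return "?"


def parse_bundle(pem):
    """Certificates of a PEM bundle, in file order, with CNs and raw Subject/Issuer bytes."""
    certs = []
    for m in PEM_RE.finditer(pem):
        der = base64.b64decode(b"".join(m.group(1).split()))
        (sub_s, sub_e), (iss_s, iss_e) = name_ranges(der)
        certs.append({"cn": common_name(der, sub_s, sub_e), "issuer_cn": common_name(der, iss_s, iss_e),
                      "subject": der[sub_s:sub_e], "issuer": der[iss_s:iss_e]})
    return certs


def check_order(certs):
    """Problems with the bundle order; an empty list means leaf -> intermediates -> root."""
    if not certs:
        return ["no certificates found"]
    problems = []
    for i, cert in enumerate(certs[:-1]):
        nxt = certs[i + 1]
        if cert["issuer"] != nxt["subject"]:
            problems.append(f"#{i + 1} '{cert['cn']}' was issued by '{cert['issuer_cn']}' "
                            f"but #{i + 2} is '{nxt['cn']}'")
    last = certs[-1]
    if last["subject"] != last["issuer"]:
        problems.append(f"last certificate '{last['cn']}' is not self-signed: "
                        f"append its issuer '{last['issuer_cn']}'")
    return problems


# Constructed sample input: structurally valid but unsigned placeholder certificates,
# built here so the check runs offline; replace them with your real bundle.
def _der(tag, content):
    n, size = len(content), (len(content).bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def _name(cn):  # SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))))


def fake_cert(subject_cn, issuer_cn):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn) + _der(0x30, b""))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


LEAF = fake_cert("dnac.example.com", "Example Issuing CA")
SUB = fake_cert("Example Issuing CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")
BUNDLE_GOOD = LEAF + SUB + ROOT      # the order to import
BUNDLE_REVERSED = ROOT + SUB + LEAF  # a common mistake
BUNDLE_NO_ROOT = LEAF + SUB          # chain does not end at a self-signed root

if __name__ == "__main__":
    for label, bundle in (("good", BUNDLE_GOOD), ("reversed", BUNDLE_REVERSED), ("no root", BUNDLE_NO_ROOT)):
        print(label, "->", check_order(parse_bundle(bundle)) or "OK")
```

Once the order is right, confirm the signatures as well with openssl verify -CAfile root.pem -untrusted intermediates.pem server.pem; the script above deliberately checks only the ordering that the import requires.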

Update the Cisco DNA Center Server Certificate

Cisco DNA Center supports the import and storage of an X.509 certificate and private key into Cisco DNA Center. After import, the certificate and private key can be used to create a secure and trusted environment between Cisco DNA Center, northbound API applications, and network devices.

You can import a certificate and a private key using the Certificate window in the GUI.

Before you begin

You must obtain a valid X.509 certificate issued by a well-known CA, and the certificate must correspond to a private key in your possession.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Trust & Privacy > Certificate.

Step 2

In the Certificate window, view the current certificate data.

When you first view this window, the current certificate data that is displayed is the Cisco DNA Center self-signed certificate. The self-signed certificate's expiry is set for several years in the future.

Note 

The Expiration Date and Time is displayed as a Greenwich mean time (GMT) value. A system notification appears in the Cisco DNA Center GUI two months before the certificate expires.

The additional fields that are displayed in the Certificate window include:

  • Current Certificate Name: Name of the current certificate

  • Issuer: Name of the entity that has signed and issued the certificate

  • Certificate Authority: Either self-signed or the name of the CA

  • Expires On: Expiry date of the certificate

Step 3

To replace the current certificate, click Replace Certificate.

The following new fields appear:

  • Certificate: Fields to enter certificate data

  • Private Key: Fields to enter private key data

Step 4

From the Certificate drop-down list, choose the file format type for the certificate that you are importing into Cisco DNA Center:

  • PEM: Privacy-enhanced mail file format

  • PKCS: Public-Key Cryptography Standard file format

Step 5

If you choose PEM, perform the following tasks:

  • For the Certificate field, import the PEM file by dragging and dropping the file into the Drag n' Drop a File Here area.

    Note 

    A PEM file must have a valid PEM format extension (.pem, .cert, .crt). The maximum file size for the certificate is 10 KB.

  • For the Private Key field, import the private key by dragging and dropping the file into the Drag n' Drop a File Here area.

    • Choose the encryption option from the Encrypted drop-down list for the private key.

    • If you chose encryption, enter the passphrase for the private key in the Passphrase field.

      Note 

      Private keys must have a valid private key format extension (.pem or .key).

Step 6

If you choose PKCS, perform the following tasks:

  • For the Certificate field, import the PKCS file by dragging and dropping the file into the Drag n' Drop a File Here area.

    Note 

    A PKCS file must have a valid PKCS format extension (.pfx, .p12). The maximum file size for the certificate is 10 KB.

  • For the Certificate field, enter the passphrase for the certificate in the Passphrase field.

    Note 

    For PKCS, the imported certificate also requires a passphrase.

  • For the Private Key field, choose the encryption option for the private key.

  • For the Private Key field, if encryption is chosen, enter the passphrase for the private key in the Passphrase field.

Step 7

Click Upload/Activate.

Step 8

Return to the Certificate window to view the updated certificate data.

The information displayed in the Certificate window should have changed to reflect the new certificate name, issuer, and the certificate authority.

Certificate Management

Configure the Device Certificate Lifetime

Cisco DNA Center lets you change the certificate lifetime of network devices that are managed and monitored by the private (internal) Cisco DNA Center CA. The Cisco DNA Center default value for the certificate lifetime is 365 days. After the certificate lifetime value is changed using the Cisco DNA Center GUI, network devices that subsequently request a certificate from Cisco DNA Center are assigned this lifetime value.


Note

The device certificate lifetime value cannot exceed the CA certificate lifetime value. Additionally, if the remaining lifetime of the CA certificate is less than the configured device's certificate lifetime, the device gets a certificate lifetime value that is equal to the remaining CA certificate lifetime.


You can change the device certificate lifetime using the PKI Certificate Management window in the GUI.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Trust & Privacy > PKI Certificate.

Step 2

Click the Device Certificate tab.

Step 3

Review the device certificate and the current device certificate lifetime.

Step 4

In the Device Certificate Lifetime field, enter a new value, in days.

Step 5

Click Apply.

Step 6

(Optional) Refresh the PKI Certificate Management window to confirm the new device certificate lifetime value.


Change the Role of the PKI Certificate from Root to Subordinate

The device PKI CA, a private CA that is provided by Cisco DNA Center, manages the certificates and keys used to establish and secure server-client connections. To change the role of the device PKI CA from a root CA to a subordinate CA, complete the following procedure.

When changing the private Cisco DNA Center CA from a root CA to a subordinate CA, note the following:

  • If you intend to have Cisco DNA Center act as a subordinate CA, it is assumed that you already have a root CA, for example, Microsoft CA, and you are willing to accept Cisco DNA Center as a subordinate CA.

  • As long as the subordinate CA is not fully configured, Cisco DNA Center continues to operate as an internal root CA.

  • You must generate a Certificate Signing Request file for Cisco DNA Center (as described in the following procedure) and have it manually signed by your external root CA.


    Note

    Cisco DNA Center continues to run as an internal root CA during this time period.


  • After the Certificate Signing Request is signed by the external root CA, this signed file must be imported back into Cisco DNA Center using the GUI (as described in the following procedure).

    After the import, Cisco DNA Center initializes itself as the subordinate CA and provides all the existing functionalities of a subordinate CA.

  • The switchover from the internal root CA to the subordinate CA used by managed devices is not automatically supported. Therefore, it is assumed that no devices have been configured with the internal root CA yet. If devices are configured, it is the responsibility of the network administrator to manually revoke the existing device ID certificates before switching to the subordinate CA.

  • The subordinate CA certificate lifetime shown in the GUI is read from the certificate; it is not computed against the system time. If you install a certificate with a 1-year lifespan today and look at it in the GUI six months from now, the GUI still shows a 1-year lifetime.

  • The subordinate CA certificate must be in PEM or DER format only.

  • The subordinate CA does not interact with the higher CAs; therefore, it is not aware of any revocation of certificates at a higher level, and no such revocation information is passed from the subordinate CA to the network devices. Because the subordinate CA does not have this information, all network devices use only the subordinate CA as their CRL distribution point (CDP).

You can change the role of the private (internal) Cisco DNA Center CA from a root CA to a subordinate CA using the PKI Certificate Management window in the GUI.

Before you begin

You must have a copy of the root CA certificate.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Trust & Privacy > PKI Certificate.

Step 2

Click the CA Management tab.

Step 3

Review the existing root or subordinate CA certificate configuration information from the GUI:

  • Root CA Certificate: Displays the current root CA certificate (either external or internal).

  • Root CA Certificate Lifetime: Displays the current lifetime value of the current root CA certificate, in days.

  • Current CA Mode: Displays the current CA mode (root CA or subordinate CA).

  • Change to Sub CA mode: Enables a change from a root CA to a subordinate CA.

Step 4

In the CA Management tab, for Change to Sub CA mode, click Yes.

Step 5

Click Next.

Step 6

Review the Root CA to Sub CA warnings that appear:

  • Changing from root CA to subordinate CA is a process that cannot be reversed.

  • You must ensure that no network devices have been enrolled or issued a certificate in root CA mode. Network devices that have been accidentally enrolled in root CA mode must be revoked before changing from root CA to subordinate CA.

  • Network devices must come online only after the subordinate CA configuration process finishes.

Step 7

Click OK to proceed.

The PKI Certificate Management window displays the Import External Root CA Certificate field.

Step 8

Drag and drop your root CA certificate into the Import External Root CA Certificate field and click Upload.

The root CA certificate is uploaded into Cisco DNA Center and used to generate a Certificate Signing Request.

After the upload process finishes, a Certificate Uploaded Successfully message appears.

Step 9

Click Next.

Cisco DNA Center generates and displays the Certificate Signing Request.

Step 10

View the Cisco DNA Center-generated Certificate Signing Request in the GUI and perform one of the following actions:

  • Click the Download link to download a local copy of the Certificate Signing Request file.

    You can then attach this Certificate Signing Request file to an email to send to your root CA.

  • Click the Copy to the Clipboard link to copy the Certificate Signing Request file's content.

    You can then paste this Certificate Signing Request content to an email or include it as an attachment to an email and send it to your root CA.

Step 11

Send the Certificate Signing Request file to your root CA.

Your root CA will then return a subordinate CA file, which you must import back into Cisco DNA Center.

Step 12

After receiving the subordinate CA file from your root CA, access the Cisco DNA Center GUI again and return to the PKI Certificate Management window.

Step 13

Click the CA Management tab.

Step 14

Click Yes for the Change CA mode button.

After clicking Yes, the GUI view with the Certificate Signing Request is displayed.

Step 15

Click Next.

The PKI Certificate Management window displays the Import Sub CA Certificate field.

Step 16

Drag and drop your subordinate CA certificate into the Import Sub CA Certificate field and click Apply.

The subordinate CA certificate is uploaded into Cisco DNA Center.

After the upload finishes, the GUI displays the subordinate CA mode under the CA Management tab.

Step 17

Review the fields under the CA Management tab:

  • Sub CA Certificate: Displays the current subordinate CA certificate.

  • External Root CA Certificate: Displays the root CA certificate.

  • Sub CA Certificate Lifetime: Displays the lifetime value of the subordinate CA certificate, in days.

  • Current CA Mode: Displays SubCA mode.


Provision a Rollover Subordinate CA Certificate

Cisco DNA Center lets you apply a subordinate certificate as a rollover subordinate CA when 70 percent of the existing subordinate CA's lifetime has elapsed.

Before you begin

  • To initiate subordinate CA rollover provisioning, you must have changed the PKI certificate role to subordinate CA mode. See Change the Role of the PKI Certificate from Root to Subordinate.

  • Seventy percent or more of the lifetime of the current subordinate CA certificate must have elapsed. When this occurs, Cisco DNA Center displays a Renew button under the CA Management tab.

  • You must have a signed copy of the rollover subordinate CA PKI certificate.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Trust & Privacy > PKI Certificate.

Step 2

Click the CA Management tab.

Step 3

Review the CA certificate configuration information:

  • Subordinate CA Certificate: Displays the current subordinate CA certificate.

  • External Root CA Certificate: Displays the root CA certificate.

  • Subordinate CA Certificate Lifetime: Displays the lifetime value of the current subordinate CA certificate, in days.

  • Current CA Mode: Displays SubCA mode.

Step 4

Click Renew.

Cisco DNA Center uses the existing subordinate CA to generate and display the rollover subordinate CA Certificate Signing Request.

Step 5

View the generated Certificate Signing Request in the GUI and perform one of the following actions:

  • Click the Download link to download a local copy of the Certificate Signing Request file.

    You can then attach this Certificate Signing Request file to an email to send it to your root CA.

  • Click the Copy to the Clipboard link to copy the Certificate Signing Request file's content.

    You can then paste this Certificate Signing Request content to an email or include it as an attachment to an email and send it to your root CA.

Step 6

Send the Certificate Signing Request file to your root CA.

Your root CA will then return a rollover subordinate CA file that you must import back into Cisco DNA Center.

The Certificate Signing Request for the subordinate CA rollover must be signed by the same root CA that signed the subordinate CA certificate you imported when you switched from RootCA mode to SubCA mode. A rollover certificate from a different root does not chain to the external root CA certificate already stored in Cisco DNA Center.

Step 7

After receiving the rollover subordinate CA file from your root CA, return to the PKI Certificate Management window.

Step 8

Click the CA Management tab.

Step 9

Click Next in the GUI in which the Certificate Signing Request is displayed.

The PKI Certificate Management window displays the Import Sub CA Certificate field.

Step 10

Drag and drop your subordinate rollover CA certificate into the Import Sub CA Certificate field and click Apply.

The rollover subordinate CA certificate is uploaded into Cisco DNA Center.

After the upload finishes, the GUI changes to disable the Renew button under the CA Management tab.
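The certificate your root CA returns is accepted by the import in Step 16 of the preceding procedure and by Step 10 of this one, so it is worth checking before you upload it. The script below is an added example, not Cisco DNA Center code: it verifies that the returned certificate chains to the root CA certificate you uploaded, that it is actually a CA certificate, that its public key matches the CSR Cisco DNA Center generated, and how much validity it really has left (the GUI only displays the lifetime read from the certificate). File names and the 30-day threshold are assumptions, and the root CA, CSR and certificates are constructed locally with openssl so the script runs offline; in practice you would point it at the real root certificate, the downloaded CSR and the file the root CA returned.

```shell
#!/bin/sh
# Added example, not Cisco DNA Center code. Pre-import checks for the
# subordinate CA (or rollover subordinate CA) certificate returned by the
# root CA. File names are assumptions; the fixture is constructed locally.

# check_subca_cert ROOT_PEM CSR_PEM SUBCA_PEM
# Returns 0 when SUBCA_PEM is safe to import, 1 (with a reason) otherwise.
check_subca_cert() {
    root="$1"; csr="$2"; sub="$3"

    # 1. It must chain to the root CA certificate uploaded in Step 8.
    openssl verify -CAfile "$root" "$sub" >/dev/null 2>&1 \
        || { echo "FAIL: $sub does not chain to $root"; return 1; }

    # 2. It must be a CA certificate (basicConstraints CA:TRUE and
    #    keyUsage keyCertSign). A leaf certificate issued by mistake could
    #    never sign device ID certificates.
    text=$(openssl x509 -in "$sub" -noout -text)
    printf '%s\n' "$text" | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE' \
        || { echo "FAIL: $sub lacks basicConstraints CA:TRUE"; return 1; }
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' \
        || { echo "FAIL: $sub lacks keyUsage keyCertSign"; return 1; }

    # 3. Its public key must be the one in the CSR Cisco DNA Center
    #    generated; otherwise it does not match the appliance's private key.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey)
    cert_pub=$(openssl x509 -in "$sub" -noout -pubkey)
    [ "$csr_pub" = "$cert_pub" ] \
        || { echo "FAIL: public key in $sub differs from $csr"; return 1; }

    # 4. Remaining validity against the real clock. The GUI shows only the
    #    lifetime read from the certificate; require at least 30 days left
    #    (assumed threshold).
    openssl x509 -in "$sub" -noout -checkend $((30 * 86400)) >/dev/null \
        || { echo "FAIL: $sub expires within 30 days"; return 1; }

    echo "OK: $sub chains to $root, is a CA certificate and matches $csr"
    return 0
}

# build_fixture DIR: constructed test data. A root CA, a CSR like the one
# Cisco DNA Center hands you, a correct subordinate CA certificate and, for
# contrast, an end-entity certificate the root CA might return for the same
# CSR if the wrong template is used.
build_fixture() {
    d="$1"
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ca\n' > "$d/req.cnf"
    printf '[dn]\nCN = placeholder\n[ca]\nbasicConstraints = critical,CA:TRUE\n' >> "$d/req.cnf"
    printf 'keyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' >> "$d/req.cnf"
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -subj '/CN=Constructed Root CA' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=Constructed DNAC Sub CA' -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints = critical,CA:FALSE\nkeyUsage = critical,digitalSignature\n' > "$d/leaf.ext"
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 365 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 365 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Demo run: the first check passes, the second fails on basicConstraints.
FIX=$(mktemp -d)
build_fixture "$FIX"
check_subca_cert "$FIX/root.pem" "$FIX/sub.csr" "$FIX/sub.pem"
check_subca_cert "$FIX/root.pem" "$FIX/sub.csr" "$FIX/leaf.pem" || true
```

The same function applies unchanged to the rollover certificate: pass the root CA certificate already stored in Cisco DNA Center, the rollover CSR from Step 4, and the file the root CA returned. A failure on check 1 is the symptom of a rollover CSR signed by a different root CA.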


Renew Certificates

Cisco DNA Center uses a number of certificates, such as the ones generated by Kubernetes and the ones used by Kong and Credential Manager Services. These certificates are valid for one year, which starts as soon as you install your cluster. Cisco DNA Center automatically renews these certificates for another year before they are set to expire.

  • We recommend that you renew certificates before they expire, not after.

  • You can only renew certificates that are set to expire up to 100 days from now. This procedure does not do anything to certificates that will expire later than that.

  • The script refreshes only self-signed certificates; it does not renew third-party/certificate authority (CA)-signed certificates. If a third-party/CA-signed certificate is in use, the script renews only the internal certificates used by Kubernetes and the Credential Manager.

  • For self-signed certificates, the renewal process does not require you to push certificates back out to devices, because the root CA is unchanged.

  • The term cluster applies to both single-node and three-node Cisco DNA Center setups.

Procedure


Step 1

Ensure that each cluster node is healthy and not experiencing any issues.

Step 2

To view the certificates currently used by the node and their expiration dates, enter the following command:

sudo maglev-config certs info

Step 3

Renew the certificates that are set to expire within the next 100 days by entering the following command:

sudo maglev-config certs refresh

Step 4

Repeat the preceding steps for the other cluster nodes.

Step 5

For utility help, enter:

$ sudo maglev-config certs --help
Usage: maglev-config certs [OPTIONS] COMMAND [ARGS]...

Options:
  --help  Show this message and exit.

Commands:
  info
  refresh

Configure Trustpool

Cisco DNA Center contains a preinstalled Cisco trustpool bundle (Cisco Trusted External Root Bundle). Cisco DNA Center also supports the import and storage of an updated trustpool bundle from Cisco. The trustpool bundle is used by supported Cisco networking devices to establish a trust relationship with Cisco DNA Center and its applications.


Note

The Cisco trustpool bundle is a file called ios.p7b that only supported Cisco devices can unbundle and use. This ios.p7b file contains root certificates of valid certificate authorities, including Cisco. This Cisco trustpool bundle is available on the Cisco cloud (Cisco InfoSec). The link is located at https://www.cisco.com/security/pki/.


The trustpool bundle provides you with a safe and convenient way to use the same CA to manage all your network device certificates, as well as your Cisco DNA Center certificate. The trustpool bundle is used by Cisco DNA Center to validate its own certificate as well as a proxy gateway certificate (if any), to determine whether it is a valid CA-signed certificate. Additionally, the trustpool bundle is available for upload to Network PnP-enabled devices at the beginning of their PnP workflow so that they can trust Cisco DNA Center for subsequent HTTPS-based connections.

You import the Cisco trust bundle using the Trustpool window in the GUI.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Trust & Privacy > Trustpool.

Step 2

In the Trustpool window, click the Update button to initiate a new download and install of the trustpool bundle.

The Update button becomes active only when an updated version of the ios.p7b file is available and internet access is available.

After the new trustpool bundle is downloaded and installed on Cisco DNA Center, Cisco DNA Center makes this trustpool bundle available to supported Cisco devices for download.

Step 3

If you want to import a new certificate file, click Import, choose a valid certificate file from your local system, and click Import in the Import Certificate window.

Step 4

Click Export to export the certificate details in CSV format.


Configure the SFTP Server

The SFTP server can be used as a backup of an internal file server. The local SFTP server in Cisco DNA Center supports secure ciphers.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Device Settings > SFTP.

Step 2

Configure the SFTP settings:

  • Host: Hostname or IP address of the SFTP server.

  • Username: Name that is used to log in to the SFTP server. The username must have read/write privileges on the working root directory on the server.

  • Password: Password that is used to log in to the SFTP server.

  • Port Number: Port number on which the SFTP server is running.

  • Root Location: Working root directory for file transfers.

Step 3

Because some legacy wireless controller software versions support only weak algorithms for SFTP (for example, SHA-1-based MACs), you might need to enable SFTP compatibility mode on Cisco DNA Center for SFTP connections from wireless controllers used for software image management and wireless assurance. You can temporarily enable support for these weak algorithms on the Cisco DNA Center SFTP server for up to 90 days: check the Compatibility mode check box and enter a duration (from 1 minute to 90 days). Keep the duration as short as the controller upgrade schedule allows, because the weakened algorithm set applies to every client of the SFTP server, not only to the legacy controllers.

Step 4

Click Save.

Step 5

Review the new SFTP settings in the SFTP window.
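Compatibility mode changes what the Cisco DNA Center SFTP server offers during the SSH key exchange, and the most direct way to see that is the server's own proposal in the debug output of `ssh -vv` against the SFTP port. The script below is an added example, not Cisco DNA Center code: it reads such a transcript (the lines OpenSSH prints after "peer server KEXINIT proposal"), flags SHA-1 MACs and key exchange, CBC ciphers, 3DES and RC4, and returns non-zero when anything weak is offered, so it can be run before and after the 90-day window to confirm the mode was actually switched off. The two transcripts are constructed for the demo, and the weak-algorithm patterns are this example's assumptions, not a Cisco list.

```shell
#!/bin/sh
# Added example, not Cisco DNA Center code. Flags weak SSH algorithms in a
# server's KEXINIT proposal as captured with:  ssh -vv -p PORT user@host
# (OpenSSH debug2 lines). Weak-algorithm patterns are assumptions.

# weak_ssh_algos FILE
# Prints one "<kind>: <algorithm>" line per weak algorithm the server
# offered; exit status 0 if nothing weak was offered, 1 otherwise.
weak_ssh_algos() {
    awk '
        /peer server KEXINIT proposal/ { in_srv = 1; next }
        in_srv && !/^debug2: /        { in_srv = 0 }
        in_srv && /^debug2: (KEX algorithms|ciphers (ctos|stoc)|MACs (ctos|stoc)): / {
            kind = $0; sub(/^debug2: /, "", kind); sub(/: .*/, "", kind)
            list = $0; sub(/^debug2: [^:]*: /, "", list)
            n = split(list, alg, ",")
            # SHA-1 MACs and KEX, CBC ciphers, 3DES, RC4 (arcfour), group1 DH
            for (i = 1; i <= n; i++)
                if (alg[i] ~ /sha1|-cbc|3des|arcfour|group1-/) {
                    print kind ": " alg[i]; weak = 1
                }
        }
        END { exit weak ? 1 : 0 }' "$1"
}

# Constructed sample: a server offering SHA-1 MACs, SHA-1 DH and 3DES, the
# kind of proposal Compatibility mode exists to allow.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ext-info-c
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: aes256-gcm@openssh.com,aes128-ctr,3des-cbc
debug2: ciphers stoc: aes256-gcm@openssh.com,aes128-ctr,3des-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-256,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug1: kex: algorithm: curve25519-sha256
EOF

# Constructed sample: the same server with Compatibility mode off.
STRICT=$(mktemp)
cat > "$STRICT" <<'EOF'
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256
debug2: ciphers ctos: aes256-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256
debug1: kex: algorithm: curve25519-sha256
EOF

echo "== compatibility mode on =="
weak_ssh_algos "$WEAK" || true
echo "== compatibility mode off =="
weak_ssh_algos "$STRICT" && echo "(nothing weak offered)"
```

Only the server's proposal is inspected, so the client's own preferences do not skew the result; host key algorithms are deliberately out of scope, since the SHA-1 concern in the SFTP compatibility mode is about MACs and key exchange, not host key signatures.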


Configure SNMP Properties

You can configure retry and timeout values for SNMP.

Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Device Settings > SNMP.

Step 2

Configure the following fields:

  • Retries: Number of attempts allowed to connect to the device. Valid values are from 1 to 3. The default is 3.

  • Timeout: Number of seconds Cisco DNA Center waits when trying to establish a connection with a device before timing out. Valid values are from 1 to 300 seconds in intervals of 5 seconds. The default is 5 seconds.

Step 3

Click Apply.

Step 4

(Optional) To return to the default settings, click Revert to Defaults.


About Product Usage Telemetry Collection

Cisco DNA Center collects product usage telemetry, which provides data about the status and capabilities of the Cisco DNA Center appliance. This data enables Cisco to proactively address operational and product usage issues. The product usage telemetry data is collected locally on the Cisco DNA Center appliance and sent to Cisco Connected DNA. All data transmitted to Cisco goes through an encrypted channel; the same channel is also used for other purposes, such as cloud-delivered software updates.


Note

Product usage telemetry collection cannot be disabled.

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings, and then choose Terms and Conditions > Telemetry Collection. You can review the license agreement, the privacy data, and the Cisco privacy statement from the Telemetry Collection page.

The collection of product usage telemetry is enabled by default. We recommend that you contact the Cisco Technical Assistance Center (TAC) if you need to:

  • Change telemetry settings.

  • Raise any other specific questions or requests related to telemetry.

Configure vManage Properties

Cisco DNA Center supports Cisco's vEdge deployment by using integrated vManage setups. You can save the vManage details from the Settings page before provisioning any vEdge topologies.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > External Services > VManage.

Step 2

Configure the vManage Properties:

  • Host Name/IP Address: Hostname or IP address of vManage.

  • Username: Name that is used to log in to vManage.

  • Password: Password that is used to log in to vManage.

  • Port Number: Port used to connect to vManage.

  • vBond Host Name/IP Address: IP address of vBond. Required if you are using vManage to manage NFV.

  • Organization Name: Name of the organization. Required if you are using vManage to manage NFV.

Step 3

To upload the vManage certificate, click Select a file from your computer.

Step 4

Click Save.


Account Lockout

You can configure the account lockout policy to manage user login attempts, the account lockout period, and the number of login retries.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Trust & Privacy > Account Lockout.

Step 2

Click the Enforce Account Lockout toggle button so that you see a check mark.

Step 3

Enter values for the following Enforce Account Lockout parameters:

  • Maximum Login Retries

  • Lockout Effective Periods (minutes)

  • Reset Login Retries after (minutes)

Note 

Hover over Info to view details for each parameter.

Step 4

Click Save to set the account lockout settings.


Password Expiry

You can configure the password expiration policy to manage the password expiration frequency, the number of days that users are notified before their password expires, and the grace period.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Trust & Privacy > Password Expiry.

Step 2

Click the Enforce Password Expiry toggle button so that you see a check mark.

Step 3

Enter values for the following Enforce Password Expiry parameters:

  • Password Expiry Period (days)

  • Password Expiration Warning (days)

  • Grace Period (days)

Note 

Hover over Info to view details for each parameter.

Step 4

Click Save to set the password expiry settings.