Complete First-Time Setup

First-Time Setup Workflow

After you finish configuring all of the Cisco DNA Center appliances you have installed, perform the tasks described in this chapter to prepare Cisco DNA Center for production use. Note the following points:

  • For the parameter information you need to complete this work, see Required First-Time Setup Information.

  • If you plan to deploy high availability (HA) in your production environment, you will need to redistribute services among your cluster nodes to optimize HA operation (see Activate High Availability). Complete this step after you have configured the SNMP settings for your appliances.

Compatible Browsers

The Cisco DNA Center GUI is compatible with the following HTTPS-enabled browsers:

  • Google Chrome: Version 73.0 or later.

  • Mozilla Firefox: Version 65.0 or later.

We recommend that the client systems you use to log in to Cisco DNA Center be equipped with 64-bit operating systems and browsers.

Complete the Quick Start Workflow

After you have installed and configured the Cisco DNA Center appliance, you can log in to its GUI. Use a compatible, HTTPS-enabled browser when accessing Cisco DNA Center.

When you log in for the first time as the admin superuser (with the username admin and the SUPER-ADMIN-ROLE assigned), the Quick Start workflow automatically starts. Complete this workflow to discover the devices that Cisco DNA Center will manage and enable the collection of telemetry from those devices.

Before you begin

To log in to Cisco DNA Center and complete the Quick Start workflow, you will need:

Procedure

Step 1

After the Cisco DNA Center appliance reboot is completed, launch your browser.

Step 2

Enter the host IP address to access the Cisco DNA Center GUI, using HTTPS:// and the IP address of the Cisco DNA Center GUI that was displayed at the end of the configuration process.

After entering the IP address, one of the following messages appears (depending on the browser you are using):

  • Google Chrome: Your connection is not private

  • Mozilla Firefox: Warning: Potential Security Risk Ahead

Step 3

Ignore the message and click Advanced.

One of the following messages appears:

  • Google Chrome: 
    This server could not prove that it is GUI-IP-address; its security certificate is not trusted by your computer's
 operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.
  • Mozilla Firefox: 
    Someone could be trying to impersonate the site and you should not continue.

Websites prove their identity via certificates. Firefox does not trust GUI-IP-address because its certificate issuer is unknown,
the certificate is self-signed, or the server is not sending the correct intermediate certificates.

These messages appear because the controller uses a self-signed certificate. For information on how Cisco DNA Center uses certificates, see the "Certificate and Private Key Support" section in the Cisco DNA Center Administrator Guide.

Step 4

Ignore the message and do one of the following:

  • Google Chrome: Click the Proceed to GUI-IP-address (unsafe) link.

  • Mozilla Firefox: Click Accept the Risk and Continue.

The Cisco DNA Center login screen appears.

Step 5

Enter the admin's username (admin) and password that you set when you configured Cisco DNA Center, then click Log In.

In the resulting screen, you are prompted to specify a new admin password (as a security measure).
Step 6

Do the following, then click Next:

  1. Enter the same admin password you specified in Step 5.

  2. Enter and confirm a new admin password.
Step 7

In the resulting screen, enter your cisco.com username and password and then click Next.

These credentials are used to register software downloads and receive system communications.

The Terms & Conditions screen opens, providing links to the software End User License Agreement (EULA) and any supplemental terms that are currently available.

Step 8

After reviewing these documents, click Next to accept the EULA.

The Quick Start Overview slider opens. Click > to view a description of the tasks that the Quick Start workflow will help you complete in order to start using Cisco DNA Center.

Step 9

Complete the Quick Start workflow:

  1. Click Let's Do it.

  2. In the Discover Devices: Provide IP Ranges screen, enter the following information and then click Next:

    • The name for the device discovery job.

    • The IP address ranges of the devices you want to discover. Click + to enter additional ranges.

    • Specify whether you want to designate your appliance's loopback address as its preferred management IP address. For more information, see the "Preferred Management IP Address" topic in the Cisco DNA Center User Guide.

  3. In the Discover Devices: Provide Credentials screen, enter the information described in the following table for the type of credentials you want to configure and then click Next:

    Field

    Description

    CLI (SSH) Credentials

    Username

    Username used to log in to the CLI of the devices in your network.

    Password

    Password used to log in to the CLI of the devices in your network.

    Name/Description

    Name or description of the CLI credentials.

    Enable Password

    Password used to enable a higher privilege level in the CLI. Configure this password only if your network devices require it.

    SNMP Credentials: SNMPv2c Read tab

    Name/Description

    Name or description of the SNMPv2c read community string.

    Community String

    Read-only community string password used only to view SNMP information on the device.

    SNMP Credentials: SNMPv2c Write tab

    Name/Description

    Name or description of the SNMPv2c write community string.

    Community String

    Write community string used to make changes to the SNMP information on the device.

    SNMP Credentials: SNMPv3

    Name/Description

    Name or description of the SNMPv3 credentials.

    Username

    Username associated with the SNMPv3 credentials.

    Mode

    Security level that SNMP messages require:

    • No Authentication, No Privacy (noAuthnoPriv): Does not provide authentication or encryption.

    • Authentication, No Privacy (authNoPriv): Provides authentication, but does not provide encryption.

    • Authentication and Privacy (authPriv): Provides both authentication and encryption.

    Authentication Password

    Password required to gain access to information from devices that use SNMPv3. The password must be at least eight characters in length. Note the following points:

    • Some wireless controllers require that passwords be at least 12 characters long. Be sure to check the minimum password requirements for your wireless controllers. Failure to ensure these required minimum character lengths for passwords results in devices not being discovered, monitored, or managed by Cisco DNA Center.

    • Passwords are encrypted for security reasons and are not displayed in the configuration.

    Authentication Type

    Hash-based Message Authentication Code (HMAC) type used when either Authentication and Privacy or Authentication, No Privacy is set as the authentication mode:

    • SHA: HMAC-SHA authentication.

    • MD5: HMAC-MD5 authentication.

    Privacy Type

    Privacy type used when Authentication and Privacy is set as the authentication mode:

    • DES: 56-bit DES encryption.

      Note 

      DES encryption is being deprecated and will be removed in a future release.

    • AES128: 128-bit AES encryption.

    • None: No privacy.

    Privacy Password

    Password used to generate the secret key for encrypting messages that are exchanged with devices that support DES or AES128 encryption. Passwords must be at least eight characters long. Note the following points:

    • Some wireless controllers require that passwords be at least 12 characters long. Be sure to check the minimum password requirements for your wireless controllers. Failure to ensure these required minimum character lengths for passwords results in devices not being discovered, monitored, or managed by Cisco DNA Center.

    • Passwords are encrypted for security reasons and are not displayed in the configuration.

    NETCONF

    Port

    The NETCONF port that Cisco DNA Center should use in order to discover wireless controllers that run Cisco IOS-XE.

  4. In the Create Site screen, group the devices you are going to discover into one site in order to facilitate telemetry and then click Next.

    You can enter the site's information manually or click the location you want to use in the provided map.

  5. In the Enable Telemetry screen, check the network components that you want Cisco DNA Center to collect telemetry for and then click Next.

    To open a pop-up window that lists the commands Cisco DNA Center will send to enable telemetry on a particular component, click its View Sample Commands link.

  6. In the Summary screen, review the settings that you have entered and then do one of the following:

    • If you want to make changes, click the appropriate Edit link to open the relevant screen.

    • If you're happy with the settings, click Start Discovery and Telemetry. Cisco DNA Center validates your settings to ensure that they will not result in any issues. After validation is complete, the screen updates.

      Cisco DNA Center begins the process of discovering your network's devices and enabling telemetry for the network components you selected. The process will take a minimum of 30 minutes (more for larger networks).

  7. Click Launch Homepage to open the Cisco DNA Center homepage.

    While Cisco DNA Center discovers your network's devices and enables telemetry, you can click the Explore link to open a page that provides pointers to product documentation and videos.

    A message appears at the top of the homepage to indicate when the Quick Start workflow has completed.

Integrate Cisco ISE with Cisco DNA Center

This release of Cisco DNA Center provides a mechanism to create a trusted communications link with Cisco ISE and permits Cisco DNA Center to share data with Cisco ISE in a secure manner. After Cisco ISE is registered with Cisco DNA Center, any device that Cisco DNA Center discovers, along with relevant configuration and other data, is pushed to Cisco ISE. Users can use Cisco DNA Center to discover devices and then apply both Cisco DNA Center and Cisco ISE functions to them because these devices are exposed in both applications. Cisco DNA Center and Cisco ISE devices are all uniquely identified by their device names.

As soon as they are provisioned and belong to a particular site in the Cisco DNA Center site hierarchy, Cisco DNA Center devices are pushed to Cisco ISE. Any updates to a Cisco DNA Center device (such as changes to IP address, SNMP or CLI credentials, Cisco ISE shared secret, and so on) will flow to the corresponding device instance on Cisco ISE automatically. Note that Cisco DNA Center devices are pushed to Cisco ISE only when these devices are associated with a particular site where Cisco ISE is configured as its AAA server.

Before you begin

Before attempting to integrate Cisco ISE with Cisco DNA Center, ensure that you have met the following prerequisites:

  • You have deployed one or more Cisco ISE version 2.3 (and later) hosts on your network. For information on installing Cisco ISE, see the Cisco Identity Services Engine Install and Upgrade guides for version 2.3 and later.

  • If you have a standalone Cisco ISE deployment, you must integrate with the Cisco ISE node and enable the pxGrid service and External RESTful Services (ERS) on that node.


    Note

    Cisco ISE 2.4 and later supports pxGrid 2.0 as well as pxGrid 1.0. Although pxGrid 2.0 allows up to four pxGrid nodes in the Cisco ISE deployment, Cisco DNA Center releases earlier than 2.2.1.x do not support more than two pxGrid nodes.

  • If you have a distributed Cisco ISE deployment:

    • You must integrate Cisco DNA Center with the Cisco ISE admin node, the primary Policy Administration node (PAN), and enable ERS on the primary PAN. You must also enable ERS in your secondary PAN. In the case of a primary PAN failover in Cisco ISE, if ERS is not enabled in the secondary PAN, the secondary PAN is not available to Cisco DNA Center. As a result, the connection between Cisco DNA Center and Cisco ISE is affected.


      Note

      As a best practice, use ERS through the PAN. But for backup, enable ERS on the Policy Service nodes (PSNs).

    • As with single-node deployments, you must enable the pxGrid service on one of the Cisco ISE nodes within the distributed deployment. Although you can choose to do so, you do not have to enable pxGrid on the PAN. You can enable pxGrid on any of the other Cisco ISE nodes in your distributed deployment.

    • The PSNs you configure in Cisco ISE to handle TrustSec/SD Access content and PACs must also be defined in Work Centers > Trustsec > Trustsec Servers > Trustsec AAA Servers. For more information, see the Segmentation document in the Administrator Workflow for your release of Cisco ISE.

  • You have enabled communication between Cisco DNA Center and Cisco ISE on the following ports: 22, 443, 5222, 8910, and 9060.

  • The Cisco ISE host on which pxGrid is enabled must be reachable from Cisco DNA Center on the IP address of the Cisco ISE eth0 interface.

  • The Cisco ISE node can reach the fabric underlay network via the appliance's NIC.

  • The Cisco ISE admin node certificate must contain the Cisco ISE IP address or FQDN in either the certificate subject name or the Subject Alternative Name (SAN).

  • The Cisco DNA Center system certificate must list both the Cisco DNA Center appliance IP address and FQDN in the SAN field.


    Note

    For Cisco ISE 2.4 Patch 13, 2.6 Patch 7, and 2.7 Patch 3, if you are using the Cisco ISE default self-signed certificate as the pxGrid certificate, Cisco ISE might reject that certificate after applying those patches. This is because the older versions of that certificate have the Netscape Cert Type extension specified as the SSL server, which now fails (because a client certificate is required).

    This issue does not occur in Cisco ISE 3.0 and later. For details and a suggested workaround, see the Cisco ISE Release Notes.

For more information about configuring Cisco ISE for Cisco DNA Center, see Integration with Cisco DNA Center in the Cisco ISE Administrators Guide.

Procedure

Step 1

Enable the Cisco ISE pxGrid service and ERS:

  1. Log in to the Cisco ISE primary policy administration node.

  2. Choose Administration > System > Deployment.

    The Deployment Nodes window opens.

  3. Click the hostname of the Cisco ISE node on which you want to enable pxGrid services.

    In a distributed deployment, this can be any Cisco ISE node in the deployment.

    The Edit Node window opens, with the General Settings tab selected by default.

  4. Ensure that the pxGrid check box is checked, then click Save.

  5. Choose Administration > System > Settings.

  6. From the left navigation pane, click ERS Settings to open the ERS Settings window.

  7. Click the Enable ERS for Read/Write radio button, then click OK in the notification prompt.

  8. Click Save.

Step 2

Add the Cisco ISE node to Cisco DNA Center as a AAA server:

  1. Log in to the Cisco DNA Center GUI.

  2. Click the Menu icon () and choose System > System 360.

  3. In the Identity Services Engine (ISE) pane, click the Configure link.

  4. From the Authentication and Policy Servers window, click Add and choose ISE from the drop-down list.

  5. Complete the following tasks in the Add AAA/ISE server slide-in pane:

    • In the Server IP Address field, enter the Cisco ISE management IP address.

    • Enter the Shared Secret used to secure communications between your network devices and Cisco ISE.

    • In the Username and Password fields, enter the corresponding Cisco ISE admin credentials.

    • Enter the FQDN for the Cisco ISE node.

    • (Optional) Enter the virtual IP address of the load balancer behind which the Cisco ISE PSNs are located. If you have multiple policy service node farms behind different load balancers, you can enter a maximum of six virtual IP addresses.

  6. Click Add.

The first time integration with Cisco ISE is initiated, you will see a notification that the certificate from Cisco ISE is not yet trusted.

  • You can view the certificate to see the details.

  • Choose Accept to trust the certificate and continue with the integration process. If you do not wish to trust the certificate and terminate the integration process, choose Decline.

After the integration completes successfully, a confirmation message is displayed.

If any problem is encountered in the integration process, a message is shown with details of the problem. An option to edit or retry is shown where possible.

  • If the error message says that the Cisco ISE Admin credentials are invalid, click Edit and re-enter the correct information.

  • If errors are found with certificates in the integration process, you must delete the Cisco ISE server entry and restart the integration from the beginning after the certificate issue has been resolved.

Step 3

Verify that Cisco DNA Center is connected to Cisco ISE, and that the Cisco ISE SGT groups and devices are being pushed to Cisco DNA Center:

  1. Log in to the Cisco DNA Center GUI.

  2. Click the Menu icon () and choose System > System 360.

  3. In the Identity Services Engine (ISE) pane, click the Update link.

  4. From the Authentication and Policy Servers window, verify that the status of the Cisco ISE AAA server is still Active.

Step 4

Verify that Cisco ISE is connected to Cisco DNA Center and that the connection has subscribers:

  1. Log in to the Cisco ISE nodes that are shown as pxGrid servers in the Cisco Identity Services Engine (ISE) Deployment window.

  2. Choose Administration > pxGrid Services and click the Web Clients tab.

    You should see two pxGrid clients in the list with the IP address of the Cisco DNA Center server.

Group-Based Access Control: Policy Data Migration and Synchronization

When You Start Using Cisco DNA Center

In earlier releases of Cisco DNA Center, the Group-Based Access Control policy function stored some policy Access Contracts and Policies locally in Cisco DNA Center. Cisco DNA Center also propagated that data to Cisco ISE. Cisco ISE provides the runtime policy services to the network, which includes group-based access control policy downloads to the network devices. Usually, the policy information in Cisco DNA Center matches the policy information in Cisco ISE. But it is possible that the data is not in sync; the data may not be consistent. Because of this, after installing or upgrading to Cisco DNA Center, the following steps are necessary before you can use the Group-Based Access Control capabilities.

  • Integrate Cisco ISE with Cisco DNA Center, if it is not already integrated.

  • Upgrade Cisco ISE, if the version is not the minimum required. See the Cisco DNA Center Release Notes for the required versions of Cisco ISE.

  • Perform Policy Migration and Synchronization.

What Is “Migration and Synchronization”?

Cisco DNA Center reads all the Group-Based Access Control policy data in the integrated Cisco ISE and compares that data with the policy data in Cisco DNA Center. If you upgraded from an earlier version, existing policy data is retained. You must synchronize the policies before you can manage Group-Based Access Control Policy in Cisco DNA Center.

How Does Migration and Synchronization Work?

Usually, the policy data in Cisco ISE and in Cisco DNA Center is consistent, so no special handling or conversion of data is necessary. Sometimes, when there are minor discrepancies or inconsistencies, only some of the data is converted during the migration. If there is a conflict, the data in Cisco ISE is given precedence, so as not to introduce changes in policy behavior in the network. The following list describes the actions taken during migration:

  • Scalable Groups: The Scalable Group Tag (SGT), which is a numeric value, uniquely identifies a Scalable Group. Cisco ISE Security Groups are compared to Scalable Groups in Cisco DNA Center.

    • When the Name and SGT value are the same, nothing is changed. The information in Cisco DNA Center is consistent with Cisco ISE and does not need to be changed.

    • When a Cisco ISE Security Group SGT value does not exist in Cisco DNA Center, a new Scalable Group is created in Cisco DNA Center. The new Scalable Group is given the default association of “Default_VN.”

    • When a Cisco ISE Security Group SGT value exists in Cisco DNA Center, but the names do not match, the name from Cisco ISE Security Group replaces the name of that Scalable Group in Cisco DNA Center.

    • When the Cisco ISE Security Group Name is the same, but the SGT value is different, the Security Group from Cisco ISE is migrated. It retains the name and tag value, and the Cisco DNA Center Scalable Group is renamed. A suffix of “_DNA” is added.

Contracts

All the SGACLs in Cisco ISE that are referenced by policies are compared to Contracts in Cisco DNA Center.

  • When the SGACL and Contract have the same name and content, there is no need for further action. The information in Cisco DNA Center is consistent with Cisco ISE and does not need to be changed.

    • When the SGACL and Contract have the same name, but the content is different, the SGACL content from Cisco ISE is migrated. The previous Contract content in Cisco DNA Center is discarded.

When the SGACL name does not exist in Cisco DNA Center, a new Contract with that name is created, and the SGACL content from Cisco ISE is migrated.


Note

When creating new Access Contracts based on Cisco ISE SGACL content, Cisco DNA Center parses the text command lines, and, where possible, renders these SGACL commands as a modeled Access Contract. Each ACE line renders as an “Advanced” application line. If a Cisco ISE SGACL contains text that cannot be parsed successfully, the text content of the SGACL is not converted into modeled format. It is stored as raw command line text. These SGACL text contracts may be edited, but no parsing or syntax checking of the text content is performed during migration.

Policies

A Policy is uniquely identified by a source group-destination group pair. All Cisco ISE TrustSec Egress Policy Matrix policies are compared to the policies in Cisco DNA Center.

  • When a policy for a source group-destination group references the same SGACL/Contract name in Cisco ISE, no changes are made.

  • When a policy for a source group-destination group references a different SGACL/Contract name in Cisco ISE, the Cisco ISE Contract name is referenced in the policy. This overwrites the previous Contract reference in Cisco DNA Center.

  • The Cisco ISE default policy is checked and migrated to Cisco DNA Center.


Note

Cisco DNA Center supports a single contract in access policies. Cisco ISE has an option to use multiple SGACLs in access policies, but this option is not enabled by default in Cisco ISE, and in general is not widely used. Existing SDA customers who have been using the previous release of Cisco DNA Center to manage Group-Based Access Control policy did not use this option.

If you enabled the option to allow multiple SGACLs on Cisco ISE and used this when creating policies, those policies cannot be migrated to Cisco DNA Center in this release. The specific policy features that make use of the “multiple SGACL” option and cannot be migrated are:

  • Multiple SGACLs in a policy.

  • Policy Level catch-all rules set to “Permit” or “Deny.” Only the value of “None” is currently supported for migration to Cisco DNA Center.

  • Default Policy set to use a customer-created SGACL, but only the standard values of “Permit IP,” “Permit_IP_Log,” “Deny IP,” and “Deny_IP_Log” are currently supported for migration to Cisco DNA Center.

If any of the preceding SGACLs are detected during the policy migration and synchronization operation, a notification is generated, and you must choose between the following options to continue:

  • Manage Group-Based Access Control policy in Cisco DNA Center: If this option is selected, all management of Group-Based Access Control Policy is done in Cisco DNA Center. The user interface screens in Cisco ISE for management of Cisco ISE Security Groups, SGACLs, and Egress Policies are available in Read-Only mode. If there were any issues migrating policies (due to use of multiple SGACLs in Cisco ISE), those policies have no contract selected in Cisco DNA Center. The policy uses the default policy, and you can select a new contract for those policies after completing the migration. If there was an problem migrating the default policy, the default policy is set to "Permit."

  • Manage Group-Based Access Control Policy in Cisco ISE: If this option is selected, Cisco DNA Center Group-Based Access Control policy management is inactive. No changes are made to Cisco ISE and there is no effect on policy enforcement in the network. Group-Based Access Control policy is managed in Cisco ISE at the TrustSec workcenter.

  • Manage Group-Based Access Control policy in both Cisco DNA Center and Cisco ISE: This option is not recommended for general use, because policy changes made in Cisco ISE are not synchronized with Cisco DNA Center. The two systems cannot be kept in sync. This option is intended as a short-term or interim option, and should only be considered when you enabled the “Allow Multiple SGACLs” option in Cisco ISE. Use this option if you need more time and flexibility updating Cisco ISE.

Configure Authentication and Policy Servers

Cisco DNA Center uses AAA servers for user authentication and Cisco ISE for both user authentication and access control. Use this procedure to configure AAA servers, including Cisco ISE.

Before you begin

  • If you are using Cisco ISE to perform both policy and AAA functions, make sure that Cisco DNA Center and Cisco ISE are integrated as described in Integrate Cisco ISE With Cisco DNA Center.

  • If you are using another product (not Cisco ISE) to perform AAA functions, make sure that you do the following:

    • Register Cisco DNA Center with the AAA server, and define the shared secret on both the AAA server and Cisco DNA Center.

    • Define an attribute name for Cisco DNA Center on the AAA server.

    • For a Cisco DNA Center multihost cluster configuration, define all the individual host IP addresses and the virtual IP address for the multihost cluster on the AAA server.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > External Services > Authentication and Policy Servers.

Step 2

Click .

Step 3

Configure the primary AAA server by providing the following information:

  • Server IP Address: IP address of the AAA server.

  • Shared Secret: Key for device authentications. The shared secret can be up to 128 characters in length.

Step 4

To configure an AAA server (except Cisco ISE), leave the Cisco ISE Server slider in the Off position and proceed to Step 5.

To configure a Cisco ISE server, click the Cisco ISE server slider to move it to the On position and enter information in the following fields:

  • Username—Name that is used to log in to Cisco ISE CLI.

    Note 

    This user must be a Super Admin.

  • Password—Password for the Cisco ISE CLI username.

  • FQDN—FQDN of the Cisco ISE server.

    Note 

    • We recommend that you copy the FQDN that is defined in Cisco ISE (Administration > Deployment > Deployment Nodes > List) and paste it directly into this field.

    • The FQDN that you enter must match the FQDN, Common Name (CN), or Subject Alternative Name (SAN) defined in the Cisco ISE certificate.

    The FQDN consists of two parts, a hostname and a domain name, in the following format:

    hostname.domainname.com.

    For example, the FQDN for a Cisco ISE server might be ise.cisco.com.

  • Subscriber Name—Unique text string that identifies a pxGrid client registering for Cisco ISE pxGrid services; for example, acme. The subscriber name is used during Cisco DNA Center-to-Cisco ISE integration.

  • (Optional) SSH Key—Diffie-Hellman-Group14-SHA1 SSH key used to connect to Cisco ISE.

  • (Optional) Virtual IP Address(es)—Virtual IP address of the load balancer behind which the Cisco ISE policy service nodes are located. If you have multiple policy service node farms behind different load balancers, you can enter a maximum of six virtual IP addresses.

Note 

If the status of the configured ISE server is "FAILED" due to password change, click Retry, and update the password to resync the ISE connectivity.

Step 5

Click the Advanced Settings slider to move it to the On position and configure the following settings:

Note 

The settings you need to configure will vary, depending on the protocol you set for the server.

  • Protocol: RADIUS is set by default, but you can choose TACACS instead or choose both protocols.

    Attention 

    If you do not choose TACACS for Cisco ISE servers, it will not be available when you configure Cisco ISE nodes.

  • Authentication Port: Port used by RADIUS to relay authentication messages to the AAA server. The default is UDP port 1812.

  • Accounting Port: Port used by RADIUS to relay important events to the AAA server. The information in these events is used for security and billing purposes. The default UDP port is 1813.

  • Port: Port used by TACACS to communicate with the AAA server. The default port is 49.

  • Retries: Number of times that Cisco DNA Center attempts to connect with the AAA server before abandoning the attempt to connect. The default number of attempts is 3.

  • Timeout: Length of time the device waits for the AAA server to respond before abandoning the attempt to connect. The default timeout is 4 seconds.

Step 6

Click Apply.

Step 7

To add a secondary server, repeat Step 2 through Step 6.

Configure SNMP Properties

You can configure the retry and timeout values for SNMP.

Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see the Cisco DNA Center Administrator Guide.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Device Settings > SNMP.

Step 2

Configure the following fields:

  • Retries: Number of attempts allowed to connect to the device. Valid values are from 1 to 3. The default is 3.

  • Timeout (in Seconds): Number of seconds Cisco DNA Center waits when trying to establish a connection with a device before timing out. Valid values are from 1 to 300 seconds, in intervals of 5 seconds. The default is 5 seconds.

Step 3

Click Save.

Note 

To return to the default settings, click Reset and Save.