Security Hardening Overview
Cisco Digital Network Architecture (Cisco DNA) Center is a highly advanced and capable enterprise controller for the Cisco network platform. As one of the most critical infrastructure components of enterprise networks, Cisco DNA Center must be deployed securely. This guide explains the best practices that must be followed to ensure a secure deployment. To mitigate possible security risks, carefully evaluate the multilayered security considerations for Cisco DNA Center in your network infrastructure and take the actions recommended in this guide.
Note: This guide is updated on a regular basis when new security features are introduced in Cisco DNA Center. We recommend that you bookmark this guide and download the latest version from cisco.com.
Cisco DNA Center Hardening Steps
Cisco DNA Center provides many security features for itself, as well as for the hosts and network devices that it monitors and manages. You must clearly understand and configure the security features correctly. We strongly recommend that you follow these security recommendations:
- Deploy Cisco DNA Center in a private internal network and behind a firewall that does not expose Cisco DNA Center to an untrusted network, such as the internet.
- If you have separate management and enterprise networks, connect Cisco DNA Center's management and enterprise interfaces to your management and enterprise networks, respectively. Doing so ensures network isolation between the services used to administer and manage Cisco DNA Center and the services used to communicate with and manage your network devices.
- If deploying Cisco DNA Center in a three-node cluster setup, verify that the cluster interfaces are connected in an isolated network.
- Upgrade Cisco DNA Center with critical upgrades, including security patches, as soon as possible after a patch announcement. For more information, see the Cisco DNA Center Upgrade Guide.
- Restrict the remote URLs accessed by Cisco DNA Center using an HTTPS proxy server. Cisco DNA Center is configured to access the internet to download software updates, licenses, and device software, as well as to provide up-to-date map information, user feedback, and so on. Providing internet connections for these purposes is a mandatory requirement. However, provide these connections securely through an HTTPS proxy server. For more information, see Secure Internet Access to Required Internet URLs and Fully Qualified Domain Names.
- Restrict the ingress and egress management and enterprise network connections to and from Cisco DNA Center using a firewall, by only allowing known IP addresses and ranges and blocking network connections to unused ports. For more information, see Communication Ports.
- Replace the self-signed server certificate from Cisco DNA Center with a certificate signed by your internal certificate authority (CA).
- If possible, disable SFTP Compatibility Mode in your network environment. This mode allows legacy network devices to connect to Cisco DNA Center using older cipher suites. For more information, see Disable SFTP Compatibility Mode.
- Disable the browser-based appliance configuration wizard, which comes with a self-signed certificate. For more information, see Browser-Based Appliance Configuration Wizard.
- Upgrade the minimum TLS version. Cisco DNA Center comes with TLSv1.1 and TLSv1.2 enabled by default, and we recommend that you set the minimum TLS version to 1.2 if possible in your network environment. For more information, see Change the Minimum TLS Version and Enable RC4-SHA (Not Secure).
User Role Considerations
Users are assigned roles that control access to the functions that they are permitted to perform.
Cisco DNA Center supports the following user roles. For more information, see "About User Roles" and "Create Local Users" in the Cisco DNA Center Administrator Guide.
- Administrator (SUPER-ADMIN-ROLE): Users with this role have full access to all Cisco DNA Center functions. They can create other user profiles with various roles, including those with the SUPER-ADMIN-ROLE. Restrict the number of users with this role.
- Network Administrator (NETWORK-ADMIN-ROLE): Users with this role have full access to all of the network-related Cisco DNA Center functions. However, they do not have access to system-related functions, such as backup and restore.
- Observer (OBSERVER-ROLE): Users with this role have view-only access to Cisco DNA Center functions. Users with an observer role cannot access any functions that configure or control Cisco DNA Center or the devices it manages.
In addition to the preconfigured user roles above, Cisco DNA Center also supports user roles with a custom fine-grained access policy, which allows you to create custom roles that permit or restrict user access to certain Cisco DNA Center functions. For more information, see "Configure Role Based Access Control" in the Cisco DNA Center Administrator Guide.
Note: We strongly recommend that you restrict the number of users with the Administrator role because administrators have control over the configuration of critical functions.
Cisco DNA Center can use Cisco Identity Services Engine (ISE) or other authentication, authorization, and accounting (AAA) servers for user authentication. For more information, see "Configure Authentication and Policy Servers" in the Cisco DNA Center Administrator Guide.
Secure Your Cisco DNA Center Deployment
Cisco DNA Center provides many security features for itself, as well as for the hosts and network devices that it monitors and manages. We strongly recommend that you place Cisco DNA Center and Cisco ISE behind a firewall in either a local data center (head of campus) or remote data center as shown here.

To access Cisco DNA Center through the GUI and to enable Cisco DNA Center to interact with network devices, specific ports must be configured on the firewall. Cisco DNA Center integrates with the cloud and is distributed across the globe for practical latency requirements.

Communication Ports
Security Recommendations:
- Deploy a firewall between Cisco DNA Center and the management or enterprise network for a defense-in-depth approach to securing the Cisco DNA Center deployment.
- Open the ports only for specific IP addresses or ranges.
The following table lists the ports that Cisco DNA Center uses, the names of the services communicating over these ports, and the product’s purpose in using them. The Recommended Action column indicates whether you can restrict network traffic to known IP addresses or ranges, or block network connections to or from a Cisco DNA Center port or service without affecting the functionality of Cisco DNA Center, or whether you must leave the port open.
Some destination ports in Cisco DNA Center are duplicated. The subsections call out the usage and related network service. You can limit the source or destination IP addresses or ranges in the firewall rules or choose not to open the port if the service is not used in your Cisco DNA Center deployment.
Port | Service Name | Purpose | Recommended Action
---|---|---|---
Administering or Configuring Cisco DNA Center | | |
TCP 443 | UI, REST, HTTPS | GUI, REST, HTTPS management port. | Port must be open.
TCP 2222 | Cisco DNA Center shell | Connect to the Cisco DNA Center shell. | Port must be open. Restrict the source to known IP addresses.
TCP 9004 | Web UI installation | Serves the GUI-based installation page (required only if you choose to install Cisco DNA Center using the web-based option). | Port must be open until the installation of the node is complete.
TCP 9005 | Web UI installation API service | Serves the API for the web-based installation (connected by the browser client from port 9004; no external agent requires access). | Port must be open until the cluster formation is complete.
Administering or Configuring Cisco IMC | | |
TCP 22 | Cisco DNA Center shell | Connects to the Cisco DNA Center shell. | Port must be open. Configure the known IP address as the source.
UDP and TCP 53 | DNS | Used to resolve a DNS name to an IP address. | Port must be open if DNS names are used instead of IP addresses for other services (such as an NTP DNS name).
UDP and TCP 389 | LDAP | Cisco IMC user management via LDAP. | Optional; open only if external user authentication via LDAP is needed.
TCP 443 | UI, REST, HTTPS | Web UI, REST, HTTPS management port. | Port must be open.
UDP and TCP 636 | LDAPS | Cisco IMC user management via LDAP over SSL. | Optional; open only if external user authentication via LDAPS is needed.
TCP 2068 | HTTPS | Remote KVM console redirect port. | Port must be open until installation of the node is complete.
UDP 123 | NTP | Synchronize the time with an NTP server. | Port must be open.
UDP 161 | SNMP Polling/Config | SNMP server polling and configuration. | Optional; open only for SNMP server polling and configuration.
UDP 162 | SNMP Traps | Send SNMP traps to an external SNMP server. | Optional; open only for an external SNMP trap collector.
UDP 514 | Syslog | View faults and logs on an external server. | Optional; open only for sending message logs to an external server.
Cisco DNA Center Outbound to Device and Other Systems | | |
— | ICMP | Cisco DNA Center uses ICMP messages to discover network devices and troubleshoot network connectivity issues. | Enable ICMP.
TCP 22 | SSH | Cisco DNA Center uses SSH to connect to network devices so that it can: Cisco DNA Center also uses SSH to connect to and complete initial integration with Cisco ISE. | SSH must be open between Cisco DNA Center and the following:
TCP 23 | Telnet | We strongly discourage the use of Telnet. Although Telnet is discouraged, Cisco DNA Center can use Telnet to connect to devices in order to read the device configuration for discovery and to make configuration changes. | Telnet can be used for device management, but we do not recommend it because Telnet does not offer the security mechanisms that SSH provides.
TCP 49 | TACACS+ | Needed only if you are using external authentication, such as Cisco ISE with a TACACS+ server. | Port must be open only if you are using external authentication with a TACACS+ server.
TCP 80 | HTTP | Cisco DNA Center uses HTTP for trust pool updates. | To access Cisco-supported trust pools, configure your network to allow outgoing traffic from the appliance to the following URL:
UDP 53 | DNS | Cisco DNA Center uses DNS to resolve hostnames. | Port must be open for DNS hostname resolution.
UDP 123 | NTP | Cisco DNA Center uses NTP to synchronize the time from the source that you specify. | Port must be open for time synchronization.
UDP 161 | SNMP | Cisco DNA Center uses SNMP to discover network devices; to read device inventory details, including device type; and for telemetry data purposes, including CPU and RAM. | Port must be open for network device management and discovery.
TCP 443 | HTTPS | Cisco DNA Center uses HTTPS for cloud-tethered upgrades. | Port must be open for cloud tethering, telemetry, and software upgrades.
TCP 830 | NETCONF | Cisco DNA Center uses NETCONF for device inventory, discovery, and configuration. | Port must be open for network device management and discovery of devices that support NETCONF.
UDP 1645 or 1812 | RADIUS | Needed only if you are using external authentication with a RADIUS server. | Port must be open only if an external RADIUS server is used to authenticate user login to Cisco DNA Center.
TCP 5222, 8910 | Cisco ISE | Cisco DNA Center uses Cisco ISE XMPP for pxGrid. | Port must be open for Cisco ISE.
TCP 9060 | Cisco ISE | Cisco DNA Center uses Cisco ISE ERS API traffic. | Port must be open for Cisco ISE.
Device to Cisco DNA Center | | |
— | ICMP | Devices use ICMP messages to communicate network connectivity issues. | Enable ICMP.
TCP 22, 80, 443 | HTTPS, SFTP, HTTP | Software image download from Cisco DNA Center through HTTPS:443, SFTP:22, HTTP:80. Certificate download from Cisco DNA Center through HTTPS:443, HTTP:80 (Cisco 9800 Wireless Controller, PnP), Sensor/Telemetry. | Ensure that firewall rules limit the source IP of the hosts or network devices allowed to access Cisco DNA Center on these ports.
UDP 123 | NTP | Devices use NTP for time synchronization. | Port must be open to allow devices to synchronize the time.
UDP 162 | SNMP | Cisco DNA Center receives SNMP network telemetry from devices. | Port must be open for data analytics based on SNMP.
UDP 514 | Syslog | Cisco DNA Center receives syslog messages from devices. | Port must be open for data analytics based on syslog.
UDP 6007 | NetFlow | Cisco DNA Center receives NetFlow network telemetry from devices. | Port must be open for data analytics based on NetFlow.
TCP 9991 | Wide Area Bonjour Service | Cisco DNA Center receives multicast Domain Name System (mDNS) traffic from the Service Discovery Gateway (SDG) agents using the Bonjour Control Protocol. | Port must be open on Cisco DNA Center if the Bonjour application is installed.
UDP 21730 | Application Visibility Service | Application Visibility Service CBAR device communication. | Port must be open when CBAR is enabled on a network device.
TCP 25103 | Cisco 9800 Wireless Controller and Cisco Catalyst 9000 switches with streaming telemetry enabled | Used for telemetry. | Port must be open for telemetry connections between Cisco DNA Center and Catalyst 9000 devices.
TCP 32626 | Intelligent Capture (gRPC) collector | Used for receiving traffic statistics and packet-capture data used by the Cisco DNA Assurance Intelligent Capture (gRPC) feature. | Port must be open if you are using the Cisco DNA Assurance Intelligent Capture (gRPC) feature.
Enable Cisco DNA Center Disaster Recovery
Cisco DNA Center provides a mechanism to recover from a Cisco DNA Center cluster loss (or a data center loss) and maintain operational continuity. This is achieved through the Disaster Recovery application of Cisco DNA Center, which replicates all the essential data from the main Cisco DNA Center cluster to a second standby (recovery) Cisco DNA Center cluster.
Security Recommendation: We recommend that you enable Cisco DNA Center's Disaster Recovery Service, to recover from a Cisco DNA Center cluster loss (or a data center loss) and maintain operational continuity.
The Cisco DNA Center recovery cluster contains all the essential data (Mongodb, Postgresql, credentials and certificates, file service) replicated from the main Cisco DNA Center cluster, and takes over control in case the main Cisco DNA Center cluster is lost. For more information, see "Configure Disaster Recovery" in the Cisco DNA Center Administrator Guide.
Note: Disaster recovery uses IPsec tunneling to secure network traffic between the disaster recovery systems (main, recovery, and witness). Authentication to set up the IPsec tunnels between disaster recovery systems is certificate-based (OpenSSL certificates). For the key-exchange phase of the IPsec protocol, IPsec tunneling uses the secure and robust IKEv2 protocol.
Use a certificate for Disaster Recovery that is separate from the Cisco DNA Center system certificate used for HTTPS connections. For more information, see "Add Disaster Recovery Certificate" in the Cisco DNA Center Administrator Guide.
Disaster Recovery Ports
If you are using disaster recovery in your production environment, see the following table to plan the firewall and security policies you'll use to secure your disaster recovery setup. Ensure that the ports listed here are open so that Cisco DNA Center has the access it requires to set up disaster recovery across your network's data centers.
Source Port | Source | Destination Port | Destination | Description
---|---|---|---|---
Any | Cisco DNA Center Enterprise IP/VIP | TCP 443 | Cisco DNA Center Enterprise VIP | REST API access
Any | Cisco DNA Center Enterprise IP/VIP | UDP 500 | Cisco DNA Center Enterprise VIP | IPsec tunnel
Any | Cisco DNA Center Enterprise IP/VIP | TCP 873 | Cisco DNA Center Enterprise VIP | Replication of GlusterFS data through rsync
Any | Cisco DNA Center Enterprise IP/VIP | UDP 4500 | Cisco DNA Center Enterprise VIP | IPsec tunnel
Any | Cisco DNA Center Enterprise IP/VIP | TCP 8300 | Cisco DNA Center Enterprise VIP | Consul RPC communication
Any | Cisco DNA Center Enterprise IP/VIP | TCP 8301 | Cisco DNA Center Enterprise VIP | Consul SERF LAN port
Any | Cisco DNA Center Enterprise IP/VIP | UDP 8301 | Cisco DNA Center Enterprise VIP | Consul SERF LAN port
Any | Cisco DNA Center Enterprise IP/VIP | TCP 8302 | Cisco DNA Center Enterprise VIP | Consul SERF WAN port [1]
Any | Cisco DNA Center Enterprise IP/VIP | UDP 8302 | Cisco DNA Center Enterprise VIP | Consul SERF WAN port [1]
Any | Cisco DNA Center Enterprise IP/VIP | TCP 8443 | Cisco DNA Center Enterprise VIP | HA proxy API access [2]
Any | Cisco DNA Center Enterprise IP/VIP | TCP 31000 | Cisco DNA Center Enterprise VIP | Postgres replication
Any | Cisco DNA Center Enterprise IP/VIP | TCP 31001 | Cisco DNA Center Enterprise VIP | Postgres replication
Any | Cisco DNA Center Enterprise IP/VIP | TCP 31002 | Cisco DNA Center Enterprise VIP | Credential Manager replication
Any | Cisco DNA Center Enterprise IP/VIP | TCP 31003 | Cisco DNA Center Enterprise VIP | MongoDB replication
Any | Cisco DNA Center Enterprise IP/VIP | TCP 31004 | Cisco DNA Center Enterprise VIP | MongoDB replication
Any | Cisco DNA Center Enterprise IP/VIP | UDP 500 | Witness IP | IPsec tunnel
Any | Cisco DNA Center Enterprise IP/VIP | TCP 2222 | Witness IP | TCP ping for witness reachability
Any | Cisco DNA Center Enterprise IP/VIP | UDP 4500 | Witness IP | IPsec tunnel
Any | Cisco DNA Center Enterprise IP/VIP | TCP 8300 | Witness IP | Consul RPC communication
Any | Cisco DNA Center Enterprise IP/VIP | TCP 8301 | Witness IP | Consul SERF LAN port
Any | Cisco DNA Center Enterprise IP/VIP | UDP 8301 | Witness IP | Consul SERF LAN port
Any | Cisco DNA Center Enterprise IP/VIP | TCP 8302 | Witness IP | Consul SERF WAN port [1]
Any | Cisco DNA Center Enterprise IP/VIP | UDP 8302 | Witness IP | Consul SERF WAN port [1]
Any | Cisco DNA Center Enterprise IP/VIP | TCP 8443 | Witness IP | HA proxy API access [2]
Any | Cisco DNA Center Enterprise/Management VIP | TCP 179 | Neighbor router | BGP session with neighbor router
Any | Witness IP | UDP 53 | DNS server | From witness to DNS server
Any | Witness IP | UDP 123 | NTP server | From witness to NTP server
Any | Witness IP | TCP 443 | Cisco DNA Center Enterprise VIP | Access APIs during disaster recovery registration
Any | Witness IP | UDP 500 | Cisco DNA Center Enterprise VIP | IPsec tunnel
Any | Witness IP | UDP 4500 | Cisco DNA Center Enterprise VIP | IPsec tunnel
Any | Witness IP | TCP 8300 | Cisco DNA Center Enterprise VIP | Consul RPC communication
Any | Witness IP | TCP 8301 | Cisco DNA Center Enterprise VIP | Consul SERF LAN port
Any | Witness IP | UDP 8301 | Cisco DNA Center Enterprise VIP | Consul SERF LAN port
Any | Witness IP | TCP 8302 | Cisco DNA Center Enterprise VIP | Consul SERF WAN port [1]
Any | Witness IP | UDP 8302 | Cisco DNA Center Enterprise VIP | Consul SERF WAN port [1]
Any | Witness IP | TCP 8443 | Cisco DNA Center Enterprise VIP | HA proxy API access [2]
Secure Internet Access to Required Internet URLs and Fully Qualified Domain Names
Security Recommendation: We recommend that you allow secure access only to the URLs and Fully Qualified Domain Names required by Cisco DNA Center, through an HTTP(S) proxy.
For more information, see "Required Internet URLs and Fully Qualified Domain Names" and "Provide Secure Access to the Internet" sections in the latest Cisco DNA Center Second-Generation Appliance Installation Guide.
Secure the Management Interface
If you are using Cisco Integrated Management Controller (IMC), the first security action to perform on the Cisco DNA Center appliance is to secure the out-of-band management interface (Cisco IMC) account. Change the default password of the admin account to a stronger value as per the password policy. See "Enable Browser Access to Cisco IMC" in the Cisco DNA Center Appliance Installation Guide and "Configure External Authentication" in the Cisco DNA Center Administrator Guide.
Note: You must secure the password of Maglev CLI users with super admin access. For details, see "Configure the Primary Node" in the Cisco DNA Center Appliance Installation Guide.
Rate Limit IP Traffic to an Interface
Security Recommendation: We recommend that you rate limit the incoming IP traffic to Cisco DNA Center from your network devices.
By default, Cisco DNA Center does not rate limit IP traffic to its interfaces. However, we recommend that you rate limit the incoming IP traffic to a Cisco DNA Center interface, either from a specific source IP or for all traffic, to protect against DoS/DDoS attacks originating from internal network threats.
Before you begin
You must have maglev SSH access privileges to perform this procedure.
Procedure
Step 1: Using an SSH client, log in to the Cisco DNA Center appliance with the IP address that you specified using the configuration wizard. The IP address that you must enter for the SSH client is the one you configured for the network adapter. This IP address connects the appliance to the external network.
Step 2: When prompted, enter your username and password for SSH access.
Step 3: Enter the following command to restrict the incoming traffic from a specific source:
Step 4: Log out of the Cisco DNA Center appliance.
Change the Minimum TLS Version and Enable RC4-SHA (Not Secure)
Security Recommendation: We recommend that you upgrade the minimum TLS version to TLSv1.2 for incoming TLS connections to Cisco DNA Center.
Connections from an external network, such as northbound REST API-based apps, browsers, and network devices connecting to Cisco DNA Center using HTTPS, are secured using the Transport Layer Security (TLS) protocol.
By default, Cisco DNA Center supports TLSv1.1 and TLSv1.2, and does not support RC4 ciphers for SSL/TLS connections. Since RC4 ciphers have well known weaknesses, we recommend that you upgrade the minimum TLS version to TLSv1.2 if your network devices support it.
Cisco DNA Center provides a configuration option to downgrade the minimum TLS version and enable RC4-SHA if your network devices under Cisco DNA Center control cannot support the existing minimum TLS version (TLSv1.1) or ciphers. For security reasons, however, we recommend that you do not downgrade Cisco DNA Center TLS version or enable RC4-SHA ciphers.
To change the TLS version or enable RC4-SHA for Cisco DNA Center, log in to the corresponding appliance and use the CLI.
Note: CLI commands can change from one release to the next. The following CLI example uses command syntax that might not apply to all Cisco DNA Center releases.
Before you begin
You must have maglev SSH access privileges to perform this procedure.
Note: This security feature applies to port 443 on Cisco DNA Center. Performing this procedure may disable traffic on the port to the Cisco DNA Center infrastructure for a few seconds. For this reason, you should configure TLS infrequently and only during off-peak hours or during a maintenance period.
Procedure
Step 1: Using an SSH client, log in to the Cisco DNA Center appliance with the IP address that you specified using the configuration wizard. The IP address to enter for the SSH client is the IP address that you configured for the network adapter. This IP address connects the appliance to the external network.
Step 2: When prompted, enter your username and password for SSH access.
Step 3: Enter the following command to check the TLS version currently enabled on the cluster. The following is an example:
Step 4: If you want to change the TLS version on the cluster, enter the following commands. For example, you might want to change the current TLS version to an earlier version if your network devices under Cisco DNA Center control cannot support the existing TLS version. The following example shows how to change from TLS Version 1.1 to 1.0:
The following example shows how to change from TLS Version 1.1 to 1.2 (only allowed if you haven't enabled RC4-SHA):
Step 5: If you want to change the TLS version for streaming telemetry connections between Cisco DNA Center and Catalyst 9000 devices (via the TCP 25103 port), enter the following command. For example, you might want to change the current TLS version if the network devices Cisco DNA Center manages can support TLS version 1.2. The following example shows how to change from TLS Version 1.1 to 1.2:
Step 6: Enter the following command to enable RC4-SHA on a cluster (not secure; proceed only if needed). Enabling RC4-SHA ciphers is not supported when TLS Version 1.2 is the minimum version. The following example shows TLS version 1.2 is not enabled:
Step 7: Enter the following command at the prompt to confirm that TLS and RC4-SHA are configured. The following is an example:
Step 8: To disable the RC4-SHA ciphers that you enabled previously, enter the following command on the cluster:
Step 9: Log out of the Cisco DNA Center appliance.
Use of OCSP and CRL for HTTPS Connections by Cisco DNA Center
Cisco DNA Center uses Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) to confirm that a remote certificate is not revoked.
Procedure
Step 1: Cisco DNA Center checks for OCSP. If a valid OCSP URI or URL is present in the Authority Information Access (AIA) field of the certificate, Cisco DNA Center sends an OCSP request to that URI or URL to validate the certificate's revocation status.
Step 2: Cisco DNA Center checks for a CRL. If the certificate includes the CRL Distribution Points field, and that field has at least one entry with a valid CRL URI or URL, Cisco DNA Center downloads the CRL from the URI or URL and validates the certificate against the downloaded CRL.
Manage Credentials and Passwords
Cluster Password
Cisco DNA Center supports cluster formation with three nodes. For efficiency and security, we recommend the following:
- The cluster should be created with dedicated, separate interfaces for connecting to the enterprise network, forming an intracluster network, and connecting to a dedicated management network.
- The intracluster network should be created as an isolated Layer 2 segment that is not connected to or routed through any other network segment.
- You should not reuse passwords (Cisco IMC or SSH) across the Cisco DNA Center cluster members.
SSH or Maglev Password Recovery
You must secure the SSH password. Share the SSH password only with the super admin. Cisco DNA Center does not provide the functionality to recover the SSH password.
SSH Account Lockout and Recovery
After six consecutive failed login attempts over SSH, the maglev account will be temporarily locked for five minutes from the time of last failed attempt. During this lockout period, login attempts with the correct password will also fail, and be counted as a failed login. The account will be unlocked for SSH login only after five minutes of no login activity. However, login using the Cisco IMC console will continue to work even during the lockout period. The administrator can enable SSH login during the lockout period, by executing the following command in the Linux shell:
sudo pam_tally2 --reset
Web UI Password Recovery
If a web UI user's password is lost, the password can be reset using the command-line shell, which requires SSH or console access. See "Reset a Forgotten Password" in the Cisco DNA Center Administrator Guide.
Password Encryption
By default, Cisco DNA Center's pluggable authentication module (PAM) uses the SHA-512 hashing algorithm to store and hash local user account passwords (the strongest method available for UNIX-based systems). No user-configurable action is available for Cisco DNA Center’s password encryption mechanism.
Logs and Database Management
System logs are available to the operating system administrator user with escalated privileges (sudo access). The application logs are stored in Elasticsearch, and can be accessed through the web UI after authentication. The databases are protected by credentials, which are randomly generated during installation, and securely passed to the applications that need database access. No user-configurable action is available to change these settings.
Communication Protocol Payload Encryption
In clustered mode, Cisco DNA Center nodes communicate with each other through the intracluster network. No separate encryption is applied to the intracluster traffic. It is important to keep the intracluster network isolated.
Note: Services that exchange sensitive data among themselves use HTTPS.
Change Web UI Users and Linux or Maglev User Password
Security Recommendation: We recommend that you regularly change Cisco DNA Center GUI user passwords and Maglev user password.
Procedure
Step 1: To change the Linux or Maglev user password, do the following:
Step 2: To change the GUI user password, do the following: Note that only you can change the password that you enter to log in to Cisco DNA Center. Even a user with administrator privileges cannot change another user's password. If an administrator needs to change a user's password, they must delete and re-add the user with a new password.
Manage Certificates
Default Certificates
Security Recommendation: We recommend that you change the default Cisco DNA Center TLS certificate with a certificate signed by your internal certificate authority.
By default, Cisco DNA Center uses self-signed certificates. Cisco DNA Center manages the devices using the devices' self-signed certificates, unless otherwise deployed. We strongly recommend that you use a certificate signed by your internal certificate authority during deployment.
Note: Changing the Cisco DNA Center certificate, either from self-signed to a certificate signed by your internal CA or from a root CA to a subordinate CA, disrupts network operations. When this happens, network devices need to establish trust with the new CA before connections can be established. The devices are then automatically reprovisioned with the new CA using device controllability. Existing connections that have already been established are not impacted. However, if a connection is lost for some reason (such as a power outage or reboot), network devices will need to establish trust with the new CA before connections can be re-established. As a result, we strongly recommend that you upgrade certificates before you begin the deployment.
Certificate and Private Key Support
Cisco DNA Center supports the PKI Certificate Management feature, which is used to authenticate sessions (HTTPS). These sessions use commonly recognized trusted agents called CAs. Cisco DNA Center uses the PKI Certificate Management feature to import, store, and manage X.509 certificates from your internal CA. The imported certificate becomes an identity certificate for Cisco DNA Center, and Cisco DNA Center presents this certificate to its clients for authentication. The clients are the northbound API applications and network devices.
You can import the following files (in either PEM or PKCS file format) using the Cisco DNA Center GUI:
- X.509 certificate
- Private key
Note: For the private key, Cisco DNA Center supports the import of RSA keys. Keep the private key secure in your own key management system. The private key must have a minimum modulus size of 2048 bits. With Cisco DNA Center 2.3.4.x and earlier, do not import DSA, DH, ECDH, and ECDSA key types, because they are not supported. Cisco DNA Center 2.3.4.x and earlier does not support any form of ECDH and ECDSA, which includes any leaf certificate tied to the certificate chain. Cisco DNA Center 2.3.5 and later supports all key types.
Prior to import, you must obtain a valid X.509 certificate and private key issued by your internal CA and the certificate must correspond to a private key in your possession. After import, the security functionality based on the X.509 certificate and private key is automatically activated. Cisco DNA Center presents the certificate to any device or application that requests it. Northbound API applications and network devices can use these credentials to establish a trust relationship with Cisco DNA Center.
![]() Note |
We recommend that you do not use and import a self-signed certificate to Cisco DNA Center. We recommend that you import a valid X.509 certificate from your internal CA. Additionally, you must replace the self-signed certificate (installed in Cisco DNA Center by default) with a certificate that is signed by your internal CA for the Plug and Play functionality to work correctly. |
Cisco DNA Center supports only one imported X.509 certificate and private key at a time. When you import a second certificate and private key, the latter overwrites the first (existing) imported certificate and private key values.
Certificate Chain Support
Cisco DNA Center is able to import certificates and private keys through its GUI. If subordinate certificates are involved in a certificate chain, leading to the certificate that is to be imported into Cisco DNA Center (signed certificate), both the subordinate certificates as well as the root certificate of these subordinate CAs must be appended together into a single file in order to be imported. When appending these certificates, you must append them in the same order as the actual chain of certification.
The following certificates should be pasted together into a single PEM file. Review the certificate subject name and issuer to ensure that the correct certificates are being imported and correct order is maintained. Ensure that all of the certificates in the chain are pasted together.
- Signed Cisco DNA Center certificate: Its Subject field includes CN=<FQDN of Cisco DNA Center>, and the issuer has the CN of the issuing authority.
  Note: If you install a third-party certificate, ensure that the certificate specifies all of the DNS names (including the Cisco DNA Center FQDN) that are used to access Cisco DNA Center in the alt_names section. For more information, see Step 3 in Generate a Certificate Request Using Open SSL.
- Issuing (subordinate) CA certificate that issues the Cisco DNA Center certificate: Its Subject field has the CN of the (subordinate) CA that issues the Cisco DNA Center certificate, and the issuer is that of the root CA.
- Next issuing (root/subordinate CA) certificate that issues the subordinate CA certificate: Its Subject field is the root CA, and the issuer has the same value as the Subject field. If they are not the same, you must append the next issuer, and so on.
Generate a Certificate Request Using Open SSL
Procedure
Step 1
Use an SSH client to log in to the Cisco DNA Center cluster and create a temporary folder under /home/maglev, for example, by entering the mkdir tls-cert;cd tls-cert command while in the home directory.
Step 2
Before proceeding further, ensure that the Cisco DNA Center hostname (FQDN) is set during Cisco DNA Center configuration by entering the maglev cluster network display command. You must have root privileges to run this command:
If the cluster_hostname output field is empty or is not what you want, add or change the Cisco DNA Center hostname (FQDN) by entering the sudo maglev-config update command, as shown in the following example. You must have root privileges to run this command.
Click Next until you see the step titled MAGLEV CLUSTER DETAILS containing the input prompt Cluster's hostname. Set the hostname to the desired Cisco DNA Center FQDN. Click Next and Proceed until Cisco DNA Center is reconfigured with the new FQDN.
Step 3
Using a text editor of your choice, create a file named openssl.cnf and upload it to the directory that you created in the preceding step. Use the following example as your guide, but adjust it to fit your deployment:
Example of openssl.cnf (applicable for Cisco DNA Center versions 2.1.1 and later, without LAN automation support)
Example of openssl.cnf (applicable for Cisco DNA Center versions earlier than 2.1.1, and Cisco DNA Center versions 2.1.1 onwards if you plan to use LAN automation)
Step 4
Enter the following command to create a private key. Adjust the key length to 2048 if required by your certificate authority admin team.
Step 5
After populating the fields in the openssl.cnf file, use the private key that you created in the preceding step to generate the Certificate Signing Request:
Step 6
Verify the Certificate Signing Request content and ensure that the DNS names (and IP addresses for Cisco DNA Center versions earlier than 2.1.1) are populated correctly in the subjectAltName field.
Step 7
Copy the Certificate Signing Request and paste it to a CA, for example, MS CA. Ensure that the certificate template you choose is configured for both client and server authentication (as illustrated in the extendedKeyUsage line in Step 2's openssl.cnf file example).
Step 8
Proceed to gather the issued certificate and its issuer CA chain.
Step 9
If the certificate issuer provides the certificate full chain (server and CA) in p7b, do the following:
Step 10
If the certificate issuer provides the certificate and its issuer CA chain in loose files, do the following:
Step 11
Copy the dnac-chain.pem file generated in the Cisco DNA Center cluster to your local system.
Step 12
Click the menu icon (
Step 13
Click Replace Certificate.
Step 14
In the Certificate area, click the PEM radio button and perform the following tasks.
Step 15
Click Upload/Activate.
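The following script is an added example (not the guide's own openssl.cnf or commands): it builds the CSR from a constructed config with a subjectAltName section and serverAuth/clientAuth extendedKeyUsage (Steps 3 to 6), signs it with a constructed root CA and issuing CA that stand in for "your internal CA", assembles dnac-chain.pem in the leaf, issuing CA, root order described under Certificate Chain Support (Steps 9 to 11), and checks that order by matching each certificate's issuer to the next certificate's subject. The FQDN dnac.example.com, the CA names, and the file names are assumptions; it needs only a POSIX shell and openssl.

```shell
#!/bin/sh
# Added example, not code from the Cisco guide: generate the Cisco DNA Center CSR,
# sign it with a constructed root -> issuing CA pair, assemble dnac-chain.pem in
# leaf -> issuing CA -> root order and verify that order before importing it.
set -eu

WORK=$(mktemp -d)
DNAC_FQDN="dnac.example.com"   # constructed value; use your cluster_hostname

# Constructed config. For Cisco DNA Center 2.1.1 and later without LAN automation,
# DNS names in alt_names are enough; earlier versions, and LAN automation, also
# need IP.N = <address> entries (see the guide's Step 3).
cat > "$WORK/openssl.cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = v3_req
[ req_distinguished_name ]
O  = Example Corp
CN = $DNAC_FQDN
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = $DNAC_FQDN
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# Guide Steps 4-5: 2048-bit RSA private key, then the CSR from the config.
gen_csr() {
  openssl genrsa -out "$WORK/dnac.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/dnac.key" -config "$WORK/openssl.cnf" -out "$WORK/dnac.csr"
}

# Guide Step 6: returns 0 when the CSR's subjectAltName lists the DNS name in $2.
csr_has_dns_san() {   # $1 = CSR file, $2 = DNS name
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# Constructed two-tier CA: root signs the issuing CA, issuing CA signs the DNAC CSR.
build_ca_and_sign() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -days 3650 -subj "/CN=Example Root CA" -config "$WORK/openssl.cnf" -extensions v3_ca 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/sub.key" -out "$WORK/sub.csr" \
    -subj "/CN=Example Issuing CA" -config "$WORK/openssl.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 1825 -extfile "$WORK/openssl.cnf" -extensions v3_ca -out "$WORK/sub.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/dnac.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" -CAcreateserial \
    -days 365 -extfile "$WORK/openssl.cnf" -extensions v3_req -out "$WORK/dnac.pem" 2>/dev/null
}

# Guide Steps 9-11: append the certificates in the order of the actual chain.
assemble_chain() {
  cat "$WORK/dnac.pem" "$WORK/sub.pem" "$WORK/root.pem" > "$WORK/dnac-chain.pem"
}

# Chain review: each certificate's issuer must equal the next certificate's
# subject, and the last certificate must be self-signed (the root).
check_chain_order() {   # $1 = PEM bundle; returns 0 when the order is correct
  dir=$(mktemp -d)
  n=$(awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++; f=sprintf("%s/c%d.pem", d, n)}
                       n {print > f}  END {print n + 0}' "$1")
  [ "$n" -gt 0 ] || { rm -rf "$dir"; return 1; }
  i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "$dir/c$i.pem" -noout -issuer)
    sub=$(openssl x509 -in "$dir/c$((i + 1)).pem" -noout -subject)
    if [ "${iss#issuer=}" != "${sub#subject=}" ]; then
      echo "certificate $i was not issued by certificate $((i + 1)): chain is out of order" >&2
      rm -rf "$dir"; return 1
    fi
    i=$((i + 1))
  done
  sub=$(openssl x509 -in "$dir/c$n.pem" -noout -subject)
  iss=$(openssl x509 -in "$dir/c$n.pem" -noout -issuer)
  rm -rf "$dir"
  [ "${sub#subject=}" = "${iss#issuer=}" ]
}

gen_csr
csr_has_dns_san "$WORK/dnac.csr" "$DNAC_FQDN" && echo "CSR SAN contains DNS:$DNAC_FQDN"
build_ca_and_sign
assemble_chain
check_chain_order "$WORK/dnac-chain.pem" && echo "dnac-chain.pem is in leaf -> issuing CA -> root order"
# Independent check: the leaf validates against the root with the issuing CA as an untrusted intermediate.
openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" "$WORK/dnac.pem"
```

Run check_chain_order against a chain that a CA hands you in loose files before uploading it; a bundle pasted in the wrong order fails the check with the position of the first mismatch.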
Update the Cisco DNA Center Server Certificate
Cisco DNA Center supports the import and storage of an X.509 certificate and private key into Cisco DNA Center. After import, the certificate and private key can be used to create a secure and trusted environment between Cisco DNA Center, northbound API applications, and network devices.
You can import a certificate and a private key using the Certificates window in the GUI.
Before you begin
You must obtain a valid X.509 certificate that is issued by your internal CA and the certificate must correspond to a private key in your possession.
Procedure
Step 1
Click the menu icon (
Step 2
In the System tab, view the current certificate data. When you first view this window, the current certificate data that is displayed is the Cisco DNA Center self-signed certificate. The self-signed certificate's expiry is set for several years in the future.
The System tab displays the following fields:
Step 3
In the System Certificates window, click Replace Certificate. In Cisco DNA Center 2.3.2 and later, you will see the Generate New CSR link if you are generating the CSR for the first time. Otherwise, you will see the Download existing CSR link. You can download the existing CSR and submit it to your provider to generate your certificate. If you don't want to use the existing CSR, click Delete existing CSR and click Accept in the subsequent Confirmation window. You can now see the Generate New CSR link.
Step 4
Click the Generate New CSR link.
Step 5
In the Certificate Signing Request Generator window, provide information in the required fields.
Step 6
Click Generate New CSR. The generated new CSR is downloaded automatically. The Certificate Signing window shows the CSR properties and allows you to do the following:
Step 7
(Optional) Check the Use system certificate for Disaster Recovery as well check box if you want to use the same certificate for disaster recovery.
Step 8
Choose the file format type for the certificate that you are importing into Cisco DNA Center:
Step 9
Confirm that the certificate issuer provides the certificate full chain (server and CA) in p7b. When in doubt, do the following to examine and assemble the chain:
Step 10
If the certificate issuer provides the certificate and its issuer CA chain in loose files, do the following:
Step 11
For a PEM file, perform the following tasks:
Step 12
For a PKCS file, perform the following tasks:
Step 13
Click Save.
Step 14
Return to the Certificates window to view the updated certificate data. The information displayed in the System tab should have changed to reflect the new certificate name, issuer, and the certificate authority.
PKI Certificate Authority
Clients looking to establish an HTTPS connection with Cisco DNA Center use its server CA in order to confirm its identity and complete authentication. In addition to the server CA, Cisco DNA Center also makes use of a public key infrastructure (PKI) CA (configured as either a root or subordinate CA) to establish client connections. When used, the PKI CA gives you the option of using a different realm trust (signing CA) than the one associated with Cisco DNA Center’s server CA.
Change the Role of the PKI Certificate from Root to Subordinate
The device PKI CA, a private CA that is provided by Cisco DNA Center, manages the certificates and keys used to establish and secure server-client connections. To change the role of the device PKI CA from a root CA to a subordinate CA, complete the following procedure.
You can change the role of the private (internal) Cisco DNA Center CA from a root CA to a subordinate CA using the PKI Certificate Management window in the GUI. When making this change, do the following:
- If you intend to have Cisco DNA Center act as a subordinate CA, it is assumed that you already have a root CA, for example, Microsoft CA, and you are willing to accept Cisco DNA Center as a subordinate CA.
- As long as the subordinate CA is not fully configured, Cisco DNA Center continues to operate as an internal root CA.
- You must generate a Certificate Signing Request file for Cisco DNA Center (as described in the following procedure) and have it manually signed by your external root CA.
  Note: Cisco DNA Center continues to run as an internal root CA during this time period.
- After the Certificate Signing Request is signed by the external root CA, this signed file must be imported back into Cisco DNA Center using the GUI (as described in the following procedure). After the import, Cisco DNA Center initializes itself as the subordinate CA and provides all the existing functionalities of a subordinate CA.
- If device controllability is enabled (which is the default) before the switchover from the internal root CA to the subordinate CA, the new device certificate is updated automatically.
- The subordinate CA certificate lifetime, as displayed in the GUI, is just read from the certificate; it is not computed against the system time. Therefore, if you install a certificate with a lifespan of 1 year today and look at it in the GUI the same time next year, the GUI will still show that the certificate has a 1-year lifetime.
- The subordinate CA certificate must be in PEM or DER format only.
- The subordinate CA does not interact with the higher CAs; therefore, it is not aware of revocation, if any, of the certificates at a higher level. Because of this, any information about certificate revocation is also not communicated from the subordinate CA to the network devices. Because the subordinate CA does not have this information, all the network devices use only the subordinate CA as the Cisco Discovery Protocol (CDP) source.
Before you begin
You must have a copy of the root CA certificate.
Procedure
Step 1
Click the menu icon (
Step 2
Click the CA Management tab.
Step 3
Review the existing root or subordinate CA certificate configuration information from the GUI:
Step 4
In the CA Management tab, check the Sub CA Mode check box.
Step 5
Click Next.
Step 6
Review the warnings that are displayed. For example:
Step 7
Click OK to proceed. The PKI Certificate Management window displays the Import External Root CA Certificate field.
Step 8
Drag and drop your root CA certificate into the Import External Root CA Certificate field and click Upload. The root CA certificate is uploaded into Cisco DNA Center and used to generate a Certificate Signing Request. After the upload process finishes, a
Step 9
Click Next. Cisco DNA Center generates and displays the Certificate Signing Request.
Step 10
View the Cisco DNA Center-generated Certificate Signing Request in the GUI and perform one of the following actions:
Step 11
Send the Certificate Signing Request file to your root CA. Your root CA will then return a subordinate CA file, which you must import back into Cisco DNA Center.
Step 12
After receiving the subordinate CA file from your root CA, access the Cisco DNA Center GUI again and return to the PKI Certificate Management window.
Step 13
Click the CA Management tab.
Step 14
Click Yes for the Change CA mode button. After clicking Yes, the GUI view with the Certificate Signing Request is displayed.
Step 15
Click Next. The PKI Certificate Management window displays the Import Sub CA Certificate field.
Step 16
Drag and drop your subordinate CA certificate into the Import Sub CA Certificate field and click Apply. The subordinate CA certificate is uploaded into Cisco DNA Center. After the upload finishes, the GUI displays the subordinate CA mode under the CA Management tab.
Step 17
Review the fields under the CA Management tab:
Provision a Rollover Subordinate CA Certificate
Cisco DNA Center lets you apply a subordinate certificate as a rollover subordinate CA when 70 percent of the existing subordinate CA lifetime has elapsed.
Before you begin
- To initiate subordinate CA rollover provisioning, you must have changed the PKI certificate role to subordinate CA mode. See Change the Role of the PKI Certificate from Root to Subordinate.
- 70 percent or more of the lifetime of the current subordinate CA certificate must have elapsed. When this occurs, Cisco DNA Center displays a Renew button under the CA Management tab.
- You must have a signed copy of the rollover subordinate CA PKI certificate.
Procedure
Step 1
Click the menu icon (
Step 2
Click the CA Management tab.
Step 3
Review the CA certificate configuration information:
Step 4
Click Renew. Cisco DNA Center uses the existing subordinate CA to generate and display the rollover subordinate CA Certificate Signing Request.
Step 5
View the generated Certificate Signing Request in the GUI and perform one of the following actions:
Step 6
Send the Certificate Signing Request file to your root CA. Your root CA will then return a rollover subordinate CA file that you must import back into Cisco DNA Center. The Certificate Signing Request for the subordinate CA rollover must be signed by the same root CA that signed the subordinate CA you imported when you switched from RootCA mode to SubCA mode.
Step 7
After receiving the rollover subordinate CA file from your root CA, return to the PKI Certificate Management window.
Step 8
Click the CA Management tab.
Step 9
Click Next in the GUI in which the Certificate Signing Request is displayed. The PKI Certificate Management window displays the Import Sub CA Certificate field.
Step 10
Drag and drop your subordinate rollover CA certificate into the Import Sub CA Certificate field and click Apply. The rollover subordinate CA certificate is uploaded into Cisco DNA Center. After the upload finishes, the GUI changes to disable the Renew button under the CA Management tab.
Configure the Device Certificate Lifetime
Cisco DNA Center lets you change the certificate lifetime of network devices that are managed and monitored by the private (internal) Cisco DNA Center CA. The Cisco DNA Center default value for the certificate lifetime is 365 days. After the certificate lifetime value is changed using the Cisco DNA Center GUI, network devices that subsequently request a certificate from Cisco DNA Center are assigned this lifetime value.
Note
The device certificate lifetime value cannot exceed the CA certificate lifetime value. Additionally, if the remaining lifetime of the CA certificate is less than the configured device's certificate lifetime, the device gets a certificate lifetime value that is equal to the remaining CA certificate lifetime.
Procedure
Step 1
Click the menu icon (
Step 2
Review the device certificate and the current device certificate lifetime.
Step 3
In the Device Certificate window, click Modify.
Step 4
In the Device Certificate Lifetime dialog box, enter a new value, in days.
Step 5
Click Save.
Cisco DNA Center Trustpool Support
Cisco DNA Center and Cisco IOS devices support a special PKI certificate store known as trustpool. The trustpool holds X.509 certificates that identify trusted CAs. Cisco DNA Center and the devices in the network use the trustpool bundle to manage trust relationships with each other and with these CAs. Cisco DNA Center manages this PKI certificate store, and an administrator (ROLE_ADMIN) has the ability to update it through the Cisco DNA Center GUI when the certificates in the pool are due to expire, are reissued, or must be changed for other reasons.
Note
Cisco DNA Center also uses the trustpool functionality to determine whether any certificate file that is uploaded through its GUI is a valid trustpool CA-signed certificate.
Cisco DNA Center contains a preinstalled, default Cisco-signed trustpool bundle named ios.p7b. This trustpool bundle is trusted by supported Cisco network devices natively, because it is signed with a Cisco digital signing certificate. This trustpool bundle is critical for the Cisco network devices to establish trust with services and applications that are genuine. This Cisco PKI trustpool bundle file is available at https://www.cisco.com/security/pki/.
To access the Cisco DNA Center PnP functionality, the supported Cisco devices that are being managed and monitored by Cisco DNA Center should import the Cisco PKI trustpool bundle file. When the supported Cisco devices boot for the first time, they contact Cisco DNA Center to import this file.
The Cisco DNA Center trustpool management feature operates in the following manner:
- You boot the Cisco devices that support the PnP functionality within your network.
  Note that not all Cisco devices support PnP. See the Cisco DNA Center Compatibility Matrix for a list of supported Cisco devices.
- As part of the initial PnP flow, the supported Cisco devices download a trustpool bundle directly from Cisco DNA Center using HTTP.
- The Cisco devices are now ready to interact with Cisco DNA Center to obtain further device configuration and provisioning according to the PnP traffic flows.
  Note that if an HTTP proxy gateway exists between Cisco DNA Center and these Cisco devices, you must import the proxy gateway certificate into Cisco DNA Center.
Note
At times, you might need to update the trustpool bundle to a newer version due to some certificates in the trustpool expiring, being reissued, or for other reasons. Whenever the trustpool bundle needs to be updated, update it by using the Cisco DNA Center GUI. Cisco DNA Center can access the Cisco cloud (where the Cisco-approved trustpool bundles are located) and download the latest trustpool bundle. After download, Cisco DNA Center then overwrites the current or older trustpool bundle file. As a best practice, update the trustpool bundle before importing a new certificate from a CA.
Check the Certificate on the PnP Server
This section explains how to check the certificate on the PnP agent of Cisco IOS and Cisco IOS XE devices during a zero-touch deployment.
The certificate provided by the PnP server must contain a valid Subject Alternative Name (SAN) field to verify the server identity.
The check is applied to the server's DNS name or the IP address that is used in the PnP profile settings:
pnp profile SOME_NAME
transport https ipv4 IP_ADDRESS port 443
pnp profile SOME_NAME
transport https host DNS_NAME port 443
The enforcement is applied by comparing the SAN field of the certificate to the value used in the PnP profile that is configured on the device.
The following table summarizes the enforcement applied:
PnP Profile Configuration | Certificate Enforcement
---|---
DHCP Option-43 or Option-17 discovery of the PnP server using an explicit IPv4 or IPv6 address | The SAN field of the server certificate must contain the explicit IPv4 or IPv6 address used in Option-43 or Option-17.
DHCP Option-43 or Option-17 discovery of the PnP server using a DNS name | The SAN field of the server certificate must contain the specific DNS name.
DNS discovery of the PnP server | The SAN field of the server certificate must contain pnpserver.<local-domain>.
Cisco.com discovery of the PnP Server | One of the following conditions is applicable:
Day-2 (manual configuration) PnP profile creation | The SAN field of the server certificate must contain either the IP address or the DNS name that is used in the PnP profile configuration.
We recommend that you use a discovery method based on the DNS name because the functionality is not affected by changes to the IP address.
Procedure
Step 1
Use the PnP server logs to diagnose the problem. Check whether the HTTPS connection is established with the device after the trustpoint is installed on the device. The PnP server logs show that the device moves from the CERTIFICATE_INSTALL_REQUESTED stage to the FILESYSTEM_INFO_REQUESTED stage, but no further progress is made. For example:
Thereafter, PnP provisioning fails with an error that is similar to the following:
Step 2
For device-side debugging, use the following recommended outputs to determine whether the issue is related to the server ID check:
Step 3
Enable debugging before you initiate a PnP discovery.
Step 4
Check the server certificate's SAN field by entering the following command from the CLI of a Linux workstation or a Mac terminal. Be sure to replace SERVER_IP with your Cisco DNA Center cluster address.
Step 5
In the output, pay close attention to the X509v3 extensions, especially the X509v3 Subject Alternative Name, which is the field that must be matched against the PnP server details. The output is similar to the following:
Step 6
Depending on the type of certificate you are using, do one of the following:
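The following script is an added example (not code from the Cisco guide) that reproduces the PnP agent's server ID check offline: it reads the SAN field of a server certificate in the same way Step 4 and Step 5 do and applies the enforcement table rows for address-based, DNS-name-based, and DNS discovery to a given discovery value, so a certificate can be checked against every planned discovery method before a zero-touch deployment. The certificate is a constructed self-signed sample for dnac.example.com, pnpserver.example.com and 192.0.2.10; the Cisco.com discovery row, whose conditions the guide lists separately, is not modelled.

```shell
#!/bin/sh
# Added example, not code from the Cisco guide: an offline version of the PnP
# agent's server ID check against a server certificate's SAN field.
set -eu

# Print each subjectAltName entry of a PEM certificate on its own line, e.g.
# "DNS:pnpserver.example.com" or "IP Address:192.0.2.10" (OpenSSL's text form).
san_entries() {   # $1 = certificate file
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Returns 0 when the certificate satisfies the table row for method $2 with value $3.
# Comparison is on OpenSSL's printed form, which is exact for DNS names and IPv4;
# an IPv6 value would first need normalising to the expanded form OpenSSL prints.
pnp_server_id_ok() {   # $1 = certificate, $2 = discovery method, $3 = value
  case "$2" in
    option-ip)     want="IP Address:$3" ;;    # Option-43/17 or day-2 profile, explicit address
    option-dns)    want="DNS:$3" ;;           # Option-43/17 or day-2 profile, DNS name
    dns-discovery) want="DNS:pnpserver.$3" ;; # $3 is the device's local domain
    *) echo "unknown discovery method: $2" >&2; return 2 ;;
  esac
  san_entries "$1" | grep -qxF "$want"
}

# Constructed sample: a self-signed certificate carrying the SAN entries a cluster
# reachable as dnac.example.com / 192.0.2.10 in local domain example.com would need.
WORK=$(mktemp -d)
CERT="$WORK/server.pem"
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = dnac.example.com\n' > "$WORK/req.cnf"
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/server.key" -out "$CERT" -days 365 \
  -config "$WORK/req.cnf" \
  -addext "subjectAltName=DNS:dnac.example.com,DNS:pnpserver.example.com,IP:192.0.2.10" 2>/dev/null

# Walk the discovery methods from the table; the last case is a deliberate mismatch.
for check in "option-ip 192.0.2.10" "dns-discovery example.com" \
             "option-dns dnac.example.com" "option-ip 198.51.100.7"; do
  set -- $check
  if pnp_server_id_ok "$CERT" "$1" "$2"; then
    echo "PASS $1 $2"
  else
    echo "FAIL $1 $2: SAN field has no matching entry"
  fi
done
```

To check a live cluster instead of the sample, save the certificate that openssl s_client shows for your Cisco DNA Center address to a file and pass that file as the first argument.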
Certificates for Systems that Peer with Cisco DNA Center
When setting up a certificate for an external system that Cisco DNA Center communicates with (such as Cisco ISE, IPAM, vManage, or Stealthwatch Security Analytics), ensure that the HTTP-type CRL distribution point is supported and is placed before LDAP (if multiple distribution points with LDAP are present) for the system's certificates.
If you don't place the CRL distribution point before LDAP, authentication with the external system might fail for LDAP-type CRL entries.
Disable SFTP Compatibility Mode
SSH File Transfer Protocol (SFTP) Compatibility mode allows legacy network devices to connect to Cisco DNA Center using older cipher suites that are not secure. By default, SFTP Compatibility mode is enabled for new Cisco DNA Center deployments.
- If your network does not have legacy devices, we recommend that you disable SFTP Compatibility mode during initial cluster configuration.
- If your network does have legacy devices, we recommend that you enable SFTP Compatibility mode for a maximum of three days, which should be enough time to complete provisioning tasks.
Complete the procedure that's specific to your Cisco DNA Center version.
Newer Cisco DNA Center Versions
If you are running Cisco DNA Center 2.1.2.0 or later, complete the following procedure to enable or disable SFTP Compatibility mode:
Procedure
Step 1
Click the menu icon (
Step 2
In the Host column, locate the relevant server and click the corresponding i icon. A message appears, indicating whether SFTP Compatibility mode is currently enabled or disabled on that server.
Step 3
If necessary, click the link provided in the message to enable or disable this mode.
Older Cisco DNA Center Versions
If you are running Cisco DNA Center 1.3.3.0 or earlier, complete the following procedure to enable or disable SFTP Compatibility mode:
Procedure
Step 1
Log in to Cisco DNA Center.
Step 2
From the home page, choose .
Step 3
Check the Compatibility mode check box to enable this mode. (Uncheck the check box to disable it.)
Step 4
Click Apply.
Browser-Based Appliance Configuration Wizard
In addition to the appliance configuration wizard that has been available since its first release, Cisco DNA Center also provides a browser-based appliance configuration wizard. See the following topics for a description of how to disable or re-enable this wizard.
Disable the Wizard
A self-signed certificate is provided with your Cisco DNA Center appliance. If your production environment doesn't allow the use of self-signed certificates, we recommend that you shut down the service associated with the browser-based appliance configuration wizard. Complete the following procedure right after using the wizard to configure your appliance.
Note
Only users with root privileges can complete this procedure.
Procedure
Step 1
In an SSH client, log in to your Cisco DNA Center appliance using the IP address that you entered during configuration. When prompted, enter your username and password.
Step 2
(Optional) To view usage information for the commands that you should run in order to disable or re-enable the browser-based appliance configuration wizard, run the maglev-config webinstall command. The following output is displayed:
Step 3
Disable the browser-based configuration wizard by running the maglev-config webinstall disable command. After the operation is completed, you will see the following message:
Re-enable the Wizard
If the browser-based configuration wizard is currently disabled on an appliance, re-enable it before you complete the following tasks:
- Add nodes to a three-node Cisco DNA Center cluster on which you plan to enable high availability (HA).
- Remove a node from a three-node cluster that has HA enabled, and replace it with a new node. In this case, ensure that the browser-based configuration wizard is enabled on at least one of the other two cluster nodes.
Note
Only users with root privileges can complete this procedure.
Procedure
Step 1
In an SSH client, log in to your Cisco DNA Center appliance using the IP address that you entered during configuration. When prompted, enter your username and password.
Step 2
Re-enable the wizard by running the maglev-config webinstall enable command. After the operation is completed, you will see the following message:
Upgrade Legacy Devices
If you have legacy network devices, you must upgrade them to the latest device software:
- To view the software versions that Cisco SD-Access supports, see the Cisco SD-Access Compatibility Matrix.
- To view general device support information for Cisco DNA Center, see the Cisco DNA Center Compatibility Matrix.
Some devices, such as Cisco Aironet 1800 Series Access Points Version 8.5, use TLSv1, which is not secure. You must upgrade the device software version to 8.8 to upgrade the TLS version.
Secure Network Data
Cisco DNA Center lets you use the Data Anonymization feature to hide the identity of wired and wireless end clients in the Cisco DNA Assurance dashboard. For details, see "View or Update Collector Configuration Information" in the Cisco DNA Assurance User Guide.
Syslog Management
Cisco DNA Center protects user-sensitive data, such as usernames, passwords, and IP addresses, in the syslogs it produces.
View Audit Logs
Audit logs capture information about the various applications running on Cisco DNA Center. Audit logs also capture information about device public key infrastructure (PKI) notifications. The information in these audit logs can be used to help in troubleshooting issues, if any, involving the applications or the device PKI certificates.
Audit logs also record system events that occurred, when and where they occurred, and which users initiated them. With audit logging, configuration changes to the system get logged in separate log files for auditing.
Procedure
Step 1
Click the menu icon ( The Audit Logs window opens, where you can view logs about the current policies in your network. These policies are applied to network devices by the applications installed on Cisco DNA Center.
Step 2
Click the timeline slider to specify the time range of data you want displayed on the window:
Step 3
Click the arrow next to an audit log to view the corresponding child audit logs. Each audit log can be a parent to several child audit logs. By clicking the arrow, you can view a series of additional child audit logs.
Step 4
(Optional) From the list of audit logs in the left pane, click a specific audit log message. In the right pane, click Event ID > Copy Event ID to Clipboard. With the copied ID, you can use the API to retrieve the audit log message based on the event ID. The audit log displays the Description, User, Interface, and Destination of each policy in the right pane.
Step 5
(Optional) Click Filter to filter the log by User ID, Log ID, or Description.
Step 6
Click Subscribe to subscribe to the audit log events. A list of syslog servers is displayed.
Step 7
Check the syslog server check box that you want to subscribe to and click Save.
Step 8
In the right pane, use the Search field to search for specific text in the log message.
Step 9
Click the menu icon (
Step 10
Click the menu icon (
Export Audit Logs to Syslog Servers
Security Recommendation: We strongly encourage you to export audit logs from Cisco DNA Center to a remote syslog server in your network, for more secure and easier log monitoring.
You can export the audit logs from Cisco DNA Center to multiple syslog servers by subscribing to them.
Before you begin
You must configure the syslog servers in the
area.
Procedure
Step 1
Click the menu icon (
Step 2
Click Subscribe.
Step 3
Select the syslog servers that you want to subscribe to and click Save.
Step 4
(Optional) To unsubscribe, deselect the syslog servers and click Save.
View Audit Logs in Syslog Server Using APIs
With the Cisco DNA Center platform, you can use APIs to view audit logs in syslog servers. Using the Create Syslog Event Subscription API from the Developer Toolkit, you must create a syslog subscription for audit log events.
Whenever an audit log event occurs, the syslog server lists the audit log events.
View Security Advisories Report
Cisco DNA Center provides the functionality to create a Security Advisory report that scans your Cisco network devices for relevant security advisories, and contains information about publicly reported vulnerabilities.
Security Recommendation: We strongly encourage you to periodically review and run this report to understand the impact of published Cisco security advisories that may affect your network, and take appropriate actions, if necessary.
The Security Advisories report displays device data and related advisory data such as Device Name, IP Address, Device Type, Serial Number, Image Version, Site, Advisory ID, CVSS Score, and Impact.
Note
For detailed information and instructions on how to run the security advisories report, see the section "Run a Security Advisories Report" in the Cisco DNA Center Platform User Guide.