Cisco DNA Center Security Best Practices Guide

Cisco DNA Center Hardening Steps

Cisco DNA Center provides many security features for itself, as well as for the hosts and network devices that it monitors and manages. You must clearly understand and configure the security features correctly. We strongly recommend that you follow these security recommendations:

Deploy Cisco DNA Center in a private internal network and behind a firewall that does not expose Cisco DNA Center to an untrusted network, such as the internet.
If you have separate management and enterprise networks, connect Cisco DNA Center's management and enterprise interfaces to your management and enterprise networks, respectively. Doing so ensures network isolation between the services used to administer and manage Cisco DNA Center and the services used to communicate with and manage your network devices.
If deploying Cisco DNA Center in a three-node cluster setup, verify that the cluster interfaces are connected in an isolated network.
Upgrade Cisco DNA Center with critical upgrades, including security patches, as soon as possible after a patch announcement. For more information, see the Cisco DNA Center Upgrade Guide.
Restrict the remote URLs accessed by Cisco DNA Center using an HTTPS proxy server. Cisco DNA Center is configured to access the internet to download software updates, licenses, and device software, as well as provide up-to-date map information, user feedback, and so on. Providing internet connections for these purposes is a mandatory requirement. However, provide connections securely through an HTTPS proxy server. For more information, see Secure Internet Access to Required Internet URLs and Fully Qualified Domain Names.
Restrict the ingress and egress management and enterprise network connections to and from Cisco DNA Center using a firewall, by only allowing known IP addresses and ranges and blocking network connections to unused ports. For more information, see Communication Ports.
Replace the self-signed server certificate from Cisco DNA Center with the certificate signed by your internal certificate authority (CA).
If possible, disable SFTP Compatibility Mode in your network environment. This mode allows legacy network devices to connect to Cisco DNA Center using older cipher suites. For more information, see Disable SFTP Compatibility Mode.
Disable the browser-based appliance configuration wizard, which comes with a self-signed certificate. For more information, see Browser-Based Appliance Configuration Wizard.
Upgrade the minimum TLS version. Cisco DNA Center comes with TLSv1.1 and TLSv1.2 enabled by default, and we recommend that you set the minimum TLS version to 1.2 if possible, in your network environment. For more information, see Change the Minimum TLS Version and Enable RC4-SHA (Not Secure).

User Role Considerations

Users are assigned roles that control access to the functions that they are permitted to perform.

Cisco DNA Center supports the following user roles. For more information, see "About User Roles" and "Create Local Users" in the Cisco DNA Center Administrator Guide.

Administrator (SUPER-ADMIN-ROLE): Users with this role have full access to all Cisco DNA Center functions. They can create other user profiles with various roles, including those with the SUPER-ADMIN-ROLE. Restrict the number of users with this role.
Network Administrator (NETWORK-ADMIN-ROLE): Users with this role have full access to all of the network-related Cisco DNA Center functions. However, they do not have access to system-related functions, such as backup and restore.
Observer (OBSERVER-ROLE): Users with this role have view-only access to Cisco DNA Center functions. Users with an observer role cannot access any functions that configure or control Cisco DNA Center or the devices it manages.

In addition to the above preconfigured user roles, Cisco DNA Center also supports the creation of user roles with a custom fine-grained access policy, which allows the creation of custom roles to permit or restrict user access to certain Cisco DNA Center functions. For more information, see "Configure Role Based Access Control' in the Cisco DNA Center Administrator Guide.

Note

We strongly recommend that you restrict the number of users with the Administrator role because administrators have control over the configuration of critical functions.

Cisco DNA Center can use Cisco Identity Services Engine (ISE) or other authentication, authorization, and accounting (AAA) servers for user authentication. For more information, see "Configure Authentication and Policy Servers" in the Cisco DNA Center Administrator Guide.

Secure Your Cisco DNA Center Deployment

Cisco DNA Center provides many security features for itself, as well as for the hosts and network devices that it monitors and manages. We strongly recommend that you place Cisco DNA Center and Cisco ISE behind a firewall in either a local data center (head of campus) or remote data center as shown here.

To access Cisco DNA Center through the GUI and to enable Cisco DNA Center to interact with network devices, specific ports must be configured on the firewall. Cisco DNA Center integrates with the cloud and is distributed across the globe for practical latency requirements.

Communication Ports

Security Recommendations:

Deploy a firewall between Cisco DNA Center and the management or enterprise network for a defensive, in-depth approach to secure the Cisco DNA Center deployment.
Open the ports with specific IP addresses or ranges.

The following table lists the ports that Cisco DNA Center uses, the names of the services communicating over these ports, and the product’s purpose in using them. The Recommended Action column indicates whether you can restrict network traffic to known IP addresses or ranges, or block network connections to or from a Cisco DNA Center port or service without affecting the functionality of Cisco DNA Center, or whether you must leave the port open.

Some destination ports in Cisco DNA Center are duplicated. The subsections call out the usage and related network service. You can limit the source or destination IP addresses or ranges in the firewall rules or choose not to open the port if the service is not used in your Cisco DNA Center deployment.

Port

Service Name

Purpose

Recommended Action

Administering or Configuring Cisco DNA Center

TCP 443

UI, REST, HTTPS

GUI, REST, HTTPS management port.

Port must be open.

TCP 2222

Cisco DNA Center shell

Connect to the Cisco DNA Center shell.

Port must be open. Restrict the known IP address to be the source.

TCP 9004

Web UI installation

Serves the GUI based installation page (required only if you choose to install Cisco DNA Center using the web-based option).

Port must be open until the installation of the node is complete.

TCP 9005

Web UI installation API service

Serves the API for the web-based installation (connected by the browser client from port 9004; no external agent requires access).

Port must be open until the cluster formation is complete.

Administering or Configuring Cisco IMC

TCP 22

Cisco DNA Center shell

Connects to the Cisco DNA Center shell.

Port must be open. Configure the known IP address as the source.

UDP and TCP 53

DNS

Used to resolve a DNS name to an IP address.

Port must be open if DNS names are used instead of IP addresses for other services (such as an NTP DNS name).

UDP and TCP 389

LDAP

Cisco IMC user management LDAP.

Optional if external user authentication via LDAP is needed.

TCP 443

UI, REST, HTTPS

Web UI, REST, HTTPS management port.

Port must be open.

UDP and TCP 636

LDAPS

Cisco IMC user management via LDAP over SSL.

Optional if external user authentication via LDAPS is needed.

TCP 2068

HTTPS

Remote KVM console redirect port.

Port must be open until installation of the node is complete.

UDP 123

NTP

Synchronize the time with an NTP server.

Port must be open.

UDP 161

SNMP Polling/Config

SNMP server polling and configurations.

Optional for SNMP server polling and configurations.

UDP 162

SNMP Traps

Send SNMP traps to an external SNMP server.

Optional for a SNMP server collector.

UDP 514

Syslog

View faults and logs on an external server.

Optional for sending message logs to an external server.

Cisco DNA Center Outbound to Device and Other Systems

—

ICMP

Cisco DNA Center uses ICMP messages to discover network devices and troubleshoot network connectivity issues.

Enable ICMP.

TCP 22

SSH

Cisco DNA Center uses SSH to connect to network devices so that it can:

Read the device configuration for discovery.
Make configuration changes.

Cisco DNA Center also uses SSH to connect to and complete initial integration with Cisco ISE.

SSH must be open between Cisco DNA Center and the following:

The managed network
Cisco ISE

TCP 23

Telnet

We strongly discourage the use of Telnet.

Note that although Telnet is discouraged, Cisco DNA Center can use Telnet to connect to devices in order to read the device configuration for discovery, and make configuration changes.

Telnet can be used for device management, but we do not recommend it because Telnet does not offer security mechanisms such as SSH.

TCP 49

TACACS+

Needed only if you are using external authentication such as Cisco ISE with a TACACS+ server.

Port must be open only if you are using external authentication with a TACACS+ server.

TCP 80

HTTP

Cisco DNA Center uses HTTP for trust pool updates.

To access Cisco-supported trust pools, configure your network to allow outgoing traffic from the appliance to the following URL:

http://www.cisco.com/security/pki/

UDP 53

DNS

Cisco DNA Center uses DNS to resolve hostnames.

Port must be open for DNS hostname resolution.

UDP 123

NTP

Cisco DNA Center uses NTP to synchronize the time from the source that you specify.

Port must be open for time synchronization.

UDP 161

SNMP

Cisco DNA Center uses SNMP to discover network devices; to read device inventory details, including device type; and for telemetry data purposes, including CPU and RAM.

Port must be open for network device management and discovery.

TCP 443

HTTPS

Cisco DNA Center uses HTTPS for cloud-tethered upgrades.

Port must be open for cloud tethering, telemetry, and software upgrades.

TCP 830

NETCONF

Cisco DNA Center uses NETCONF for device inventory, discovery, and configuration.

Port must be open for network device management and discovery of devices that support NETCONF.

UDP 1645 or 1812

RADIUS

Needed only if you are using external authentication with a RADIUS server.

Port must be open only if an external RADIUS server is used to authenticate user login to Cisco DNA Center.

TCP 5222, 8910

Cisco ISE

Cisco DNA Center uses Cisco ISE XMP for PxGrid.

Port must be open for Cisco ISE.

TCP 9060

Cisco ISE

Cisco DNA Center uses Cisco ISE ERS API traffic.

Port must be open for Cisco ISE.

Device to Cisco DNA Center

—

ICMP

Devices use ICMP messages to communicate network connectivity issues.

Enable ICMP.

TCP 22, 80, 443

HTTPS, SFTP, HTTP

Software image download from Cisco DNA Center through HTTPS:443, SFTP:22, HTTP:80.

Certificate download from Cisco DNA Center through HTTPS:443, HTTP:80 (Cisco 9800 Wireless Controller, PnP), Sensor/Telemetry.

Note

Block port 80 if you don't use Plug and Play (PnP), Software Image Management (SWIM), Embedded Event Management (EEM), device enrollment, or Cisco 9800 Wireless Controller.

Ensure that firewall rules limit the source IP of the hosts or network devices allowed to access Cisco DNA Center on these ports.

Note

We do not recommend the use of HTTP 80. Use HTTPS 443 wherever possible.

UDP 123

NTP

Devices use NTP for time synchronization.

Port must be open to allow devices to synchronize the time.

UDP 162

SNMP

Cisco DNA Center receives SNMP network telemetry from devices.

Port must be open for data analytics based on SNMP.

UDP 514

Syslog

Cisco DNA Center receives syslog messages from devices.

Port must be open for data analytics based on syslog.

UDP 6007

NetFlow

Cisco DNA Center receives NetFlow network telemetry from devices.

Port must be open for data analytics based on NetFlow.

TCP 9991

Wide Area Bonjour Service

Cisco DNA Center receives multicast Domain Name System (mDNS) traffic from the Service Discovery Gateway (SDG) agents using the Bonjour Control Protocol.

Port must be open on Cisco DNA Center if the Bonjour application is installed.

UDP 21730

Application Visibility Service

Application Visibility Service CBAR device communication.

Port must be open when CBAR is enabled on a network device.

TCP 25103

Cisco 9800 Wireless Controller and Cisco Catalyst 9000 switches with streaming telemetry enabled

Used for telemetry.

Port must be open for telemetry connections between Cisco DNA Center and Catalyst 9000 devices.

TCP 32626

Intelligent Capture (gRPC) collector

Used for receiving traffic statistics and packet - capture data used by the Cisco DNA Assurance Intelligent Capture (gRPC) feature.

Port must be open if you are using the Cisco DNA Assurance Intelligent Capture (gRPC) feature.

Enable Cisco DNA Center Disaster Recovery

Cisco DNA Center provides a mechanism to recover from a Cisco DNA Center cluster loss (or a data center loss) and maintain operational continuity. This is achieved through the Disaster Recovery application of Cisco DNA Center, which replicates all the essential data from the main Cisco DNA Center cluster to a second standby (recovery) Cisco DNA Center cluster.

Security Recommendation: We recommend that you enable Cisco DNA Center's Disaster Recovery Service, to recover from a Cisco DNA Center cluster loss (or a data center loss) and maintain operational continuity.

The Cisco DNA Center recovery cluster contains all the essential data (Mongodb, Postgresql, credentials and certificates, file service) replicated from the main Cisco DNA Center cluster, and takes over control in case the main Cisco DNA Center cluster is lost. For more information, see "Configure Disaster Recovery" in the Cisco DNA Center Administrator Guide.

Note

Disaster recovery uses IPsec tunneling to secure network traffic between disaster recovery systems (main, recovery, and witness). Authentication to set up the IPsec tunneling between disaster recovery systems is done through certificate-based authentication (OpenSSL certificates).

For the key-exchange phase of the IPsec protocol, IPsec tunneling uses the secure and robust IKE2 protocol.

Use a separate certificate (as from Cisco DNA Center system certificate for HTTPS connections) for Disaster Recovery. For more information, see "Add Disaster Recovery Certificate" in the Cisco DNA Center Administrator Guide.

Disaster Recovery Ports

If you are using disaster recovery in your production environment, see the following table to plan the firewall and security policies you'll use to secure your disaster recovery setup. Ensure that the ports listed here are open so that Cisco DNA Center has the access it requires to set up disaster recovery across your network's data centers.

Source Port

Source

Destination Port

Destination

Description

Any

Cisco DNA Center Enterprise IP/VIP

TCP 443

Cisco DNA Center Enterprise VIP

REST API Access

Any

Cisco DNA Center Enterprise IP/VIP

UDP 500

Cisco DNA Center Enterprise VIP

IPSec tunnel

Any

Cisco DNA Center Enterprise IP/VIP

TCP 873

Cisco DNA Center Enterprise VIP

Replication of GlusterFS data through rsync

Any

Cisco DNA Center Enterprise IP/VIP

UDP 4500

Cisco DNA Center Enterprise VIP

IPSec tunnel

Any

Cisco DNA Center Enterprise IP/VIP

TCP 8300

Cisco DNA Center Enterprise VIP

Consul RPC communication

Any

Cisco DNA Center Enterprise IP/VIP

TCP 8301

Cisco DNA Center Enterprise VIP

Consul SERF LAN port

Any

Cisco DNA Center Enterprise IP/VIP

UDP 8301

Cisco DNA Center Enterprise VIP

Consul SERF LAN port

Any

Cisco DNA Center Enterprise IP/VIP

TCP 8302

Cisco DNA Center Enterprise VIP

Consul SERF WAN port¹

Any

Cisco DNA Center Enterprise IP/VIP

UDP 8302

Cisco DNA Center Enterprise VIP

Consul SERF WAN port¹

Any

Cisco DNA Center Enterprise IP/VIP

TCP 8443

Cisco DNA Center Enterprise VIP

HA proxy API access ²

Any

Cisco DNA Center Enterprise IP/VIP

TCP 31000

Cisco DNA Center Enterprise VIP

Postgres replication

Any

Cisco DNA Center Enterprise IP/VIP

TCP 31001

Cisco DNA Center Enterprise VIP

Postgres replication

Any

Cisco DNA Center Enterprise IP/VIP

TCP 31002

Cisco DNA Center Enterprise VIP

Credential Manager replication

Any

Cisco DNA Center Enterprise IP/VIP

TCP 31003

Cisco DNA Center Enterprise VIP

MongoDB replication

Any

Cisco DNA Center Enterprise IP/VIP

TCP 31004

Cisco DNA Center Enterprise VIP

MongoDB replication

Any

Cisco DNA Center Enterprise IP/VIP

UDP 500

Witness IP

IPSec tunnel

Any

Cisco DNA Center Enterprise IP/VIP

TCP 2222

Witness IP

TCP ping for witness reachability

Any

Cisco DNA Center Enterprise IP/VIP

UDP 4500

Witness IP

IPSec tunnel

Any

Cisco DNA Center Enterprise IP/VIP

TCP 8300

Witness IP

Consul RPC communication

Any

Cisco DNA Center Enterprise IP/VIP

TCP 8301

Witness IP

Consul SERF LAN port

Any

Cisco DNA Center Enterprise IP/VIP

UDP 8301

Witness IP

Consul SERF LAN port

Any

Cisco DNA Center Enterprise IP/VIP

TCP 8302

Witness IP

Consul SERF WAN port¹

Any

Cisco DNA Center Enterprise IP/VIP

UDP 8302

Witness IP

Consul SERF WAN port¹

Any

Cisco DNA Center Enterprise IP/VIP

TCP 8443

Witness IP

HA proxy API access ²

Any

Cisco DNA Center Enterprise/ Management VIP

TCP 179

Neighbor router

BGP session with neighbor router

Note

Open this port if BGP is configured to advertise the disaster recovery VIP.

Any

Witness IP

UDP 53

DNS Server

From witness to DNS server

Any

Witness IP

UDP 123

NTP Server

From witness to NTP server

Any

Witness IP

TCP 443

Cisco DNA Center Enterprise VIP

Access APIs during disaster recovery registration

Any

Witness IP

UDP 500

Cisco DNA Center Enterprise VIP

IPSec tunnel

Any

Witness IP

UDP 4500

Cisco DNA Center Enterprise VIP

IPSec tunnel

Any

Witness IP

TCP 8300

Cisco DNA Center Enterprise VIP

Consul RPC communication

Any

Witness IP

TCP 8301

Cisco DNA Center Enterprise VIP

Consul SERF LAN port

Any

Witness IP

UDP 8301

Cisco DNA Center Enterprise VIP

Consul SERF LAN port

Any

Witness IP

TCP 8302

Cisco DNA Center Enterprise VIP

Consul SERF WAN port¹

Any

Witness IP

UDP 8302

Cisco DNA Center Enterprise VIP

Consul SERF WAN port¹

Any

Witness IP

TCP 8443

Cisco DNA Center Enterprise VIP

HA proxy API access ²

¹ This requirement will be removed in a future Cisco DNA Center release.

² This requirement will be added in a future Cisco DNA Center release.

Secure Internet Access to Required Internet URLs and Fully Qualified Domain Names

Security Recommendation: We recommend that you allow secure access only to URLs and Fully Qualified Domain Names required by Cisco DNA Center, through an HTTP(s) proxy.

For more information, see "Required Internet URLs and Fully Qualified Domain Names" and "Provide Secure Access to the Internet" sections in the latest Cisco DNA Center Second-Generation Appliance Installation Guide.

Secure the Management Interface

If you are using Cisco Integrated Management Controller (IMC), the first security action to perform on the Cisco DNA Center appliance is to secure the out-of-band management interface (Cisco IMC) account. Change the default password of the admin account to a stronger value as per the password policy. See "Enable Browser Access to Cisco IMC" in the Cisco DNA Center Appliance Installation Guide and "Configure External Authentication" in the Cisco DNA Center Administrator Guide.

Note

You must secure the password of Maglev CLI users with super admin access. For details, see "Configure the Primary Node" in the Cisco DNA Center Appliance Installation Guide.

Rate Limit IP Traffic to an Interface

Security Recommendation: We recommend that you rate limit the incoming IP traffic to Cisco DNA Center from your network devices.

By default, Cisco DNA Center does not rate limit IP traffic to its interfaces. However, we recommend that you rate limit the incoming IP traffic from a specific source IP or all the traffic to a Cisco DNA Center interface (from a specific source IP or all the traffic) for protecting against DoS/DDoS attacks from internal network threats.

Before you begin

You must have maglev SSH access privileges to perform this procedure.

Procedure

Step 1

Using an SSH client, log in to the Cisco DNA Center appliance with the IP address that you specified using the configuration wizard.

The IP address that you must enter for the SSH client is the one you configured for the network adapter. This IP address connects the appliance to the external network.

Step 2

When prompted, enter your username and password for SSH access.

Step 3

Enter the following command to restrict the incoming traffic from a specific source:

/opt/maglev/bin/throttle_ip [options]
Options
-h show this help text
-i IP to rate limit (default: 0.0.0.0 i.e. ALL traffic)
-c Committed Information Rate in KBps (default: 100 K Bps)
-n Interface number (Mandatory parameter)
-d delete the last config and move the NIC to default configuration
-a Insert the new IP (to be throttled) in the already build filter list
-s show the current filter

Note

If you don’t enter a specific IP address, the full interface is throttled. The mandatory interface name limits the input transmission rate for all classes of traffic based on user-defined criteria.

Examples

#To create a new filter list
./throttle_ip -i 192.0.2.105 -n enp0s8 -c 256

#To add a new IP with different bandwidth
./throttle_ip -a 192.0.2.106 -n enp0s8 -c 512

#To delete all the IP from the List
./throttle_ip -d -n enp0s8

#To show the filters
./throttle_ip -s -n enp0s8

Step 4

Log out of the Cisco DNA Center appliance.

Change the Minimum TLS Version and Enable RC4-SHA (Not Secure)

Security Recommendation: We recommend that you upgrade the minimum TLS version to TLSv1.2 for incoming TLS connections to Cisco DNA Center.

Northbound REST API requests from an external network, such as northbound REST API-based apps, browsers, and network devices connecting to Cisco DNA Center using HTTPS are made secure using the Transport Layer Security (TLS) protocol.

By default, Cisco DNA Center supports TLSv1.1 and TLSv1.2, and does not support RC4 ciphers for SSL/TLS connections. Since RC4 ciphers have well known weaknesses, we recommend that you upgrade the minimum TLS version to TLSv1.2 if your network devices support it.

Cisco DNA Center provides a configuration option to downgrade the minimum TLS version and enable RC4-SHA if your network devices under Cisco DNA Center control cannot support the existing minimum TLS version (TLSv1.1) or ciphers. For security reasons, however, we recommend that you do not downgrade Cisco DNA Center TLS version or enable RC4-SHA ciphers.

To change the TLS version or enable RC4-SHA for Cisco DNA Center, log in to the corresponding appliance and use the CLI.

Note

CLI commands can change from one release to the next. The following CLI example uses command syntax that might not apply to all Cisco DNA Center releases.

Before you begin

You must have maglev SSH access privileges to perform this procedure.

Note

This security feature applies to port 443 on Cisco DNA Center. Performing this procedure may disable traffic on the port to the Cisco DNA Center infrastructure for a few seconds. For this reason, you should configure TLS infrequently and only during off-peak hours or during a maintenance period.

Procedure

Step 1

Using an SSH client, log in to the Cisco DNA Center appliance with the IP address that you specified using the configuration wizard.

The IP address to enter for the SSH client is the IP address that you configured for the network adapter. This IP address connects the appliance to the external network.

Step 2

When prompted, enter your username and password for SSH access.

Step 3

Enter the following command to check the TLS version currently enabled on the cluster.

The following is an example:

Input
$ magctl service tls_version --tls-min-version show
Output
TLS minimum version is 1.1

Step 4

If you want to change the TLS version on the cluster, enter the following commands. For example, you might want to change the current TLS version to an earlier version if your network devices under Cisco DNA Center control cannot support the existing TLS version.

The following example shows how to change from TLS Version 1.1 to 1.0:

Input
$ magctl service tls_version --tls-min-version 1.0
Output
Enabling TLSv1.0 is recommended only for legacy devices
Do you want to continue? [y/N]: y
WARNING: Enabling TLSv1.0 for api-gateway
deployment.extensions/kong patched

The following example shows how to change from TLS Version 1.1 to 1.2 (only allowed if you haven't enabled RC4-SHA):

Input
$ magctl service tls_version --tls-min-version 1.2
Output
Enabling TLSv1.2 will disable TLSv1.1 and below
Do you want to continue? [y/N]: y
WARNING: Enabling TLSv1.2 for api-gateway
deployment.extensions/kong patched

Note

Setting TLS Version 1.2 as the minimum version is not supported when RC4-SHA ciphers are enabled.

Step 5

If you want to change the TLS version for streaming telemetry connections between Cisco DNA Center and Catalyst 9000 devices (via the TCP 25103 port), enter the following command. For example, you might want to change the current TLS version if the network devices Cisco DNA Center manages can support TLS version 1.2.

The following example shows how to change from TLS Version 1.1 to 1.2:

Input
$ magctl service tls_version --tls-min-version 1.2 -a assurance-backend collector-iosxe-db
Output
Enabling TLSv1.2 will disable TLSv1.1 and below
Do you want to continue? [y/N]: y
WARNING: Enabling TLSv1.2 for api-gateway
deployment.apps/collector-iosxe-db patched

Step 6

Enter the following command to enable RC4-SHA on a cluster (not secure; proceed only if needed).

Enabling RC4-SHA ciphers is not supported when TLS Version 1.2 is the minimum version.

The following example shows TLS version 1.2 is not enabled:

Input
$ magctl service ciphers --ciphers-rc4=enable kong
Output
Enabling RC4-SHA cipher will have security risk
Do you want to continue? [y/N]: y
WARNING: Enabling RC4-SHA Cipher for kong
deployment.extensions/kong patched

Step 7

Enter the following command at the prompt to confirm that TLS and RC4-SHA are configured.

The following is an example:

Input
$ magctl service display kong 
Output
      containers:
      - env:
        - name: TLS_V1
          value: "1.1"
        - name: RC4_CIPHERS
          value: "true"

Note

If RC4 and TLS minimum versions are set, they are listed in the env: of the magctl service display kong command. If these values are not set, they do not appear in the env:.

Step 8

To disable the RC4-SHA ciphers that you enabled previously, enter the following command on the cluster:

Input
$ magctl service ciphers --ciphers-rc4=disable kong
Output
WARNING: Disabling RC4-SHA Cipher for kong
deployment.extensions/kong patched

Step 9

Log out of the Cisco DNA Center appliance.

Use of OCSP and CRL for HTTPS Connections by Cisco DNA Center

Cisco DNA Center uses Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) to confirm that a remote certificate is not revoked.

Procedure

Step 1

Cisco DNA Center checks for OCSP. If a valid OCSP URI or URL is present in the Authority Information Access (AIA) field of the certificate, Cisco DNA Center sends an OCSP request to the URI or URL to validate its revocation status.

If the certificate is revoked, Cisco DNA Center terminates the connection and returns an error.
If the certificate is not revoked, proceed with the connection.
If the connection times out, for example, in an air-gapped network, continue with the next step.
If the connection reaches an unauthentic OCSP or CRL responder, Cisco DNA Center terminates the connection and returns an error. If an Man in the Middle (MiTM) web proxy, such as Cisco Web Security appliances (WSA), is used for internet - bound traffic, ensure that it is configured to permit the OCSP and CRL URLs from Cisco DNA Center.

Step 2

Cisco DNA Center checks for CRL. If the certificate includes the CRL Distribute Points field, and that field has at least one entry with a valid CRL URI or URL, Cisco DNA Center downloads the CRL from the URI or URL, and validates the certificate against the downloaded CRL.

If the certificate is revoked, Cisco DNA Center terminates the connection and returns an error.
If the certificate is not revoked, proceed with the connection.
If the connection times out, for example, in an air-gapped network, proceed with the connection, because this is the final check, and there is no way to determine that the certificate is revoked.
If the connection reaches an unauthentic OCSP or CRL responder, Cisco DNA Center terminates the connection and returns an error. If an MiTM web proxy, such as Cisco WSA, is used for internet - bound traffic, ensure that it is configured to permit the OCSP and CRL URLs from Cisco DNA Center.

Note

Cisco DNA Center supports HTTP-type CRL or OCSP, and does not support the use of Lightweight Directory Access Protocol (LDAP) CRL.

For example, while requesting a certificate for the remote system with Microsoft Certification Authority, you can configure the CDP and AIA extensions to add the OCSP or HTTP URL and remove the LDAP CRL. For details, see Configure the CDP and AIA Extensions on CA1.

Manage Credentials and Passwords

Cluster Password

Cisco DNA Center supports cluster formation with three nodes. For efficiency and security, we recommend the following:

The cluster should be created with dedicated separated interfaces for connecting to the enterprise network, forming an intracluster network, and connecting to a dedicated management network.
The intracluster network is created as an isolated Layer 2 segment and not connected or routed through any other network segments.
You should not reuse passwords (Cisco IMC or SSH) across the Cisco DNA Center cluster members.

SSH or Maglev Password Recovery

You must secure the SSH password. Share the SSH password only with the super admin. Cisco DNA Center does not provide the functionality to recover the SSH password.

SSH Account Lockout and Recovery

After six consecutive failed login attempts over SSH, the maglev account will be temporarily locked for five minutes from the time of last failed attempt. During this lockout period, login attempts with the correct password will also fail, and be counted as a failed login. The account will be unlocked for SSH login only after five minutes of no login activity. However, login using the Cisco IMC console will continue to work even during the lockout period. The administrator can enable SSH login during the lockout period, by executing the following command in the Linux shell:

sudo pam_tally2 --reset

Web UI Password Recovery

If a web UI user's password is lost, the password can be reset using the command-line shell, which requires SSH or console access. See "Reset a Forgotten Password" in the Cisco DNA Center Administrator Guide.

Password Encryption

By default, Cisco DNA Center's pluggable authentication module (PAM) uses the SHA-512 hashing algorithm to store and hash local user account passwords (the strongest method available for UNIX-based systems). No user-configurable action is available for Cisco DNA Center’s password encryption mechanism.

Logs and Database Management

System logs are available to the operating system administrator user with escalated privileges (sudo access). The application logs are stored in Elasticsearch, and can be accessed through the web UI after authentication. The databases are protected by credentials, which are randomly generated during installation, and securely passed to the applications that need database access. No user-configurable action is available to change these settings.

Communication Protocol Payload Encryption

In clustered mode, Cisco DNA Center nodes communicate with each other through the intracluster network. No separate encryption is applied to the intracluster traffic. It is important to keep the intracluster network isolated.

Note

Services that exchange sensitive data among themselves use HTTPS.

Change Web UI Users and Linux or Maglev User Password

Security Recommendation: We recommend that you regularly change Cisco DNA Center GUI user passwords and Maglev user password.

Procedure

Step 1

To change the Linux or Maglev user password, do the following:

Using an SSH client, log in to the Cisco DNA Center appliance with the IP address that you specified using the configuration wizard. The IP address to enter for the SSH client is the IP address that you configured for the network adapter.
When prompted, enter your username and password for SSH access.
Enter the following command:
```
Input
$ sudo maglev-config update
```
The Maglev configuration wizard's welcome screen opens.
Click next>> until you see the User Account Settings wizard screen.
Enter the maglev user's Linux password.

Click next>> until you see the CONFIGURATION SUCCEEDED! message.

Note

For more information, see the "Configure the Appliance Using the Maglev Wizard" chapter in the Cisco DNA Center Second-Generation Appliance Installation Guide.

Step 2

For changing the GUI user password, do the following:

Note that only you can change the password that you enter to log in to Cisco DNA Center. Even a user with administrator privileges cannot change a user's password. If an administrator needs to change a user's password, they must delete and re-add the user, using a new password.

Log in to Cisco DNA Center web UI.
Click the menu icon () and choose System > Users & Roles > Change Password.
Enter information in the required fields and click Update.

Default Certificates

Security Recommendation: We recommend that you change the default Cisco DNA Center TLS certificate with a certificate signed by your internal certificate authority.

By default, Cisco DNA Center uses self-signed certificates. Cisco DNA Center manages the devices using the devices' self-signed certificates, unless otherwise deployed. We strongly recommend that you use a certificate signed by your internal certificate authority during deployment.

Note

Changing the Cisco DNA Center certificate from either self-signed to certificate-signed by your internal CA or from root CA to subordinate CA disrupts network operations. When this happens, network devices need to establish trust with the new CA before connections can be established. The devices will then be automatically reprovisioned with the new CA using device controllability.

Existing connections that have already been established are not impacted. However, if a connection is lost for some reason (such as a power outage or reboot), network devices will need to establish trust with the new CA before connections can be established.

As a result, we strongly recommend that you upgrade certificates before you begin the deployment.

Certificate and Private Key Support

Cisco DNA Center supports the PKI Certificate Management feature, which is used to authenticate sessions (HTTPS). These sessions use commonly recognized trusted agents called CAs. Cisco DNA Center uses the PKI Certificate Management feature to import, store, and manage X.509 certificates from your internal CA. The imported certificate becomes an identity certificate for Cisco DNA Center, and Cisco DNA Center presents this certificate to its clients for authentication. The clients are the northbound API applications and network devices.

You can import the following files (in either PEM or PKCS file format) using the Cisco DNA Center GUI:

X.509 certificate
Private key

Note

For the private key, Cisco DNA Center supports the import of RSA keys. Keep the private key secure in your own key management system. The private key must have a minimum modulus size of 2048 bits.

With Cisco DNA Center 2.3.4.x and earlier, do not import DSA, DH, ECDH, and ECDSA key types, because they are not supported. Cisco DNA Center 2.3.4.x and earlier does not support any form of ECDH and ECDSA, which includes any leaf certificate tied to the certificate chain.

Cisco DNA Center 2.3.5 and later supports all key types.

Prior to import, you must obtain a valid X.509 certificate and private key issued by your internal CA and the certificate must correspond to a private key in your possession. After import, the security functionality based on the X.509 certificate and private key is automatically activated. Cisco DNA Center presents the certificate to any device or application that requests it. Northbound API applications and network devices can use these credentials to establish a trust relationship with Cisco DNA Center.

Note

We recommend that you do not use and import a self-signed certificate to Cisco DNA Center. We recommend that you import a valid X.509 certificate from your internal CA. Additionally, you must replace the self-signed certificate (installed in Cisco DNA Center by default) with a certificate that is signed by your internal CA for the Plug and Play functionality to work correctly.

Cisco DNA Center supports only one imported X.509 certificate and private key at a time. When you import a second certificate and private key, the latter overwrites the first (existing) imported certificate and private key values.

Certificate Chain Support

Cisco DNA Center is able to import certificates and private keys through its GUI. If subordinate certificates are involved in a certificate chain, leading to the certificate that is to be imported into Cisco DNA Center (signed certificate), both the subordinate certificates as well as the root certificate of these subordinate CAs must be appended together into a single file in order to be imported. When appending these certificates, you must append them in the same order as the actual chain of certification.

The following certificates should be pasted together into a single PEM file. Review the certificate subject name and issuer to ensure that the correct certificates are being imported and correct order is maintained. Ensure that all of the certificates in the chain are pasted together.

Signed Cisco DNA Center certificate: Its Subject field includes CN=<FQDN of Cisco DNA Center>, and the issuer has the CN of the issuing authority.

Note

If you install a third-party certificate, ensure that the certificate specifies all of the DNS names (including the Cisco DNA Center FQDN) that are used to access Cisco DNA Center in the alt_names section. For more information, see Step 3 in Generate a Certificate Request Using Open SSL.

Issuing (subordinate) CA certificate that issues the Cisco DNA Center certificate: Its Subject field has CN of the (subordinate) CA that issues the Cisco DNA Center certificate, and the issuer is that of the root CA.
Next issuing (root/subordinate CA) certificate that issues the subordinate CA certificate: Its Subject field is the root CA, and the issuer has the same value as the Subject field. If they are not the same, you must append the next issuer, and so on.

Generate a Certificate Request Using Open SSL

Procedure

Step 1

Use an SSH client to log in to the Cisco DNA Center cluster and create a temporary folder under /home/maglev, for example, by entering the mkdir tls-cert;cd tls-cert command while in the home directory.

Step 2

Before proceeding further, ensure that the Cisco DNA Center hostname (FQDN) is set during Cisco DNA Center configuration by entering the maglev cluster network display command. You must have root privileges to run this command:

Input
$ maglev cluster network display
Output
cluster_network:
	cluster_dns: 169.254.20.10
	cluster_hostname: fqdn.cisco.com

If the cluster_hostname output field is empty or is not what you want, add or change the Cisco DNA Center hostname (FQDN) by entering the sudo maglev-config update command, as shown in the following example. You must have root privileges to run this command.

Input
$ sudo maglev-config update
Output
Maglev config wizard GUI

Click Next until you see the step titled MAGLEV CLUSTER DETAILS containing the input prompt Cluster's hostname. Set the hostname to the desired Cisco DNA Center FQDN. Click Next and Proceed until Cisco DNA Center is reconfigured with the new FQDN.

Step 3

Using a text editor of your choice, create a file named openssl.cnf and upload it to the directory that you created in the preceding step. Use the following example as your guide, but adjust it to fit your deployment:

Adjust default_bits and default_md if your certificate authority admin team requires 2048/sha256 instead.
Specify values for every field in the req_distinguished_name and alt_names sections. The only exception is the OU field, which is optional. Omit the OU field if your certificate authority admin team does not require it.
The emailAddress field is optional; omit it if your certificate authority admin team does not require it.

alt_names section: The certificate configuration requirements vary depending on the Cisco DNA Center version.

Limited support of FQDNs in the Cisco DNA Center certificate is available from Cisco DNA Center 2.1.1 onwards. However, FQDN support in the Cisco DNA Center certificate is not currently available for LAN automation. If you plan to use LAN automation, you cannot use an FQDN-only certificate (even from Cisco DNA Center 2.1.1 onwards).

For Cisco DNA Center versions earlier than 2.1.1 (and if you plan to use LAN automation in Cisco DNA Center versions 2.1.1 and later), you need a certificate with IP addresses defined in the Subject Alternative Name (SAN) field. See, Cisco DNA Center versions earlier than 2.1.1, and Cisco DNA Center versions 2.1.1 onwards if you plan to use LAN automation bullet point mentioned below for guidance regarding the alt_names section in this scenario.

The alt_names section configurations for Cisco DNA Center versions 2.1.1 and later (without LAN automation support) are as follows.

Note

For security reasons, we recommend that you only use FQDNs in the Cisco DNA Center certificate (limited FQDN support is available from Cisco DNA Center 2.1.1 onwards without LAN automation). If you want to use IP addresses instead of FQDNs in the certificate (or need to because you are using LAN automation), complete the steps described in the Cisco DNA Center versions earlier than 2.1.1, and Cisco DNA Center versions 2.1.1 onwards if you plan to use LAN automation bullet point, ensuring that you enter IP addresses in the SAN fields.

Cisco DNA Center versions 2.1.1 and later (without LAN automation support):

Pay close attention to the alt_names section, which must contain all DNS names (including the Cisco DNA Center FQDN) that are used to access Cisco DNA Center, either by a web browser or by an automated process such as PnP or Cisco ISE.

The first DNS entry in the alt_names section should contain Cisco DNA Center's FQDN (DNS.1 = FQDN-of-Cisco-DNA-Center). You cannot add a wildcard DNS entry in place of Cisco DNA Center's FQDN, but you can use a wildcard in subsequent DNS entries in the alt-names section (for PnP and other DNS entries). For example, *.domain.com is a valid entry.

Important

For Cisco DNA Center 2.1.1 and later, FQDN support is not available for LAN automation.
For Cisco DNA Center 2.1.1 and later, if the certificate only contains FQDNs, the DHCP pool on the seed device needs to be edited in order for PnP to work. For guidance, see the following information in Cisco DNA Center User Guide's "Provision Your Network" chapter:
- PnP: At the end of the "DHCP Controller Discovery" topic, see the information that begins with the following text: "If the Cisco DNA Center system certificate has an FQDN-only SAN field....

The alt_names section must contain FQDN-of-Cisco-DNA-Center as a DNS entry, and must match the Cisco DNA Center hostname (FQDN) that is set during Cisco DNA Center configuration through the configuration wizard (in the Cluster's hostname input field).

Cisco DNA Center currently supports only one hostname (FQDN) for all interfaces. If you are using both the management port and the enterprise port in Cisco DNA Center to connect devices to Cisco DNA Center in your network, you must configure the GeoDNS policy such that it resolves to the management IP or virtual IP and enterprise IP/virtual IP for the Cisco DNA Center hostname (FQDN) based on the network from which the DNS query is received. Setting up a GeoDNS policy is not required if you are using only the enterprise port in Cisco DNA Center to connect devices to Cisco DNA Center in your network.

Note

If you have enabled disaster recovery for Cisco DNA Center:

If you are using virtual IPs for Disaster Recovery, you must use the same cluster_hostname, that is, the FQDN for Cisco DNA Center (set in Cisco DNA Center configuration wizard), in both main and recovery clusters. Also, you must configure the GeoDNS policy such that it resolves the disaster recovery management virtual IP and the disaster recovery enterprise virtual IP for the Cisco DNA Center hostname (FQDN), based on the network from which the DNS query is received. Setting up a GeoDNS policy is only required if you are using both the management port and the enterprise port in Cisco DNA Center to connect devices to Cisco DNA Center in your network. Certificate alt_names sections look similar to the following::
```
[alt_names]
DNS.1 = FQDN-of-Cisco-DNA-Center
```
If you are not using virtual IPs for Disaster Recovery, you must use different cluster_hostnames, that is the FQDNs for Cisco DNA Center in an enterprise network (set in Cisco DNA Center configuration wizard), in both the main and recovery clusters. Also, you must configure a GeoDNS policy such that it resolves the disaster recovery management IP and the disaster recovery enterprise IP for the Cisco DNA Center hostname (FQDN) based on the network from which the DNS query is received, for both the main and recovery clusters. Setting up a GeoDNS policy is only required if you are using both the management and the enterprise port in Cisco DNA Center for connecting devices to Cisco DNA Center in your network. Certificate alt_names sections look similar to the following:
```
[alt_names]
DNS.1 = FQDN-of-Cisco-DNA-Center-Main
DNS.2 = FQDN-of-Cisco-DNA-Center-Recovery
```

For more information, see "Implement Disaster Recovery Certificate" in the Cisco DNA Center Administrator Guide.

Cisco DNA Center versions earlier than 2.1.1, and Cisco DNA Center versions 2.1.1 onwards if you plan to use LAN automation:

Pay close attention to the alt_names section, which must contain all the IP addresses and DNS names that are used to access Cisco DNA Center, either by a web browser or by an automated process such as PnP or Cisco ISE. (The following example assumes a three-node Cisco DNA Center cluster. If you have a standalone device, use SANs for only that node and the VIP. If you cluster the device later, you might want to re-create the certificate to include the IP addresses of the new cluster members.)

If a cloud interface is not configured, omit the cloud port fields:
- In the extendedKeyUsage extension, the attributes serverAuth and clientAuth are mandatory. If you omit either attribute, Cisco DNA Center rejects the SSL certificate.
- If you are importing a self-signed certificate (not recommended), it must contain the X.509 Basic Constraints "CA:TRUE" extension, and the keyUsage extension must include keyCertSign.

Example of openssl.cnf (applicable for Cisco DNA Center versions 2.1.1 and later, without LAN automation support)

req_extensions = v3_req
distinguished_name = req_distinguished_name
default_bits = 4096
default_md = sha512
prompt = no
[req_distinguished_name]
C = <two-letter-country-code>
ST = <state-or-province>
L = <city>
O = <company-name>
OU = MyDivision
CN = FQDN-of-Cisco-DNA-Center
emailAddress = responsible-user@mycompany.tld

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = FQDN-of-Cisco-DNA-Center
DNS.2 = pnpserver.DomainAssignedByDHCPDuringPnP.tld
DNS.3 = *.domain.com

Example of openssl.cnf (applicable for Cisco DNA Center versions earlier than 2.1.1, and Cisco DNA Center versions 2.1.1 onwards if you plan to use LAN automation)

req_extensions = v3_req
distinguished_name = req_distinguished_name
default_bits = 4096
default_md = sha512
prompt = no
[req_distinguished_name]
C = <two-letter-country-code>
ST = <state-or-province>
L = <city> O = <company-name>
OU = MyDivision
CN = FQDN-of-Cisco-DNA-Center
emailAddress = responsible-user@mycompany.tld
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = FQDN-of-Cisco-DNA-Center
DNS.2 = pnpserver.DomainAssignedByDHCPDuringPnP.tld
IP.1 = Enterprise port IP node #1
IP.2 = Enterprise port IP node #2
IP.3 = Enterprise port IP node #3
IP.4 = Enterprise port VIP
IP.5 = Cluster port IP node #1
IP.6 = Cluster port IP node #2
IP.7 = Cluster port IP node #3
IP.8 = Cluster port VIP
IP.9 = GUI port IP node #1
IP.10 = GUI port IP node #2
IP.11 = GUI port IP node #3
IP.12 = GUI port VIP
IP.13 = Cloud port IP node #1
IP.14 = Cloud port IP node #2
IP.15 = Cloud port IP node #3
IP.16 = Cloud port VIP

Note

If you don’t include the cluster IP addresses in the openssl.cnf file, you cannot schedule software image activation. To fix this problem, add the cluster IP addresses as SANs to the certificate.

Step 4

Enter the following command to create a private key. Adjust the key length to 2048 if required by your certificate authority admin team.

openssl genrsa -out csr.key 4096

Step 5

After populating the fields in the openssl.cnf file, use the private key that you created in the preceding step to generate the Certificate Signing Request:

openssl req -config openssl.cnf -new -key csr.key -out DNAC.csr

Step 6

Verify the Certificate Signing Request content and ensure that the DNS names (and IP addresses for Cisco DNA Center version earlier than 2.1.1) are populated correctly in the subjectAltName field..

openssl req -text -noout -verify -in DNAC.csr

Step 7

Copy the Certificate Signing Request and paste it to a CA, for example, MS CA:

Ensure that the certificate template you choose is configured for both client and server authentication (as illustrated in the extendedKeyUsage line in Step 2's openssl.cnf file example).

Step 8

Proceed to gather the issued certificate and its issuer CA chain.

Step 9

If the certificate issuer provides the certificate full chain (server and CA) in p7b, do the following:

Download the p7b bundle in DER format and save it as dnac-chain.p7b.
Copy the dnac-chain.p7b certificate to the Cisco DNA Center cluster through SSH.

Enter the following command:

openssl pkcs7 -in dnac-chain.p7b -inform DER -out dnac-chain.pem -print_certs

Step 10

If the certificate issuer provides the certificate and its issuer CA chain in loose files, do the following:

Gather the PEM (base64) files or use openssl to convert DER to PEM.
Concatenate the certificate and its issuer CA, starting with the certificate, followed by the subordinate CA, all the way to the root CA, and output it to dnac-chain.pem file.
```
cat certificate.pem subCA.pem rootCA.pem > dnac-chain.pem
```

Step 11

Copy the dnac-chain.pem file generated in the Cisco DNA Center cluster to your local system.

Step 12

Click the menu icon () and choose System > Settings > System Certificates.

Step 13

Click Replace Certificate.

Step 14

In the Certificate area, click the PEM radio button and perform the following tasks.

In the Certificate area, import the dnac-chain.pem file by dragging and dropping this file into the Drag n' Drop a File Here field.
In the Private Key area, import the private key (csr.key) by dragging and dropping this file into the Drag n' Drop a File Here field.
Choose No from the Encrypted drop-down list for the private key.

Step 15

Click Upload/Activate.

Update the Cisco DNA Center Server Certificate

Cisco DNA Center supports the import and storage of an X.509 certificate and private key into Cisco DNA Center. After import, the certificate and private key can be used to create a secure and trusted environment between Cisco DNA Center, northbound API applications, and network devices.

You can import a certificate and a private key using the Certificates window in the GUI.

Before you begin

You must obtain a valid X.509 certificate that is issued by your internal CA and the certificate must correspond to a private key in your possession.

Procedure

Step 1

Click the menu icon () and choose System > Settings > Trust & Privacy > System Certificates.

Step 2

In the System tab, view the current certificate data.

When you first view this window, the current certificate data that is displayed is the Cisco DNA Center self-signed certificate. The self-signed certificate's expiry is set for several years in the future.

Note

The expiration date and time is displayed as a Greenwich Mean Time (GMT) value. A system notification is displayed in the Cisco DNA Center GUI two months before the certificate expires.

The System tab displays the following fields:

Current Certificate Name: Name of the current certificate.
Issuer: Name of the entity that has signed and issued the certificate.
Authority: Either self-signed or the name of the CA.
Expires: Expiry date of the certificate.

Step 3

In the System Certificates window, click Replace Certificate.

In Cisco DNA Center 2.3.2 and later, you will see the Generate New CSR link if you are generating the CSR for the first time. Otherwise, you will see the Download existing CSR link. You can download the existing CSR and submit it to your provider to generate your certificate. If you don't want to use the existing CSR, click Delete existing CSR and click Accept in the subsequent Confirmation window. You can now see the Generate New CSR link.

Step 4

Click the Generate New CSR link.

Step 5

In the Certificate Signing Request Generator window, provide information in the required fields.

Step 6

Click Generate New CSR.

The generated new CSR is downloaded automatically.

The Certificate Signing window shows the CSR properties and allows you to do the following:

Copy the CSR properties in plain text.
Copy Base64 and paste to MS CA.
Download Base64.

Step 7

(Optional) Check the Use system certificate for Disaster Recovery as well check box if you want to use the same certificate for disaster recovery.

Step 8

Choose the file format type for the certificate that you are importing into Cisco DNA Center:

PEM: Privacy-enhanced mail file format.

PKCS: Public-Key Cryptography Standard file format.

Note

PKCS file type is disabled if you choose the Generate New CSR option to request a certificate.

Step 9

Confirm that the certificate issuer provides the certificate full chain (server and CA) in p7b. When in doubt, do the following to examine and assemble the chain:

Download the p7b bundle in DER format and save it as dnac-chain.p7b.
Copy the dnac-chain.p7b certificate to the Cisco DNA Center cluster through SSH.

Enter the following command:

openssl pkcs7 -in dnac-chain.p7b -inform DER -out dnac-chain.pem -print_certs

Confirm that all certificates are accounted for in the output, with the issuer and Cisco DNA Center certificates included. Continue to upload as PEM. If the certificates are in loose files, complete the next step to download and assemble the individual files.

Step 10

If the certificate issuer provides the certificate and its issuer CA chain in loose files, do the following:

Gather the PEM (base64) files or use openssl to convert DER to PEM.
Concatenate the certificate and its issuer CA, starting with the certificate, followed by subordinate CA, all the way to the root CA, and output it to dnac-chain.pem file.

cat certificate.pem subCA.pem rootCA.pem > dnac-chain.pem
Continue to upload as PEM.

Step 11

For a PEM file, perform the following tasks:

Import the PEM file by dragging and dropping the file into the Drag and Drop area.

Note

A PEM file must have a valid PEM format extension (.pem). The maximum file size for the certificate is 10 MB.

After the upload succeeds, the system certificate is validated.

Import the Private Key by dragging and dropping the file into the Drag and Drop area.

Note

Private keys must have a valid private key format extension (.key). The maximum file size for the private key is 10 MB.

After the upload succeeds, the private key is validated.

Choose the encryption option from the Encrypted area for the private key.
If you choose encryption, enter the password for the private key in the Password field.

Step 12

For a PKCS file, perform the following tasks:

Import the PKCS file by dragging and dropping the file into the Drag and Drop area.

Note

A PKCS file must have a valid PKCS format extension (.pfx or .p12). The maximum file size for the certificate is 10 MB.

After the upload succeeds, the system certificate is validated.

Enter the passphrase for the certificate in the Password field.

Note

For PKCS, the imported certificate also requires a passphrase.

For the Private Key field, choose the encryption option for the private key.
For the Private Key field, if encryption is chosen, enter the password for the private key in the Password field.

Step 13

Click Save.

Note

After the Cisco DNA Center server’s SSL certificate is replaced, you are automatically logged out, and must log in again.

Step 14

Return to the Certificates window to view the updated certificate data.

The information displayed in the System tab should have changed to reflect the new certificate name, issuer, and the certificate authority.

PKI Certificate Authority

Clients looking to establish an HTTPS connection with Cisco DNA Center use its server CA in order to confirm its identity and complete authentication. In addition to the server CA, Cisco DNA Center also makes use of a public key infrastructure (PKI) CA (configured as either a root or subordinate CA) to establish client connections. When used, the PKI CA gives you the option of using a different realm trust (signing CA) than the one associated with Cisco DNA Center’s server CA.

Change the Role of the PKI Certificate from Root to Subordinate

The device PKI CA, a private CA that is provided by Cisco DNA Center, manages the certificates and keys used to establish and secure server-client connections. To change the role of the device PKI CA from a root CA to a subordinate CA, complete the following procedure.

You can change the role of the private (internal) Cisco DNA Center CA from a root CA to a subordinate CA using the PKI Certificate Management window in the GUI. When making this change, do the following:

If you intend to have Cisco DNA Center act as a subordinate CA, it is assumed that you already have a root CA, for example, Microsoft CA, and you are willing to accept Cisco DNA Center as a subordinate CA.
As long as the subordinate CA is not fully configured, Cisco DNA Center continues to operate as an internal root CA.

You must generate a Certificate Signing Request file for Cisco DNA Center (as described in the following procedure) and have it manually signed by your external root CA.

Note

Cisco DNA Center continues to run as an internal root CA during this time period.

After the Certificate Signing Request is signed by the external root CA, this signed file must be imported back into Cisco DNA Center using the GUI (as described in the following procedure).

After the import, Cisco DNA Center initializes itself as the subordinate CA and provides all the existing functionalities of a subordinate CA.
If device controllability is enabled (which is the default) before the switchover from the internal root CA to the subordinate CA, the new device certificate is updated automatically.
The subordinate CA certificate lifetime, as displayed in the GUI, is just read from the certificate; it is not computed against the system time. Therefore, if you install a certificate with a lifespan of 1 year today and look at it in the GUI the same time next year, the GUI will still show that the certificate has a 1-year lifetime.
The subordinate CA certificate must be in PEM or DER format only.
The subordinate CA does not interact with the higher CAs; therefore, it is not aware of revocation, if any, of the certificates at a higher level. Because of this, any information about certificate revocation is also not communicated from the subordinate CA to the network devices. Because the subordinate CA does not have this information, all the network devices use only the subordinate CA as the Cisco Discovery Protocol (CDP) source.

Before you begin

You must have a copy of the root CA certificate.

Procedure

Step 1	Click the menu icon () and choose System > Settings > PKI Certificate.
Step 2	Click the CA Management tab.
Step 3	Review the existing root or subordinate CA certificate configuration information from the GUI: Root CA Certificate: Displays the current root CA certificate (either external or internal). Root CA Certificate Lifetime: Displays the current lifetime value of the current root CA certificate, in days. Current CA Mode: Displays the current CA mode (root CA or subordinate CA). Sub CA Mode: Enables a change from a root CA to a subordinate CA.
Step 4	In the CA Management tab, check the Sub CA Mode check box.
Step 5	Click Next.
Step 6	Review the warnings that are displayed: For example, Changing from root CA to subordinate CA is a process that cannot be reversed. You must ensure that no network devices have been enrolled or issued a certificate in root CA mode. Network devices that have been accidentally enrolled in root CA mode must be revoked before changing from root CA to subordinate CA. Network devices must come online only after the subordinate CA configuration process finishes.
Step 7	Click OK to proceed. The PKI Certificate Management window displays the Import External Root CA Certificate field.
Step 8	Drag and drop your root CA certificate into the Import External Root CA Certificate field and click Upload. The root CA certificate is uploaded into Cisco DNA Center and used to generate a Certificate Signing Request. After the upload process finishes, a `Certificate Uploaded Successfully` message is displayed.
Step 9	Click Next. Cisco DNA Center generates and displays the Certificate Signing Request.
Step 10	View the Cisco DNA Center-generated Certificate Signing Request in the GUI and perform one of the following actions: Click the Download link to download a local copy of the Certificate Signing Request file. You can then attach this Certificate Signing Request file to an email to send to your root CA. Click the Copy to the Clipboard link to copy the Certificate Signing Request file's content. You can then paste this Certificate Signing Request content to an email or include it as an attachment to an email and send it to your root CA.
Step 11	Send the Certificate Signing Request file to your root CA. Your root CA will then return a subordinate CA file, which you must import back into Cisco DNA Center.
Step 12	After receiving the subordinate CA file from your root CA, access the Cisco DNA Center GUI again and return to the PKI Certificate Management window.
Step 13	Click the CA Management tab.
Step 14	Click Yes for the Change CA mode button. After clicking Yes, the GUI view with the Certificate Signing Request is displayed.
Step 15	Click Next. The PKI Certificate Management window displays the Import Sub CA Certificate field.
Step 16	Drag and drop your subordinate CA certificate into the Import Sub CA Certificate field and click Apply. The subordinate CA certificate is uploaded into Cisco DNA Center. After the upload finishes, the GUI displays the subordinate CA mode under the CA Management tab.
Step 17	Review the fields under the CA Management tab: Sub CA Certificate: Displays the current subordinate CA certificate. External Root CA Certificate: Displays the root CA certificate. Sub CA Certificate Lifetime: Displays the lifetime value of the subordinate CA certificate, in days. Current CA Mode: Displays SubCA mode.

Provision a Rollover Subordinate CA Certificate

Cisco DNA Center lets you apply a subordinate certificate as a rollover subordinate CA when 70 percent of the existing subordinate CA lifetime has elapsed.

Before you begin

To initiate subordinate CA rollover provisioning, you must have changed the PKI certificate role to subordinate CA mode. See Change the Role of the PKI Certificate from Root to Subordinate.
70 percent or more of the lifetime of the current subordinate CA certificate must have expired. When this occurs, Cisco DNA Center displays a Renew button under the CA Management tab.
You must have a signed copy of the rollover subordinate CA PKI certificate.

Procedure

Step 1	Click the menu icon () and choose System > Settings > Trust & Privacy > PKI Certificate.
Step 2	Click the CA Management tab.
Step 3	Review the CA certificate configuration information: Subordinate CA Certificate: Displays the current subordinate CA certificate. External Root CA Certificate: Displays the root CA certificate. Subordinate CA Certificate Lifetime: Displays the lifetime value of the current subordinate CA certificate, in days. Current CA Mode: Displays SubCA mode.
Step 4	Click Renew. Cisco DNA Center uses the existing subordinate CA to generate and display the rollover subordinate CA Certificate Signing Request.
Step 5	View the generated Certificate Signing Request in the GUI and perform one of the following actions: Click the Download link to download a local copy of the Certificate Signing Request file. You can then attach this Certificate Signing Request file to an email to send it to your root CA. Click the Copy to the Clipboard link to copy the content of the Certificate Signing Request file. You can then paste this Certificate Signing Request content to an email or include it as an attachment to an email and send it to your root CA.
Step 6	Send the Certificate Signing Request file to your root CA. Your root CA will then return a rollover subordinate CA file that you must import back into Cisco DNA Center. The Certificate Signing Request for the subordinate CA rollover must be signed by the same root CA who signed the subordinate CA you imported when you switched from RootCA mode to SubCA mode.
Step 7	After receiving the rollover subordinate CA file from your root CA, return to the PKI Certificate Management window.
Step 8	Click the CA Management tab.
Step 9	Click Next in the GUI in which the Certificate Signing Request is displayed. The PKI Certificate Management window displays the Import Sub CA Certificate field.
Step 10	Drag and drop your subordinate rollover CA certificate into the Import Sub CA Certificate field and click Apply. The rollover subordinate CA certificate is uploaded into Cisco DNA Center. After the upload finishes, the GUI changes to disable the Renew button under the CA Management tab.

Configure the Device Certificate Lifetime

Cisco DNA Center lets you change the certificate lifetime of network devices that are managed and monitored by the private (internal) Cisco DNA Center CA. The Cisco DNA Center default value for the certificate lifetime is 365 days. After the certificate lifetime value is changed using the Cisco DNA Center GUI, network devices that subsequently request a certificate from Cisco DNA Center are assigned this lifetime value.

Note

The device certificate lifetime value cannot exceed the CA certificate lifetime value. Additionally, if the remaining lifetime of the CA certificate is less than the configured device's certificate lifetime, the device gets a certificate lifetime value that is equal to the remaining CA certificate lifetime.

Procedure

Step 1	Click the menu icon () and choose System > Settings > Trust & Privacy > Device Certificate.
Step 2	Review the device certificate and the current device certificate lifetime.
Step 3	In the Device Certificate window, click Modify.
Step 4	In the Device Certificate Lifetime dialog box, enter a new value, in days.
Step 5	Click Save.

Cisco DNA Center Trustpool Support

Cisco DNA Center and Cisco IOS devices support a special PKI certificate store known as trustpool. The trustpool holds X.509 certificates that identify trusted CAs. Cisco DNA Center and the devices in the network use the trustpool bundle to manage trust relationships with each other and with these CAs. Cisco DNA Center manages this PKI certificate store, and an administrator (ROLE_ADMIN) has the ability to update it through the Cisco DNA Center GUI when the certificates in the pool are due to expire, are reissued, or must be changed for other reasons.

Note

Cisco DNA Center also uses the trustpool functionality to determine whether any certificate file that is uploaded through its GUI is a valid trustpool CA-signed certificate.

Cisco DNA Center contains a preinstalled, default Cisco-signed trustpool bundle named ios.p7b. This trustpool bundle is trusted by supported Cisco network devices natively, because it is signed with a Cisco digital signing certificate. This trustpool bundle is critical for the Cisco network devices to establish trust with services and applications that are genuine. This Cisco PKI trustpool bundle file is available at https://www.cisco.com/security/pki/.

To access the Cisco DNA Center PnP functionality, the supported Cisco devices that are being managed and monitored by Cisco DNA Center should import the Cisco PKI trustpool bundle file. When the supported Cisco devices boot for the first time, they contact Cisco DNA Center to import this file.

The Cisco DNA Center trustpool management feature operates in the following manner:

You boot the Cisco devices that support the PnP functionality within your network.

Note that not all Cisco devices support PnP. See the Cisco DNA Center Compatibility Matrix for a list of supported Cisco devices.
As part of the initial PnP flow, the supported Cisco devices download a trustpool bundle directly from Cisco DNA Center using HTTP.

The Cisco devices are now ready to interact with Cisco DNA Center to obtain further device configuration and provisioning according to the PnP traffic flows.

Note that if an HTTP proxy gateway exists between Cisco DNA Center and these Cisco devices, you must import the proxy gateway certificate into Cisco DNA Center.

Note

At times, you might need to update the trustpool bundle to a newer version due to some certificates in the trustpool expiring, being reissued, or for other reasons. Whenever the trustpool bundle needs to be updated, update it by using the Cisco DNA Center GUI. Cisco DNA Center can access the Cisco cloud (where the Cisco-approved trustpool bundles are located) and download the latest trustpool bundle. After download, Cisco DNA Center then overwrites the current or older trustpool bundle file. As a best practice, update the trustpool bundle before importing a new certificate from a CA.

Check the Certificate on the PnP Server

This section explains how to check the certificate on the PnP agent of Cisco IOS and Cisco IOS XE devices during a zero-touch deployment.

The certificate provided by the PnP server must contain a valid Subject Alternative Name (SAN) field to verify the server identity.

The check is applied to the server's DNS name or the IP address that is used in the PnP profile settings:

pnp profile SOME_NAME
transport https ipv4 IP_ADDRESS port 443

pnp profile SOME_NAME
transport https host DNS_NAME port 443

The enforcement is applied by comparing the SAN field of the certificate to the value used in the PnP profile that is configured on the device.

The following table summarizes the enforcement applied:


PnP Profile Configuration	Certificate Enforcement
DHCP Option-43 or Option-17 discovery of the PnP server using an explicit IPv4 or IPv6 address	The SAN field of the server certificate must contain the explicit IPv4 or IPv6 address used in Option-43 or Option-17.
DHCP Option-43 or Option-17 discovery of the PnP server using a DNS name	The SAN field of the server certificate must contain the specific DNS name.
DNS discovery of the PnP server	The SAN field of the server certificate must contain pnpserver.`<local-domain>`.
Cisco.com discovery of the PnP Server	One of the following conditions is applicable: The SAN field of the server certificate must contain the explicit IP address if an IP address is used in the cloud redirection profile configuration. The SAN field of the server certificate must contain the specific DNS name if a DNS name is used in the cloud redirection profile configuration.
Day-2 (manual configuration) PnP profile creation	The SAN field of the server certificate must contain either the IP address or the DNS name that is used in the PnP profile configuration.

We recommend that you use a discovery method based on the DNS name because the functionality is not affected by changes to the IP address.

Procedure

Step 1	Use the PnP server logs to diagnose the problem. Check whether the HTTPS connection is established with the device after the trustpoint is installed on the device. The PnP server logs show that the device moves from the CERTIFICATE_INSTALL_REQUESTED stage to the FILESYSTEM_INFO_REQUESTED stage, but no further progress is made. For example: `2018-11-28 12:05:40,711 \| INFO \| qtp226594800-88458 \| \| com.cisco.enc.pnp.state.ZtdState \| Device state has changed from CERTIFICATE_INSTALL_REQUESTED to FILESYSTEM_INFO_REQUESTED \| sn=SOME_SN, address=SOME_IP` Thereafter, PnP provisioning fails with an error that is similar to the following: `2018-11-28 12:25:56,289 \| ERROR \| eHealthCheckFirstBucket-2 \| \| c.c.e.z.impl.ZtdHistoryServiceImpl \| Failed health check since device is stuck in non-terminal state FILESYSTEM_INFO_REQUESTED for more than threshold time: 0 hours, 16 minutes, 0 seconds \| sn=SOME_SN`
Step 2	For device-side debugging, use the following recommended outputs to determine whether the issue is related to the server ID check: `debug crypto pki val debug crypto pki api debug crypto pki call debug crypto pki tr debug ssl openssl error debug ssl openssl msg debug ssl openssl state debug ssl openssl ext show crypto pki certificate show running show pnp tech`
Step 3	Enable debugging before you initiate a PnP discovery.
Step 4	Check the server certificate's SAN field by entering the following command from the CLI of a Linux workstation or a Mac terminal. Be sure to replace `SERVER_IP` with your Cisco DNA Center cluster address. `echo \| openssl s_client -showcerts -servername SERVER_IP -connect SERVER_IP:443 2>/dev/null \| openssl x509 -inform pem -noout -text`
Step 5	In the output, pay close attention to the X509v3 extensions, especially the X509v3 Subject Alternative Name, which is the field that must be matched against the PnP server details. The output is similar to the following: [username@toolkit ~]$ echo \| openssl s_client -showcerts -servername SERVER_IP -connect SERVER_IP:443 2>/dev/null \| openssl x509 -inform pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 18:92:63:49:41:36:99:43:00:57:43:86:06:10:44:57:32:48:65:00 Signature Algorithm: sha256WithRSAEncryption Issuer: CN=e328c7fc-3495-4bc1-81a4-66a31d0507f6, C=US, ST=California, L=SanJose, OU=DNAC, O=Cisco Validity Not Before: Aug 24 05:55:29 2017 GMT Not After : Aug 23 05:55:29 2022 GMT Subject: CN=SERVER_IP, ST=California, C=US, O=Cisco, OU=DNAC Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a2:21:ba:52:b4:9e:50:02:c0:68:2e:b3:43:0a: <snip> 9e:1b:ef:19:96:f9:2b:e3:6a:58:05:b3:c5:b3:d3: 24:ab Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Subject Alternative Name: IP Address:SERVER_IP
Step 6	Depending on the type of certificate you are using, do one of the following: If you are using a signed certificate, generate a new Certificate Signing Request that is signed by the CA, including the appropriate SAN field. See Update the Cisco DNA Center Server Certificate. If you are using a self-signed certificate (not recommended), see Generate a Certificate Request Using Open SSL.

Certificates for Systems that Peer with Cisco DNA Center

When setting up a certificate for an external system that Cisco DNA Center communicates with (such as Cisco ISE, IPAM, vManage, or Stealthwatch Security Analytics), ensure that the HTTP-type CRL distribution point is supported and is placed before LDAP (if multiple distribution points with LDAP are present) for the system's certificates.

If you don't place the CRL distribution point before LDAP, authentication with the external system might fail for LDAP-type CRL entries.

Disable SFTP Compatibility Mode

SSH File Transfer Protocol (SFTP) Compatibility mode allows legacy network devices to connect to Cisco DNA Center using older cipher suites that are not secure. By default, SFTP Compatibility mode is enabled for new Cisco DNA Center deployments.

If your network does not have legacy devices, we recommend that you disable SFTP Compatibility mode during initial cluster configuration.
If your network does have legacy devices, we recommend that you enable SFTP Compatibility mode for a maximum of three days, which should be enough time to complete provisioning tasks.

Complete the procedure that's specific to your Cisco DNA Center version.

Newer Cisco DNA Center Versions

If you are running Cisco DNA Center 2.1.2.0 or later, complete the following procedure to enable or disable SFTP Compatibility mode:

Procedure

Step 1	Click the menu icon () and choose System > Settings > Device Settings > Image Distribution Servers.
Step 2	In the Host column, locate the relevant server and click the corresponding i icon. A message appears, indicating whether SFTP Compatibility mode is currently enabled or disabled on that server.
Step 3	If necessary, click the link provided in the message to enable or disable this mode.

Older Cisco DNA Center Versions

If you are running Cisco DNA Center 1.3.3.0 or earlier, complete the following procedure to enable or disable SFTP Compatibility mode:

Procedure

Step 1	Log in to Cisco DNA Center.
Step 2	From the home page, choose > System Settings > Settings > SFTP.
Step 3	Check the Compatibility mode check box to enable this mode. (Uncheck the check box to disable it.)
Step 4	Click Apply.

Browser-Based Appliance Configuration Wizard

In addition to the appliance configuration wizard that has been available since its first release, Cisco DNA Center also provides a browser-based appliance configuration wizard. See the following topics for a description of how to disable or re-enable this wizard.

Disable the Wizard

A self-signed certificate is provided with your Cisco DNA Center appliance. If your production environment doesn't allow the use of self-signed certificates, we recommend that you shut down the service associated with the browser-based appliance configuration wizard. Complete the following procedure right after using the wizard to configure your appliance.

Note

Only users with root privileges can complete this procedure.

Procedure

Step 1	In an SSH client, log in to your Cisco DNA Center appliance using the IP address that you entered during configuration. When prompted, enter your username and password.
Step 2	(Optional) To view usage information for the commands that you should run in order to disable or re-enable the browser-based appliance configuration wizard, run the maglev-config webinstall command. The following output is displayed: `Usage: maglev-config webinstall [OPTIONS] COMMAND [ARGS]... Enable/Disable Maglev web install feature Options: --help Show this message and exit. Commands: disable Stops and disables Maglev webinstall service... enable Enables Maglev webinstall feature service`
Step 3	Disable the browser-based configuration wizard by running the maglev-config webinstall disable command. After the operation is completed, you will see the following message: `Maglev Web install feature disabled`

Re-enable the Wizard

If the browser-based configuration wizard is currently disabled on an appliance, re-enable it before you complete the following tasks:

Add nodes to a three-node Cisco DNA Center cluster on which you plan to enable high availability (HA).
Remove a node from a three-node cluster that has HA enabled, and replace it with a new node. In this case, ensure that the browser-based configuration wizard is enabled on at least one of the other two cluster nodes.

Note

Only users with root privileges can complete this procedure.

Procedure

Step 1	In an SSH client, log in to your Cisco DNA Center appliance using the IP address that you entered during configuration. When prompted, enter your username and password.
Step 2	Re-enable the wizard by running the maglev-config webinstall enable command. After the operation is completed, you will see the following message: `Maglev Web install feature enabled`

Upgrade Legacy Devices

If you have legacy network devices, you must upgrade them to the latest device software:

To view the software versions that Cisco SD-Access supports, see the Cisco SD-Access Compatibility Matrix.
To view general device support information for Cisco DNA Center, see the Cisco DNA Center Compatibility Matrix.

Some devices, such as Cisco Aironet 1800 Series Access Points Version 8.5, use TLSV1, which is not secure. You must upgrade the device software version to 8.8 to upgrade the TLS version.

Secure Network Data

Cisco DNA Center lets you use the Data Anonymization feature to hide the identity of wired and wireless end clients in the Cisco DNA Assurance dashboard. For details, see "View or Update Collector Configuration Information" in the Cisco DNA Assurance User Guide.

Syslog Management

Cisco DNA Center protects syslogs for user-sensitive data such as username, password, IP address, and so on.

View Audit Logs

Audit logs capture information about the various applications running on Cisco DNA Center. Audit logs also capture information about device public key infrastructure (PKI) notifications. The information in these audit logs can be used to help in troubleshooting issues, if any, involving the applications or the device PKI certificates.

Audit logs also record system events that occurred, when and where they occurred, and which users initiated them. With audit logging, configuration changes to the system get logged in separate log files for auditing.

Procedure

Step 1

Click the menu icon () and choose Activities > Audit Logs.

The Audit Logs window opens, where you can view logs about the current policies in your network. These policies are applied to network devices by the applications installed on Cisco DNA Center.

Step 2

Click the timeline slider to specify the time range of data you want displayed on the window:

In the Time Range area, choose a time range—Last 2 Weeks, Last 7 Days, Last 24 Hours, or Last 3 Hours.
To specify a custom range, click By Date and specify the start and end date and time.
Click Apply.

Step 3

Click the arrow next to an audit log to view the corresponding child audit logs.

Each audit log can be a parent to several child audit logs. By clicking the arrow, you can view a series of additional child audit logs.

Note

An audit log captures data about a task performed by Cisco DNA Center. Child audit logs are subtasks to a task performed by Cisco DNA Center.

Step 4

(Optional) From the list of audit logs in the left pane, click a specific audit log message. In the right pane, click Event ID > Copy Event ID to Clipboard. With the copied ID, you can use the API to retrieve the audit log message based on the event ID.

The audit log displays the Description, User, Interface, and Destination of each policy in the right pane.

Note

The audit log displays northbound operation details such as POST, DELETE, and PUT with payload information, and southbound operation details such as the configuration pushed to a device. For detailed information about the APIs on Cisco DevNet, see Cisco DNA Center Platform Intent APIs.

Step 5

(Optional) Click Filter to filter the log by User ID, Log ID, or Description.

Step 6

Click Subscribe to subscribe to the audit log events.

A list of syslog servers is displayed.

Step 7

Check the syslog server check box that you want to subscribe to and click Save.

Note

Uncheck the syslog server check box to unsubscribe from the audit log events and click Save.

Step 8

In the right pane, use the Search field to search for specific text in the log message.

Step 9

Click the menu icon () and choose Activities > Scheduled Tasks to view the upcoming, in-progress, completed, and failed administrative tasks, such as operating system updates or device replacements.

Step 10

Click the menu icon () and choose Activities > Work Items tab to view the in-progress, completed, and failed work items.

Export Audit Logs to Syslog Servers

Security Recommendation: We strongly encourage you to export audit logs from Cisco DNA Center to a remote syslog server in your network, for more secure and easier log monitoring.

You can export the audit logs from Cisco DNA Center to multiple syslog servers by subscribing to them.

Before you begin

You must configure the syslog servers in the System > Settings > External Services > Destinations > Syslog area.

Procedure

Step 1	Click the menu icon () and choose Activities > Audit Logs.
Step 2	Click Subscribe.
Step 3	Select the syslog servers that you want to subscribe to and click Save.
Step 4	(Optional) To unsubscribe, deselect the syslog servers and click Save.

View Audit Logs in Syslog Server Using APIs

With the Cisco DNA Center platform, you can use APIs to view audit logs in syslog servers. Using the Create Syslog Event Subscription API from the Developer Toolkit, you must create a syslog subscription for audit log events.

Whenever an audit log event occurs, the syslog server lists the audit log events.

View Security Advisories Report

Cisco DNA Center provides the functionality to create a Security Advisory report that scans your Cisco network devices for relevant security advisories, and contains information about publicly reported vulnerabilities.

Security Recommendation: We strongly encourage you to periodically review and run this report to understand the impact of published Cisco security advisories that may affect your network, and take appropriate actions, if necessary.

The Security Advisories report displays device data and related advisory data such as—Device Name, IP Address, Device Type, Serial Number, Image Version, Site, Advisory ID, CVSS Score, and Impact.

Note

Each row in the report is a unique match of device and advisory because there can be a one-to-many relationship between devices and advisories.
Devices that were not scanned are included in the report and labeled as not scanned.
Devices that were scanned and have no advisories are labeled as no advisories found.

For detailed information and instructions on how to run the security advisories report, see the section "Run a Security Advisories Report" in the Cisco DNA Center Platform User Guide.

Cisco DNA Center Security Best Practices Guide

Available Languages

Download Options

Bias-Free Language

Security Hardening Overview

Cisco DNA Center Hardening Steps

User Role Considerations

Secure Your Cisco DNA Center Deployment

Communication Ports

Enable Cisco DNA Center Disaster Recovery

Disaster Recovery Ports

Secure Internet Access to Required Internet URLs and Fully Qualified Domain Names

Secure the Management Interface

Rate Limit IP Traffic to an Interface

Before you begin

Procedure

Change the Minimum TLS Version and Enable RC4-SHA (Not Secure)

Before you begin

Procedure

Use of OCSP and CRL for HTTPS Connections by Cisco DNA Center

Procedure

Manage Credentials and Passwords

Change Web UI Users and Linux or Maglev User Password

Procedure

Default Certificates

Certificate and Private Key Support

Certificate Chain Support

Generate a Certificate Request Using Open SSL

Procedure

Update the Cisco DNA Center Server Certificate

Before you begin

Procedure

PKI Certificate Authority

Change the Role of the PKI Certificate from Root to Subordinate

Before you begin

Procedure

Provision a Rollover Subordinate CA Certificate

Before you begin

Procedure

Configure the Device Certificate Lifetime

Procedure

Cisco DNA Center Trustpool Support

Check the Certificate on the PnP Server

Procedure

Certificates for Systems that Peer with Cisco DNA Center

Disable SFTP Compatibility Mode

Newer Cisco DNA Center Versions

Procedure

Older Cisco DNA Center Versions

Procedure

Browser-Based Appliance Configuration Wizard

Disable the Wizard

Procedure

Re-enable the Wizard

Procedure

Upgrade Legacy Devices

Secure Network Data

Syslog Management

View Audit Logs

Procedure

Export Audit Logs to Syslog Servers

Before you begin

Procedure

View Audit Logs in Syslog Server Using APIs

View Security Advisories Report

Was this Document Helpful?

Contact Cisco

This Document Applies to These Products