Security Hardening Overview

Cisco Digital Network Architecture (Cisco DNA) Center is a highly advanced and capable enterprise controller for the Cisco network platform. As one of the most critical infrastructure components of enterprise networks, Cisco DNA Center must be deployed securely. This guide explains the best practices that must be followed to ensure a secure deployment. To mitigate possible security risks, if any, you must carefully evaluate the multilayered security considerations for Cisco DNA Center in your network infrastructure, and take the necessary actions recommended in this guide.


Important

This guide is updated on a regular basis when new security features are introduced in Cisco DNA Center. We recommend that you bookmark this guide and download the latest version from cisco.com.

Note

The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on standards documentation, or language that is used by a referenced third-party product.


Cisco DNA Center Hardening Steps

Cisco DNA Center provides many security features for itself, as well as for the hosts and network devices that it monitors and manages. You must clearly understand and configure the security features correctly. We strongly recommend that you follow these security recommendations:

  • Deploy Cisco DNA Center in a private internal network and behind a firewall that does not expose Cisco DNA Center to an untrusted network, such as the internet.

  • If you have separate management and enterprise networks, connect Cisco DNA Center's management and enterprise interfaces to your management and enterprise networks, respectively. Doing so ensures network isolation between services used to administer and manage Cisco DNA Center and services used to communicate with and manage your network devices.

  • If deploying Cisco DNA Center in a three-node cluster setup, verify that the cluster interfaces are connected in an isolated network.

  • Upgrade Cisco DNA Center with critical upgrades, including security patches, as soon as possible after a patch announcement. For more information, see the Cisco DNA Center Upgrade Guide.

  • Restrict the remote URLs accessed by Cisco DNA Center using an HTTPS proxy server. Cisco DNA Center is configured to access the internet to download software updates, licenses, and device software, as well as provide up-to-date map information, user feedback, and so on. Providing internet connections for these purposes is a mandatory requirement. However, provide connections securely through an HTTPS proxy server. For more information, see Secure Internet Access to Required Internet URLs and Fully Qualified Domain Names.

  • Restrict the ingress and egress management and enterprise network connections to and from Cisco DNA Center using a firewall, by only allowing known IP addresses and ranges and blocking network connections to unused ports. For more information, see Communication Ports.

  • Replace the self-signed server certificate from Cisco DNA Center with the certificate signed by your internal certificate authority (CA).

  • If possible in your network environment, disable SFTP Compatibility Mode. This mode allows legacy network devices to connect to Cisco DNA Center using older cipher suites. For more information, see Disable SFTP Compatibility Mode.

  • Disable the browser-based appliance configuration wizard, which comes with a self-signed certificate. For more information, see Browser-Based Appliance Configuration Wizard.

  • Upgrade the minimum TLS version. Cisco DNA Center comes with TLSv1.1 and TLSv1.2 enabled by default, and we recommend that you set the minimum TLS version to 1.2 if possible in your network environment. For more information, see Change the Minimum TLS Version and Enable RC4-SHA (Not Secure).

User Role Considerations

Users are assigned roles that control access to the functions that they are permitted to perform.

Cisco DNA Center supports the following user roles. For more information, see "About User Roles" and "Create Local Users" in the Cisco DNA Center Administrator Guide.

  • Administrator (SUPER-ADMIN-ROLE): Users with this role have full access to all Cisco DNA Center functions. They can create other user profiles with various roles, including those with the SUPER-ADMIN-ROLE. Restrict the number of users with this role.

  • Network Administrator (NETWORK-ADMIN-ROLE): Users with this role have full access to all of the network-related Cisco DNA Center functions. However, they do not have access to system-related functions, such as backup and restore.

  • Observer (OBSERVER-ROLE): Users with this role have view-only access to Cisco DNA Center functions. Users with an observer role cannot access any functions that configure or control Cisco DNA Center or the devices it manages.

In addition to the above pre-configured user roles, Cisco DNA Center also supports creating user roles with a custom fine-grained access policy, which allows creating custom roles to permit or restrict user access to certain Cisco DNA Center functions. For more information, see "Configure Role Based Access Control" in the Cisco DNA Center Administrator Guide.


Note

We strongly recommend that you restrict the number of users with the Administrator role because administrators have control over the configuration of critical functions.

Cisco DNA Center can use Cisco Identity Services Engine (ISE) or other authentication, authorization, and accounting (AAA) servers for user authentication. For more information, see "Configure Authentication and Policy Servers" in the Cisco DNA Center Administrator Guide.

Secure Your Cisco DNA Center Deployment

Cisco DNA Center provides many security features for itself, as well as for the hosts and network devices that it monitors and manages. We strongly recommend that you place Cisco DNA Center and Cisco ISE behind a firewall in either a local data center (head of campus) or remote data center as shown here.

To access Cisco DNA Center through the web GUI and to enable Cisco DNA Center to interact with network devices, specific ports must be configured on the firewall. Cisco DNA Center integrates with cloud services that are distributed across the globe to meet practical latency requirements.

Communication Ports

Security Recommendations:

  • Deploy a firewall between Cisco DNA Center and the management or enterprise network for a defense-in-depth approach to securing the Cisco DNA Center deployment.

  • Open the ports only to specific IP addresses or ranges.

The following table lists the ports that Cisco DNA Center uses, the names of the services communicating over these ports, and the product’s purpose in using them. The Recommended Action column indicates whether you can restrict network traffic to known IP addresses or ranges, or block network connections to or from a Cisco DNA Center port or service without affecting the functionality of Cisco DNA Center, or whether you must leave the port open.

Some destination ports in Cisco DNA Center are duplicated. The subsections call out the usage and related network service. You can limit the source or destination IP addresses or ranges in the firewall rules or choose not to open the port entirely if the service is not used in your Cisco DNA Center deployment.

Administering/Configuring Cisco DNA Center

TCP 443
  Service Name: UI, REST, HTTPS
  Purpose: Web UI, REST, HTTPS management port.
  Recommended Action: Port must be open.

TCP 2222
  Service Name: Cisco DNA Center shell
  Purpose: Connect to the Cisco DNA Center shell.
  Recommended Action: Port must be open. Restrict the source to known IP addresses.

TCP 9004
  Service Name: Web UI installation
  Purpose: Serves the web UI-based installation page (only needed if you choose to install Cisco DNA Center via the web-based option).
  Recommended Action: Port must be open until installation of the node is complete.

TCP 9005
  Service Name: Web UI installation API service
  Purpose: Serves the API for the web-based installation (connected by the browser client from port 9004; no external agent requires access).
  Recommended Action: Port must be open until the cluster formation is complete.

Cisco DNA Center Outbound to Device/Other Systems

ICMP
  Purpose: Cisco DNA Center uses ICMP messages to discover network devices and troubleshoot network connectivity issues.
  Recommended Action: Enable ICMP.

TCP 22
  Service Name: SSH
  Purpose: Cisco DNA Center uses SSH to connect to network devices so that it can:
    • Read the device configuration for discovery.
    • Make configuration changes.
  Cisco DNA Center also uses SSH to connect to and complete initial integration with Cisco Identity Services Engine.
  Recommended Action: SSH must be open between Cisco DNA Center and:
    • The managed network
    • Cisco Identity Services Engine

TCP 23
  Service Name: Telnet
  Purpose: We strongly discourage the use of Telnet. Although Telnet is discouraged, Cisco DNA Center can use Telnet to connect to devices in order to read the device configuration for discovery and make configuration changes.
  Recommended Action: Telnet can be used for device management, but we do not recommend it because Telnet does not offer security mechanisms like SSH does.

TCP 49
  Service Name: TACACS+
  Purpose: Only needed if you are using external authentication, such as Cisco Identity Services Engine, with a TACACS+ server.
  Recommended Action: Port must be open only if you are using external authentication with a TACACS+ server.

UDP 53
  Service Name: DNS
  Purpose: Cisco DNA Center uses DNS to resolve hostnames.
  Recommended Action: Port must be open for DNS hostname resolution.

UDP 123
  Service Name: NTP
  Purpose: Cisco DNA Center uses NTP to synchronize the time from the source that you specify.
  Recommended Action: Port must be open for time synchronization.

UDP 161
  Service Name: SNMP
  Purpose: Cisco DNA Center uses SNMP to discover network devices; to read device inventory details, including device type; and for telemetry data purposes, including CPU and RAM.
  Recommended Action: Port must be open for network device management and discovery.

TCP 443
  Service Name: HTTPS
  Purpose: Used for cloud-tethered upgrades.
  Recommended Action: Port must be open for cloud tethering, telemetry, and software upgrades.

TCP 830
  Service Name: NETCONF
  Purpose: Cisco DNA Center can use NETCONF for device inventory, discovery, and configuration.
  Recommended Action: Port must be open for network device management and discovery of devices that support NETCONF.

UDP 1645 or 1812
  Service Name: RADIUS
  Purpose: Only needed if you are using external authentication with a RADIUS server.
  Recommended Action: Port must be open only if an external RADIUS server is used to authenticate user login to Cisco DNA Center.

TCP 5222, 8910
  Service Name: Cisco ISE
  Purpose: Cisco ISE XMPP for pxGrid.
  Recommended Action: Port must be open for Cisco ISE.

TCP 9060
  Service Name: Cisco ISE
  Purpose: Cisco ISE ERS API traffic.
  Recommended Action: Port must be open for Cisco ISE.

Device to Cisco DNA Center

ICMP
  Purpose: Devices use ICMP messages to communicate network connectivity issues.
  Recommended Action: Enable ICMP.

TCP 22, 80, 443
  Service Name: HTTPS, SFTP, HTTP
  Purpose: Software image download from Cisco DNA Center through HTTPS:443, SFTP:22, HTTP:80. Certificate download from Cisco DNA Center through HTTPS:443, HTTP:80 (Cisco 9800 Wireless Controller, PnP), Sensor/Telemetry.
  Note: Block port 80 if you do not use Plug and Play (PnP), Software Image Management (SWIM), Embedded Event Management (EEM), device enrollment, or Cisco 9800 Wireless Controller.
  Recommended Action: Ensure that firewall rules limit the source IP of hosts or network devices allowed to access Cisco DNA Center on these ports.
  Note: We do not recommend the use of HTTP 80. Use HTTPS 443 wherever possible.

UDP 123
  Service Name: NTP
  Purpose: Devices use NTP for time synchronization.
  Recommended Action: Port must be open to allow devices to synchronize the time.

UDP 162
  Service Name: SNMP
  Purpose: Cisco DNA Center receives SNMP network telemetry from devices.
  Recommended Action: Port must be open for data analytics based on SNMP.

UDP 514
  Service Name: Syslog
  Purpose: Cisco DNA Center receives syslog messages from devices.
  Recommended Action: Port must be open for data analytics based on syslog.

UDP 6007
  Service Name: NetFlow
  Purpose: Cisco DNA Center receives NetFlow network telemetry from devices.
  Recommended Action: Port must be open for data analytics based on NetFlow.

TCP 9991
  Service Name: Wide Area Bonjour Service
  Purpose: Cisco DNA Center receives multicast Domain Name System (mDNS) traffic from the Service Discovery Gateway (SDG) agents using the Bonjour Control Protocol.
  Recommended Action: Port must be open on Cisco DNA Center if the Bonjour application is installed.

UDP 21730
  Service Name: Application Visibility Service
  Purpose: Application Visibility Service CBAR device communication.
  Recommended Action: Port must be open when CBAR is enabled on a network device.

TCP 25103
  Service Name: Cisco 9800 Wireless Controller and Cisco Catalyst 9000 switches with streaming telemetry enabled
  Purpose: Used for telemetry.
  Recommended Action: Port must be open for telemetry connections between Cisco DNA Center and Catalyst 9000 devices.

TCP 32626
  Service Name: Intelligent Capture (gRPC) collector
  Purpose: Used for receiving traffic statistics and packet capture data used by the Cisco DNA Assurance Intelligent Capture (gRPC) feature.
  Recommended Action: Port must be open if you are using the Cisco DNA Assurance Intelligent Capture (gRPC) feature.

Administering/Configuring Cisco DNA Center Witness (for Disaster Recovery)

TCP 2222
  Service Name: Cisco DNA Center Witness shell (Disaster Recovery)
  Purpose: Connect to the Cisco DNA Center Witness shell.
  Recommended Action: Port must be open if you are using the Cisco DNA Center Disaster Recovery application and have Cisco DNA Center Witness deployed. Restrict the source to known IP addresses.

Cisco DNA Center Cluster to Cisco DNA Center Cluster (for Disaster Recovery)

TCP/UDP 8300-8301; TCP 8443; TCP 31000, 31001, 31002, 31003, 31004
  Service Name: Disaster Recovery
  Purpose: Cisco DNA Center uses the Disaster Recovery service to replicate cluster state to a passive connected cluster, and to recover from a cluster failure by handing off network management duties to the connected cluster.
  Recommended Action: Port must be open if you are using the Cisco DNA Center Disaster Recovery application.

UDP 500, 4500
  Service Name: Disaster Recovery (for IPsec tunnel)
  Purpose: Cisco DNA Center's Disaster Recovery service uses IPsec tunnels to transfer data between the active cluster, the passive cluster, and the Witness system.
  Recommended Action: Port must be open if you are using the Cisco DNA Center Disaster Recovery application.

Cisco DNA Center Witness to Cisco DNA Center Cluster (for Disaster Recovery)

TCP/UDP 8300-8301; TCP 8443; TCP 443
  Service Name: Disaster Recovery
  Purpose: Cisco DNA Center uses the Disaster Recovery service to replicate cluster state to a passive connected cluster, and to recover from a cluster failure by handing off network management duties to the connected cluster.
  Recommended Action: Port must be open if you are using the Cisco DNA Center Disaster Recovery application.

UDP 500, 4500
  Service Name: Disaster Recovery (for IPsec tunnel)
  Purpose: Cisco DNA Center's Disaster Recovery service uses IPsec tunnels to transfer data between the active cluster, the passive cluster, and the Witness system.
  Recommended Action: Port must be open if you are using the Cisco DNA Center Disaster Recovery application.
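Turning the Recommended Action column into an enforceable inbound policy, as an added example that is not part of the Cisco guide: the port rows are taken from the table above, while the feature flags, the admin/device audience split, the nftables output format and the sample CIDR ranges in `main()` are assumptions to adapt to your deployment.

```python
"""Inbound allowlist for a Cisco DNA Center node, derived from the
"Administering/Configuring" and "Device to Cisco DNA Center" rows of the
port table. Added example, not Cisco's code: feature flags, audience split
and nftables rendering are assumptions; the CIDRs in main() are constructed."""
from ipaddress import ip_network

# Feature flags that justify opening an optional port (Recommended Action column).
OPTIONAL_FEATURES = {"pnp", "swim", "eem", "enrollment", "wlc9800",
                     "installing", "bonjour", "cbar", "telemetry", "icap"}

# (proto, port, service, audience, features that require the port)
# audience "admin": administrative hosts only; "device": managed network devices.
PORT_TABLE = [
    ("icmp", None,  "ICMP connectivity",                "device", ()),
    ("tcp",  443,   "Web UI / REST / HTTPS management", "admin",  ()),
    ("tcp",  2222,  "Cisco DNA Center shell",           "admin",  ()),
    ("tcp",  9004,  "Web UI installation page",         "admin",  ("installing",)),
    ("tcp",  9005,  "Web UI installation API",          "admin",  ("installing",)),
    ("tcp",  443,   "HTTPS image/certificate download", "device", ()),
    ("tcp",  22,    "SFTP image download",              "device", ()),
    # Port 80 stays closed unless a feature that still needs plain HTTP is in use.
    ("tcp",  80,    "HTTP image/certificate download",  "device",
                    ("pnp", "swim", "eem", "enrollment", "wlc9800")),
    ("udp",  123,   "NTP",                              "device", ()),
    ("udp",  162,   "SNMP telemetry",                   "device", ()),
    ("udp",  514,   "Syslog",                           "device", ()),
    ("udp",  6007,  "NetFlow",                          "device", ()),
    ("tcp",  9991,  "Wide Area Bonjour",                "device", ("bonjour",)),
    ("udp",  21730, "Application Visibility (CBAR)",    "device", ("cbar",)),
    ("tcp",  25103, "Streaming telemetry",              "device", ("telemetry",)),
    ("tcp",  32626, "Intelligent Capture (gRPC)",       "device", ("icap",)),
]


def build_allowlist(admin_nets, device_nets, enabled_features):
    """Split the table into ports to open (with permitted sources) and
    ports to keep closed because the service is not used in this deployment."""
    unknown = set(enabled_features) - OPTIONAL_FEATURES
    if unknown:
        raise ValueError(f"unknown feature flag(s): {sorted(unknown)}")
    # ip_network() rejects malformed ranges before they reach the firewall.
    sources = {"admin": tuple(str(ip_network(n)) for n in admin_nets),
               "device": tuple(str(ip_network(n)) for n in device_nets)}
    allowed, closed = [], []
    for proto, port, service, audience, needed_if in PORT_TABLE:
        if needed_if and not set(needed_if) & set(enabled_features):
            closed.append((proto, port, service))
            continue
        allowed.append((proto, port, service, sources[audience]))
    return allowed, closed


def render_nft(allowed, table="inet dnac_input"):
    """Emit an nftables ruleset: default drop, one explicit accept per row."""
    lines = [f"table {table} {{", "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    iif lo accept", "    ct state established,related accept"]
    for proto, port, service, sources in allowed:
        src = ", ".join(sources)
        match = "ip protocol icmp" if proto == "icmp" else f"{proto} dport {port}"
        lines.append(f"    ip saddr {{ {src} }} {match} accept  # {service}")
    lines += ['    log prefix "dnac-drop " drop', "  }", "}"]
    return "\n".join(lines)


def main():
    # Constructed sample ranges: admin jump hosts and the managed device network.
    allowed, closed = build_allowlist(["10.10.5.0/24"], ["10.20.0.0/16"],
                                      {"telemetry"})
    print(render_nft(allowed))
    for proto, port, service in closed:
        print(f"# kept closed: {proto} {port} ({service})")


if __name__ == "__main__":
    main()
```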

Enable Cisco DNA Center Disaster Recovery

Cisco DNA Center provides a mechanism to recover from a Cisco DNA Center cluster loss (or a data center loss) and maintain operational continuity. This is achieved through the "Disaster Recovery" application of Cisco DNA Center, which replicates all essential data from a main Cisco DNA Center cluster to a second standby (recovery) Cisco DNA Center cluster.

Security Recommendation: We recommend that you enable Cisco DNA Center's Disaster Recovery service to recover from a Cisco DNA Center cluster loss (or a data center loss) and maintain operational continuity.

The Cisco DNA Center recovery cluster contains all the essential data (Mongodb, Postgresql, credentials and certificates, file service) replicated from the main Cisco DNA Center cluster, and takes over control in case the main Cisco DNA Center cluster is lost. For more information, see "Configure Disaster Recovery" in the Cisco DNA Center Administrator Guide.


Note

Disaster recovery uses IPsec tunneling to secure network traffic between disaster recovery systems (main, recovery, and witness). Authentication to set up the IPsec tunneling between disaster recovery systems is done through certificate-based authentication (OpenSSL certificates).

For the key-exchange phase of the IPsec protocol, IPsec tunneling uses the secure and robust IKEv2 protocol.


Use a separate certificate for Disaster Recovery, distinct from the Cisco DNA Center system certificate used for HTTPS connections. For more information, see "Add Disaster Recovery Certificate" in the Cisco DNA Center Administrator Guide.

Secure Internet Access to Required Internet URLs and Fully Qualified Domain Names

Security Recommendation: We recommend that you allow secure access only to the URLs and Fully Qualified Domain Names required by Cisco DNA Center, through an HTTP(S) proxy.

For more information, see "Required Internet URLs and Fully Qualified Domain Names" and "Provide Secure Access to the Internet" sections in the latest Cisco DNA Center Second-Generation Appliance Installation Guide.

Secure the Management Interface

If you are using Cisco Integrated Management Controller (IMC), the first security action to perform on the Cisco DNA Center appliance is to secure the out-of-band management interface (Cisco IMC) account. Change the default password of the admin account to a stronger value as per the password policy. See "Enable Browser Access to Cisco IMC" in the Cisco DNA Center Appliance Installation Guide and "Configure External Authentication" in the Cisco DNA Center Administrator Guide.


Note

You must secure the password of Maglev CLI users with super admin access. For details, see "Configure the Primary Node" in the Cisco DNA Center Appliance Installation Guide.

Rate Limit IP Traffic to an Interface

Security Recommendation: We recommend that you rate limit the incoming IP traffic to Cisco DNA Center from your network devices.

By default, Cisco DNA Center does not rate limit IP traffic to its interfaces. However, we recommend that you rate limit the incoming IP traffic to a Cisco DNA Center interface, either from a specific source IP address or for all traffic, to protect against DoS/DDoS attacks originating from internal network threats.

Before you begin

You must have maglev SSH access privileges to perform this procedure.

Procedure

Step 1

Using an SSH client, log in to the Cisco DNA Center appliance with the IP address that you specified using the configuration wizard.

The IP address to enter for the SSH client is the IP address that you configured for the network adapter. This IP address connects the appliance to the external network.

Step 2

When prompted, enter your username and password for SSH access.

Step 3

Enter the following command to restrict the incoming traffic from a specific source:

  /opt/maglev/bin/throttle_ip [options]

  Options
    -h  show this help text
    -i  IP to rate limit (default: 0.0.0.0 i.e. ALL traffic)
    -c  Committed Information Rate in KBps (default: 100 KBps)
    -n  Interface number (Mandatory parameter)
    -d  delete the last config and move the NIC to default configuration
    -a  Insert the new IP (to be throttled) in the already built filter list
    -s  show the current filter

Note

If you don't enter a specific IP address, the full interface is throttled. The mandatory interface name limits the input transmission rate for all classes of traffic based on user-defined criteria.

Examples

  # To create a new filter list
  ./throttle_ip -i 192.0.2.105 -n enp0s8 -c 256

  # To add a new IP with a different bandwidth
  ./throttle_ip -a 192.0.2.106 -n enp0s8 -c 512

  # To delete all the IPs from the list
  ./throttle_ip -d -n enp0s8

  # To show the filters
  ./throttle_ip -s -n enp0s8
Step 4

Log out of the Cisco DNA Center appliance.


Change the Minimum TLS Version and Enable RC4-SHA (Not Secure)

Security Recommendation: We recommend that you upgrade the minimum TLS version to TLSv1.2 for incoming TLS connections to Cisco DNA Center.

Connections from the external network, such as northbound REST API-based applications, browsers, and network devices connecting to Cisco DNA Center over HTTPS, are secured using the Transport Layer Security (TLS) protocol.

By default, Cisco DNA Center supports TLSv1.1 and TLSv1.2, and does not support RC4 ciphers for SSL/TLS connections. Because RC4 ciphers have well-known weaknesses, we recommend that you upgrade the minimum TLS version to TLSv1.2 if your network devices support it.

Cisco DNA Center provides a configuration option to downgrade the minimum TLS version and enable RC4-SHA, if your network devices under Cisco DNA Center control cannot support the existing minimum TLS version (TLSv1.1) or ciphers. For security reasons, however, we do not recommend that you downgrade Cisco DNA Center TLS version or enable RC4-SHA ciphers.

If you need to change the TLS version or enable RC4-SHA for Cisco DNA Center, you do so by logging in to the appliance and using the CLI.


Note

CLI commands can change from one release to the next. The following CLI example uses command syntax that might not apply to all Cisco DNA Center releases.

Before you begin

You must have maglev SSH access privileges to perform this procedure.


Important

This security feature applies to port 443 on Cisco DNA Center. Performing this procedure may disable traffic on the port to the Cisco DNA Center infrastructure for a few seconds. For this reason, you should configure TLS infrequently and only during off-peak hours or during a maintenance period.

Procedure


Step 1

Using an SSH client, log in to the Cisco DNA Center appliance with the IP address that you specified using the configuration wizard.

The IP address to enter for the SSH client is the IP address that you configured for the network adapter. This IP address connects the appliance to the external network.

Step 2

When prompted, enter your username and password for SSH access.

Step 3

Enter the following command to check the TLS version currently enabled on the cluster.

Example
Input
$ magctl service tls_version --tls-min-version show
Output
TLS minimum version is 1.1
Step 4

If you want to change the TLS version on the cluster, enter the following commands. For example, you might want to change the current TLS version to a lower version if your network devices under Cisco DNA Center control cannot support the existing TLS version.

Example: Change from TLS version 1.1 to 1.0
Input
$ magctl service tls_version --tls-min-version 1.0
Output
Enabling TLSv1.0 is recommended only for legacy devices
Do you want to continue? [y/N]: y
WARNING: Enabling TLSv1.0 for api-gateway
deployment.extensions/kong patched
Example: Change from TLS version 1.1 to 1.2 (only allowed if you haven't enabled RC4-SHA)
Input
$ magctl service tls_version --tls-min-version 1.2
Output
Enabling TLSv1.2 will disable TLSv1.1 and below
Do you want to continue? [y/N]: y
WARNING: Enabling TLSv1.2 for api-gateway
deployment.extensions/kong patched
Note 
Setting TLS version 1.2 as the minimum version is not supported when RC4-SHA ciphers are enabled.
Step 5

Enter the following command to enable RC4-SHA on the cluster (not secure; proceed only if needed).

Enabling RC4-SHA ciphers is not supported when TLS version 1.2 is the minimum version.

Example: TLS version 1.2 is not enabled
Input
$ magctl service ciphers --ciphers-rc4=enable kong
Output
Enabling RC4-SHA cipher will have security risk
Do you want to continue? [y/N]: y
WARNING: Enabling RC4-SHA Cipher for kong
deployment.extensions/kong patched
Step 6

Enter the following command at the prompt to confirm that TLS and RC4-SHA are configured.

Example
Input
$ magctl service display kong 
Output
      containers:
      - env:
        - name: TLS_V1
          value: "1.1"
        - name: RC4_CIPHERS
          value: "true"

If the RC4 and minimum TLS version settings have been changed, they appear in the env: section of the magctl service display kong output. If these values are not set, they do not appear in the env: section.

Step 7

If you want to disable the RC4-SHA ciphers that you enabled previously, enter the following command on the cluster.

Input
$ magctl service ciphers --ciphers-rc4=disable kong
Output
WARNING: Disabling RC4-SHA Cipher for kong
deployment.extensions/kong patched
Step 8

Log out of the Cisco DNA Center appliance.


Cisco DNA Center’s Use of OCSP and CRL for HTTPS Connections

Cisco DNA Center uses Online Certificate Status Protocol (OCSP)/Certificate Revocation List (CRL) to confirm that the remote certificate is not revoked.

The process is as follows:

Procedure


Step 1

Cisco DNA Center checks for OCSP. If a valid OCSP URI/URL is present in the Authority Information Access (AIA) field of the certificate, Cisco DNA Center sends an OCSP request to the URI/URL to validate its revocation status.

  • If the certificate is revoked, Cisco DNA Center terminates the connection and returns an error.

  • If the certificate is not revoked, proceed with the connection.

  • If the connection times out (for example, in an air-gapped network), continue to the next step.

  • If the connection reaches an unauthentic OCSP/CRL responder, Cisco DNA Center terminates the connection and returns an error. If a MiTM web proxy such as Cisco WSA is used for internet-bound traffic, ensure that it is configured to permit the OCSP and CRL URLs from Cisco DNA Center.

Step 2

Cisco DNA Center checks for CRL. If the certificate includes the CRL Distribution Points field and that field has at least one entry with a valid CRL URI/URL, Cisco DNA Center downloads the CRL from the URI/URL and validates the certificate against the downloaded CRL.

  • If the certificate is revoked, Cisco DNA Center terminates the connection and returns an error.

  • If the certificate is not revoked, proceed with the connection.

  • If the connection times out (for example, in an air-gapped network), proceed with the connection, because this is the final check and there is no way to determine that the certificate is revoked.

  • If the connection reaches an unauthentic OCSP/CRL responder, Cisco DNA Center terminates the connection and returns an error. If a MiTM web proxy such as Cisco WSA is used for internet-bound traffic, ensure that it is configured to permit the OCSP and CRL URLs from Cisco DNA Center.

Note 

Cisco DNA Center supports HTTP-type CRL or OCSP and does not support the use of Lightweight Directory Access Protocol (LDAP) CRL.

For example, while requesting a certificate for the remote system with Microsoft Certification Authority (MS CA), you can configure the CDP and AIA extensions to add the OCSP/HTTP URL and remove the LDAP CRL. For details, see Configure the CDP and AIA Extensions on CA1.
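The two-step decision procedure above, modelled as an added example (not Cisco's code): the `Cert` record, the outcome labels and the `fetch` callable that stands in for the OCSP/CRL network lookups are assumptions, and the URLs in `main()` are constructed. It also shows why an LDAP-only CRL Distribution Point gives no revocation signal at all.

```python
"""Revocation-check order from the guide: OCSP via the AIA extension first,
then the CRL via CRL Distribution Points, with the revoked / timeout /
unauthentic-responder outcomes handled as stated in Steps 1 and 2.
Added example, not Cisco's code: Cert, the outcome labels and the fetch()
stand-in for the network are assumptions; main() uses constructed URLs."""
from dataclasses import dataclass, field

# Outcomes a responder lookup can produce, one per case in the guide's steps.
GOOD, REVOKED, TIMEOUT, UNAUTHENTIC = "good", "revoked", "timeout", "unauthentic"


@dataclass
class Cert:
    subject: str
    ocsp_urls: list = field(default_factory=list)  # AIA: OCSP access locations
    crl_urls: list = field(default_factory=list)   # CRL Distribution Points


class RevocationError(Exception):
    """Raised where the guide says the connection is terminated with an error."""


def first_http_url(urls):
    # Only HTTP-type OCSP/CRL sources are consulted; LDAP CRL entries are skipped.
    return next((u for u in urls
                 if u.lower().startswith(("http://", "https://"))), None)


def check_revocation(cert, fetch):
    """Return the trace of lookups, ending in ("decision", None, "proceed"),
    or raise RevocationError where the connection must be terminated."""
    trace = []

    def consult(kind, url):
        result = fetch(url)
        if result not in (GOOD, REVOKED, TIMEOUT, UNAUTHENTIC):
            raise ValueError(f"unexpected responder outcome: {result!r}")
        trace.append((kind, url, result))
        if result == REVOKED:
            raise RevocationError(f"{cert.subject}: revoked per {kind} at {url}")
        if result == UNAUTHENTIC:
            # e.g. an intercepting proxy answered instead of the real responder
            raise RevocationError(f"{cert.subject}: unauthentic {kind} responder {url}")
        return result  # GOOD or TIMEOUT

    # Step 1: OCSP. GOOD ends the check; a TIMEOUT is inconclusive and falls
    # through to the CRL (air-gapped networks typically land here).
    ocsp = first_http_url(cert.ocsp_urls)
    if ocsp and consult("ocsp", ocsp) == GOOD:
        trace.append(("decision", None, "proceed"))
        return trace
    # Step 2: CRL. This is the final check, so a TIMEOUT means proceed: there
    # is no remaining way to learn that the certificate is revoked.
    crl = first_http_url(cert.crl_urls)
    if crl:
        consult("crl", crl)
    elif ocsp is None:
        # Assumption: with no HTTP OCSP/CRL source there is nothing to check.
        trace.append(("note", None, "no http revocation source"))
    trace.append(("decision", None, "proceed"))
    return trace


def scripted_responders(outcomes):
    """Build a fetch() from {url: outcome}; unknown URLs behave as timeouts."""
    return lambda url: outcomes.get(url, TIMEOUT)


def main():
    # Constructed scenario: air-gapped deployment where both lookups time out,
    # and the CDP also carries an LDAP entry that is not supported and skipped.
    cert = Cert("dnac.example.test",
                ocsp_urls=["http://ocsp.ca.example.test"],
                crl_urls=["ldap://ldap.ca.example.test/CN=CA1?certificateRevocationList",
                          "http://crl.ca.example.test/CA1.crl"])
    for step in check_revocation(cert, scripted_responders({})):
        print(step)


if __name__ == "__main__":
    main()
```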


Manage Credentials and Passwords

Cluster Password

Cisco DNA Center supports cluster formation with three nodes. For efficiency and security, we recommend the following:

  • The cluster should be created with dedicated, separate interfaces for connecting to the enterprise network, forming an intracluster network, and connecting to a dedicated management network.

  • The intracluster network is created as an isolated Layer 2 segment and not connected or routed through any other network segments.

  • You should not reuse passwords (Cisco IMC or SSH) across the Cisco DNA Center cluster members.

SSH/Maglev Password Recovery

You must secure the SSH password. Share the SSH password only with the super admin. Cisco DNA Center does not provide the functionality to recover the SSH password.

SSH Account Lockout and Recovery

After six consecutive failed login attempts over SSH, the maglev account is temporarily locked for five minutes from the time of the last failed attempt. During this lockout period, login attempts with the correct password also fail and are counted as failed logins. The account is unlocked for SSH login only after five minutes of no login activity. However, login using the Cisco IMC console continues to work during the lockout period. The administrator can re-enable SSH login during the lockout period by executing the following command in the Linux shell:

sudo pam_tally2 --reset

Web UI Password Recovery

If a web UI user's password is lost, the password can be reset using the command-line shell, which requires SSH or console access. See "Reset a Forgotten Password" in the Cisco DNA Center Administrator Guide.

Password Encryption

By default, Cisco DNA Center's pluggable authentication module (PAM) uses the SHA-512 hashing algorithm to store and hash local user account passwords (the strongest method available for UNIX-based systems). No user-configurable action is available for Cisco DNA Center’s password encryption mechanism.

Logs and Database Management

The system logs are available to the operating system administrator user with escalated privileges (sudo access). The application logs are stored in Elasticsearch, and can be accessed through the web UI after authentication. The databases are protected by credentials, which are randomly generated during installation, and securely passed to the applications that need database access. No user-configurable action is available to change these settings.

Communication Protocol Payload Encryption

In clustered mode, Cisco DNA Center nodes communicate with each other through the intracluster network. No separate encryption is applied to the intracluster traffic. It is important to keep the intracluster network isolated.


Note

Services that exchange sensitive data among themselves use HTTPS.


Change Web UI Users and Linux/Maglev User Password

Security Recommendation: We recommend that you regularly change the Cisco DNA Center web UI user passwords and the Maglev user password.

Procedure


Step 1

To change the Linux/Maglev user password, do the following:

  1. Using an SSH client, log in to the Cisco DNA Center appliance with the IP address that you specified using the configuration wizard. The IP address to enter for the SSH client is the IP address that you configured for the network adapter.

  2. When prompted, enter your username and password for SSH access.

  3. Enter the following command:

    Input
    $ sudo maglev-config update

    The Maglev Configuration wizard's welcome screen opens.

  4. Click next>> until you see the User Account Settings wizard screen.

  5. Enter the maglev user's Linux password.

  6. Click next>> until you see the CONFIGURATION SUCCEEDED! message.

    Note 

    For more information, see the "Configure the Appliance Using the Maglev Wizard" chapter in the Cisco DNA Center Second-Generation Appliance Installation Guide.

Step 2

For changing the Web UI user password, do the following:

Note 

Only you can change the password that you enter to log in to Cisco DNA Center. Even a user with administrator privileges cannot change another user's password. If an administrator needs to change another user's password, they need to delete and re-add the user with a new password.

  1. Log in to Cisco DNA Center web UI.

  2. In the Cisco DNA Center GUI, click the Menu icon and choose System > Users & Roles > Change Password.

  3. Enter information in the required fields and click Update.


Manage Certificates

Default Certificates

Security Recommendation: We recommend that you change the default Cisco DNA Center TLS certificate with a certificate signed by your internal certificate authority.

By default, Cisco DNA Center uses self-signed certificates. Cisco DNA Center manages the devices using the devices' self-signed certificates, unless otherwise deployed. We strongly recommend that you use a certificate signed by your internal certificate authority during deployment.


Note

Changing the Cisco DNA Center certificate from self-signed to a certificate signed by your internal CA, or from a root CA to a subordinate CA, disrupts network functionality. We strongly recommend that you upgrade the certificates before you begin the deployment.

Certificate and Private Key Support

Cisco DNA Center supports the PKI Certificate Management feature, which is used to authenticate sessions (HTTPS). These sessions use commonly recognized trusted agents called CAs. Cisco DNA Center uses the PKI Certificate Management feature to import, store, and manage X.509 certificates from your internal CA. The imported certificate becomes an identity certificate for Cisco DNA Center, and Cisco DNA Center presents this certificate to its clients for authentication. The clients are the northbound API applications and network devices.

You can import the following files (in either PEM or PKCS file format) using the Cisco DNA Center GUI:

  • X.509 certificate

  • Private key


Note

For the private key, Cisco DNA Center supports the import of RSA keys. You should not import DSA, DH, ECDH, and ECDSA key types, because they are not supported. You should also keep the private key secure in your own key management system. The private key must have a minimum modulus size of 2048 bits.


Prior to import, you must obtain a valid X.509 certificate and private key issued by your internal CA and the certificate must correspond to a private key in your possession. After import, the security functionality based on the X.509 certificate and private key is automatically activated. Cisco DNA Center presents the certificate to any device or application that requests it. Northbound API applications and network devices can use these credentials to establish a trust relationship with Cisco DNA Center.


Note

We recommend that you do not use and import a self-signed certificate into Cisco DNA Center. We recommend that you import a valid X.509 certificate from your internal CA. Additionally, you must replace the self-signed certificate (installed in Cisco DNA Center by default) with a certificate that is signed by your internal CA for the PnP functionality to work correctly.


Cisco DNA Center supports only one imported X.509 certificate and private key at a time. When you import a second certificate and private key, the latter overwrites the first (existing) imported certificate and private key values.

Certificate Chain Support

Cisco DNA Center is able to import certificates and private keys through its GUI. If subordinate certificates are involved in a certificate chain leading to the certificate that is to be imported into Cisco DNA Center (signed certificate), both the subordinate certificates as well as the root certificate of these subordinate CAs must be appended together into a single file to be imported. When appending these certificates, you must append them in the same order as the actual chain of certification.

The following certificates should be pasted together into a single PEM file. Review the certificate subject name and issuer to ensure that the correct certificates are being imported and correct order is maintained. Ensure that all of the certificates in the chain are pasted together.

  • Signed Cisco DNA Center certificate: Its Subject field includes CN=<FQDN of Cisco DNA Center>, and the issuer has the CN of the issuing authority.


    Note

    If you install a third-party certificate, ensure that the certificate specifies all of the DNS names (including the Cisco DNA Center FQDN) that are used to access Cisco DNA Center in the alt_names section. For more information, see Step 3 in Generate a Certificate Request Using Open SSL.


  • Issuing (subordinate) CA certificate that issues the Cisco DNA Center certificate: Its Subject field has CN of the (subordinate) CA that issues the Cisco DNA Center certificate, and the issuer is that of the root CA.

  • Next issuing (root/subordinate CA) certificate that issues the subordinate CA certificate: Its Subject field is the root CA, and the issuer has the same value as the Subject field. If they are not the same, you must append the next issuer, and so on.

Generate a Certificate Request Using Open SSL

Procedure


Step 1

Use an SSH client to log in to the Cisco DNA Center cluster and create a temporary folder under /home/maglev, for example, by entering the command mkdir tls-cert;cd tls-cert while in the home directory.

Step 2

Before proceeding further, ensure that the Cisco DNA Center hostname (FQDN) is set during Cisco DNA Center configuration by entering the maglev cluster network display command. You must have root privileges to run this command:

Input
$ maglev cluster network display
Output
cluster_network:
	cluster_dns: 169.254.20.10
	cluster_hostname: fqdn.cisco.com

If the output field cluster_hostname is empty or is not what you want, add or change the Cisco DNA Center hostname (FQDN) by entering the sudo maglev-config update command, as illustrated in the following example. You must have root privileges to run this command:

Input
$ sudo maglev-config update
Output
Maglev config wizard GUI

Click next until you see the step titled MAGLEV CLUSTER DETAILS containing the input prompt Cluster's hostname. Set the hostname to the desired Cisco DNA Center FQDN. Click next and proceed until Cisco DNA Center is reconfigured with the new FQDN.

Step 3

Using a text editor of your choice, create a file named openssl.cnf and upload it to the directory that you created in the preceding step. Use the following example as your guide, but adjust it to fit your deployment.

  • Adjust default_bits and default_md if your certificate authority admin team requires 2048/sha256 instead.

  • Specify values for every field in the req_distinguished_name and alt_names sections. The only exception is the OU field, which is optional. Omit the OU field if your certificate authority admin team does not require it.

  • The emailAddress field is optional; omit it if your certificate authority admin team does not require it.

  • alt_names section: The certificate configuration requirements vary depending on the Cisco DNA Center version.

    Full support of FQDNs in the Cisco DNA Center certificate is available from Cisco DNA Center 2.1.1 onwards. For Cisco DNA Center versions earlier than 2.1.1, you need a certificate with IP addresses defined in the Subject Alternative Name (SAN) field. The alt_names section configurations for Cisco DNA Center versions 2.1.1 and later and Cisco DNA Center versions earlier than 2.1.1 are as follows:

    Note 

    For security reasons, we recommend that you only use FQDNs in the Cisco DNA Center certificate (FQDN support is available from Cisco DNA Center 2.1.1 onwards). If you want to use IP addresses instead of FQDNs in the certificate, complete the steps described in the Cisco DNA Center versions earlier than 2.1.1 bullet, ensuring that you enter IP addresses in the SAN fields.

    • Cisco DNA Center versions 2.1.1 and later:

      Pay close attention to the alt_names section, which must contain all DNS names (including the Cisco DNA Center FQDN) that are used to access Cisco DNA Center, either by a web browser or by an automated process such as PnP or Cisco ISE.

      The first DNS entry in the alt_names section should contain Cisco DNA Center's FQDN (DNS.1 = FQDN-of-Cisco-DNA-Center). You cannot add a wildcard DNS entry in place of Cisco DNA Center's FQDN, but you can use a wildcard in subsequent DNS entries in the alt_names section (for PnP and other DNS entries). For example, *.domain.com is a valid entry.

      Important 
      1. For Cisco DNA Center 2.1.1 and later, FQDN support is only available for wireless LAN controllers with version 17.4 or later.

      2. For Cisco DNA Center 2.1.1 and later, if the certificate only contains FQDNs, the DHCP pool on the seed device needs to be edited in order for LAN automation and PnP to work. For guidance, refer to the following information in the Cisco DNA Center User Guide's "Provision Your Network" chapter:

        • LAN Automation: In the "Provision a LAN Underlay" topic, see Step 3b.

        • PnP: At the end of the "DHCP Controller Discovery" topic, see the information that begins with the following text: "If the Cisco DNA Center system certificate has an FQDN-only SAN field...."

    • The alt_names section must contain FQDN-of-Cisco-DNA-Center as a DNS entry, and must match the Cisco DNA Center hostname (FQDN) set during Cisco DNA Center configuration through the config wizard (in the input field "Cluster's hostname").

      Cisco DNA Center currently supports only one hostname (FQDN) for all interfaces. If you are using both the management and enterprise ports on Cisco DNA Center for connecting devices to Cisco DNA Center in your network, you must configure a GeoDNS policy that resolves the Cisco DNA Center hostname (FQDN) to the management IP/virtual IP or the enterprise IP/virtual IP, depending on the network from which the DNS query is received. Setting up a GeoDNS policy is not required if you are using only the enterprise port on Cisco DNA Center for connecting devices to Cisco DNA Center in your network.

      Note 
      If you have enabled disaster recovery for Cisco DNA Center:
      1. If you are using virtual IPs for Disaster Recovery, you must use the same cluster_hostname, that is, the same FQDN for Cisco DNA Center (set in the Cisco DNA Center configuration wizard), in both the main and recovery clusters. Also, you must configure the GeoDNS policy to resolve the Cisco DNA Center hostname (FQDN) to the disaster recovery management virtual IP or the disaster recovery enterprise virtual IP, depending on the network from which the DNS query is received. Setting up a GeoDNS policy is only required if you are using both the management and enterprise ports on Cisco DNA Center for connecting devices to Cisco DNA Center in your network. The certificate alt_names section would look like:
        [alt_names]
        DNS.1 = FQDN-of-Cisco-DNA-Center
      2. If you are not using virtual IPs for Disaster Recovery, you must use different cluster_hostnames, that is, different FQDNs for Cisco DNA Center on the enterprise network (set in the Cisco DNA Center configuration wizard), in the main and recovery clusters. Also, you must configure the GeoDNS policy to resolve the Cisco DNA Center hostname (FQDN) to the disaster recovery management IP or the disaster recovery enterprise IP, depending on the network from which the DNS query is received, for both the main and recovery clusters. Setting up a GeoDNS policy is only required if you are using both the management and enterprise ports on Cisco DNA Center for connecting devices to Cisco DNA Center in your network. The certificate alt_names section would look like:
        [alt_names]
        DNS.1 = FQDN-of-Cisco-DNA-Center-Main
        DNS.2 = FQDN-of-Cisco-DNA-Center-Recovery

      For more information, see "Implement Disaster Recovery Certificate" in the Cisco DNA Center Administrator Guide.

    • Cisco DNA Center versions earlier than 2.1.1:

      Pay close attention to the alt_names section, which must contain all IP addresses and DNS names that are used to access Cisco DNA Center, either by a web browser or by an automated process such as PnP or Cisco ISE. (This example assumes a three-node Cisco DNA Center cluster. If you have a standalone device, use SANs for only that node and the VIP. If you cluster the device later, you might want to recreate the certificate to include the IP addresses of the new cluster members.)

    • If a cloud interface is not configured, omit the cloud port fields.

    • In the extendedKeyUsage extension, the attributes serverAuth and clientAuth are mandatory. If you omit either attribute, Cisco DNA Center rejects the SSL certificate.

    • If you are importing a self-signed certificate (not recommended), it must contain the X.509 Basic Constraints "CA:TRUE" extension.

Example openssl.cnf (Applicable for Cisco DNA Center versions 2.1.1 and later)

req_extensions = v3_req
distinguished_name = req_distinguished_name
default_bits = 4096
default_md = sha512
prompt = no
[req_distinguished_name]
C = <two-letter-country-code>
ST = <state-or-province>
L = <city>
O = <company-name>
OU = MyDivision
CN = FQDN-of-Cisco-DNA-Center
emailAddress = responsible-user@mycompany.tld

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = FQDN-of-Cisco-DNA-Center
DNS.2 = pnpserver.DomainAssignedByDHCPDuringPnP.tld
DNS.3 = *.domain.com

Example openssl.cnf (Applicable for Cisco DNA Center versions earlier than 2.1.1)

req_extensions = v3_req
distinguished_name = req_distinguished_name
default_bits = 4096
default_md = sha512
prompt = no
[req_distinguished_name]
C = <two-letter-country-code>
ST = <state-or-province>
L = <city>
O = <company-name>
OU = MyDivision
CN = FQDN-of-Cisco-DNA-Center
emailAddress = responsible-user@mycompany.tld
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = FQDN-of-Cisco-DNA-Center
DNS.2 = pnpserver.DomainAssignedByDHCPDuringPnP.tld
IP.1 = Enterprise port IP node #1
IP.2 = Enterprise port IP node #2
IP.3 = Enterprise port IP node #3
IP.4 = Enterprise port VIP
IP.5 = Cluster port IP node #1
IP.6 = Cluster port IP node #2
IP.7 = Cluster port IP node #3
IP.8 = Cluster port VIP
IP.9 = GUI port IP node #1
IP.10 = GUI port IP node #2
IP.11 = GUI port IP node #3
IP.12 = GUI port VIP
IP.13 = Cloud port IP node #1
IP.14 = Cloud port IP node #2
IP.15 = Cloud port IP node #3
IP.16 = Cloud port VIP

Note

If you don’t include the cluster IP addresses in the openssl.cnf file, you cannot schedule software image activation. To fix this problem, add the cluster IP addresses as SANs to the certificate.

Step 4

Enter the following command to create a private key. Adjust the key length to 2048 if required by your certificate authority admin team.

openssl genrsa -out csr.key 4096
Step 5

After populating the fields in the openssl.cnf file, use the private key that you created in the preceding step to generate the Certificate Signing Request.

openssl req -config openssl.cnf -new -key csr.key -out DNAC.csr 
Step 6

Verify the Certificate Signing Request content and ensure that the DNS names (and IP addresses for Cisco DNA Center versions earlier than 2.1.1) are populated correctly in the Subject Alternative Name field.

openssl req -text -noout -verify -in DNAC.csr
Step 7

Copy the Certificate Signing Request and paste it to a CA (for example, MS CA).

Ensure that the certificate template you choose is configured for both client and server authentication (as illustrated in the extendedKeyUsage line in Step 3's openssl.cnf file example).

Step 8

Proceed to gather the issued certificate and its issuer CA chain.

Step 9

If the certificate issuer provides the certificate full chain (server and CA) in p7b, do the following:

  1. Download the p7b bundle in DER format and save it as dnac-chain.p7b.

  2. Copy the dnac-chain.p7b certificate to the Cisco DNA Center cluster through SSH.

  3. Enter the following command:

    openssl pkcs7 -in dnac-chain.p7b -inform DER -out dnac-chain.pem -print_certs
Step 10

If the certificate issuer provides the certificate and its issuer CA chain in loose files, do the following:

  1. Gather the PEM (base64) files or use openssl to convert DER to PEM.

  2. Concatenate the certificate and its issuer CA, starting with the certificate, followed by subordinate CA, all the way to the root CA, and output it to dnac-chain.pem file.

    cat certificate.pem subCA.pem rootCA.pem > dnac-chain.pem
Step 11

Copy the file dnac-chain.pem generated in the Cisco DNA Center cluster to your local system.

Step 12

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Certificates.

Step 13

Click Replace Certificate.

Step 14

In the Certificate field, click the PEM radio button and perform the following tasks.

  1. For the Certificate field, import the dnac-chain.pem file by dragging and dropping this file into the Drag n' Drop a File Here field.

  2. For the Private Key field, import the private key (csr.key) by dragging and dropping this file into the Drag n' Drop a File Here field.

  3. Choose No from the Encrypted drop-down list for the private key.

Step 15

Click Upload/Activate.
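Before uploading the bundle and key in Step 14, it is worth checking them against the requirements above. The following script is an added example (not Cisco's code): it confirms that dnac-chain.pem runs from the signed Cisco DNA Center certificate through the subordinate CA(s) to a self-signed root in that order, that the first SAN DNS entry is the Cisco DNA Center FQDN, that extendedKeyUsage carries both serverAuth and clientAuth, and that csr.key is an RSA key of at least 2048 bits matching the certificate; it goes one step beyond the subject/issuer review in the text by also running openssl verify over the chain. It assumes only the openssl command-line tool; the function and file names are illustrative.

```shell
#!/bin/sh
# check_dnac_chain: pre-upload sanity check for a Cisco DNA Center certificate
# bundle (dnac-chain.pem) and its private key (csr.key). Added example, not
# Cisco code; assumes only the openssl CLI is on PATH. File names are illustrative.
# Usage: sh check_dnac_chain.sh dnac-chain.pem csr.key FQDN-of-Cisco-DNA-Center

# Print a certificate's subject or issuer in RFC 2253 form, without the "subject=" prefix.
x509_name() {  # $1 = PEM cert, $2 = subject | issuer
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Print the values of one X.509v3 extension, one entry per line (e.g. "DNS:host").
x509_ext_values() {  # $1 = PEM cert, $2 = heading text as shown by "openssl x509 -text"
    openssl x509 -in "$1" -noout -text |
        awk -v h="$2" 'index($0, h) { getline; print; exit }' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

check_dnac_chain() {
    pem=$1; key=$2; fqdn=$3; rc=0
    tmp=$(mktemp -d) || return 2

    # 1. Split the bundle into one file per certificate, preserving bundle order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }' "$pem"
    set -- "$tmp"/cert*.pem
    [ -f "$1" ] || { echo "FAIL: no certificates found in $pem"; rm -rf "$tmp"; return 1; }
    leaf=$1

    # 2. Order check: each issuer must be the subject of the next certificate,
    #    i.e. signed certificate -> issuing (subordinate) CA -> ... -> self-signed root.
    prev=""
    for cert in "$@"; do
        subj=$(x509_name "$cert" subject)
        if [ -n "$prev" ] && [ "$prev" != "$subj" ]; then
            echo "FAIL: chain break: expected '$prev' next, found '$subj'"; rc=1
        fi
        prev=$(x509_name "$cert" issuer)
        last=$cert
    done
    [ "$(x509_name "$last" subject)" = "$prev" ] ||
        { echo "FAIL: last certificate is not a self-signed root; append its issuer"; rc=1; }

    # 3. The first SAN DNS entry must be the Cisco DNA Center FQDN (no wildcard there).
    first_dns=$(x509_ext_values "$leaf" "Subject Alternative Name" | grep '^DNS:' | head -n 1)
    [ "$first_dns" = "DNS:$fqdn" ] ||
        { echo "FAIL: first SAN DNS entry is '$first_dns', expected 'DNS:$fqdn'"; rc=1; }

    # 4. extendedKeyUsage must carry both serverAuth and clientAuth.
    eku=$(x509_ext_values "$leaf" "Extended Key Usage")
    for want in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        echo "$eku" | grep -Fxq "$want" || { echo "FAIL: extendedKeyUsage lacks '$want'"; rc=1; }
    done

    # 5. Private key: RSA, modulus >= 2048 bits, and it must match the first certificate.
    bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null | grep -oE '[0-9]+ bit' | head -n 1 | cut -d' ' -f1)
    if [ -z "$bits" ]; then
        echo "FAIL: $key is not a readable, unencrypted RSA private key"; rc=1
    elif [ "$bits" -lt 2048 ]; then
        echo "FAIL: RSA modulus is $bits bits; minimum is 2048"; rc=1
    fi
    [ "$(openssl x509 -in "$leaf" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "FAIL: private key does not match the first certificate in the bundle"; rc=1; }

    # 6. Cryptographic check: signatures, validity dates and CA constraints along the chain.
    : > "$tmp/untrusted.pem"
    for cert in "$@"; do
        [ "$cert" = "$leaf" ] || [ "$cert" = "$last" ] || cat "$cert" >> "$tmp/untrusted.pem"
    done
    if [ -s "$tmp/untrusted.pem" ]; then
        openssl verify -CAfile "$last" -untrusted "$tmp/untrusted.pem" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$last" "$leaf" >/dev/null 2>&1
    fi || { echo "FAIL: openssl verify could not build a valid chain from $pem"; rc=1; }

    rm -rf "$tmp"
    [ "$rc" -eq 0 ] && echo "OK: $pem and $key are ready to upload"
    return "$rc"
}

# Run the check when invoked directly with the three arguments.
if [ $# -eq 3 ]; then
    check_dnac_chain "$@"
fi
```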


Update the Cisco DNA Center Server Certificate

Cisco DNA Center supports the import and storage of an X.509 certificate and private key into Cisco DNA Center. After import, the certificate and private key can be used to create a secure and trusted environment between Cisco DNA Center, northbound API applications, and network devices.

You can import a certificate and a private key using the Certificates window in the GUI.

Before you begin

You must obtain a valid X.509 certificate that is issued by your internal CA and the certificate must correspond to a private key in your possession.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Trust & Privacy > Certificates.

Step 2

In the System tab, view the current certificate data.

When you first view this window, the current certificate data that is displayed is the Cisco DNA Center self-signed certificate. The self-signed certificate's expiry is set for several years in the future.

Note 

The expiration date and time are displayed as a Greenwich Mean Time (GMT) value. A system notification appears in the Cisco DNA Center GUI two months before the certificate expires.

The System tab displays the following fields:

  • Current Certificate Name: Name of the current certificate

  • Issuer: Name of the entity that has signed and issued the certificate

  • Authority: Either self-signed or the name of the CA

  • Expires: Expiry date of the certificate

Step 3

To replace the current certificate, click Replace Certificate.

The following fields appear:

  • Certificate: Fields to enter certificate data

  • Private Key: Fields to enter private key data

Step 4

(Optional) Check the Use system certificate for Disaster Recovery as well check box if you want to use the same certificate for disaster recovery.

Step 5

In the Certificate area, choose the file format type for the certificate that you are importing into Cisco DNA Center:

  • PEM: Privacy-enhanced mail file format

  • PKCS: Public-Key Cryptography Standard file format

Step 6

If you choose PEM, perform the following tasks:

  • For the Certificate field, import the PEM file by dragging and dropping the file into the Drag and Drop area.

    Note 

    A PEM file must have a valid PEM format extension (.pem). The maximum file size for the certificate is 10 MB.

    After the upload succeeds, the system certificate is validated.

  • For the Private Key field, import the private key by dragging and dropping the file into the Drag and Drop area.

    Note 

    Private keys must have a valid private key format extension (.key). The maximum file size for the private key is 10 MB.

    After the upload succeeds, the private key is validated.

  • Choose the encryption option from the Encrypted area for the private key.

  • If you chose encryption, enter the password for the private key in the Password field.

Step 7

If you choose PKCS, perform the following tasks:

  • For the Certificate field, import the PKCS file by dragging and dropping the file into the Drag and Drop area.

    Note 

    A PKCS file must have a valid PKCS format extension (.pfx or .p12). The maximum file size for the certificate is 10 MB.

    After the upload succeeds, the system certificate is validated.

  • For the Certificate field, enter the passphrase for the certificate in the Password field.

    Note 

    For PKCS, the imported certificate also requires a passphrase.

  • For the Private Key field, choose the encryption option for the private key.

  • For the Private Key field, if encryption is chosen, enter the password for the private key in the Password field.

Step 8

Click Save.

Note 

After the Cisco DNA Center server’s SSL certificate is replaced, you are automatically logged out and you must log in again.

Step 9

Return to the Certificates window to view the updated certificate data.

The information displayed in the System tab should have changed to reflect the new certificate name, issuer, and the certificate authority.

PKI Certificate Authority

Clients looking to establish an HTTPS connection with Cisco DNA Center use its server CA in order to confirm its identity and complete authentication. In addition to the server CA, Cisco DNA Center also makes use of a public key infrastructure (PKI) CA (configured as either a root or subordinate CA) to establish client connections. When used, the PKI CA gives you the option of using a different realm trust (signing CA) than the one associated with Cisco DNA Center’s server CA.

Change the Role of the PKI Certificate from Root to Subordinate

The device PKI CA, a private CA that is provided by Cisco DNA Center, manages the certificates and keys used to establish and secure server-client connections. To change the role of the device PKI CA from a root CA to a subordinate CA, complete the following procedure.

When changing the private Cisco DNA Center CA from a root CA to a subordinate CA, note the following:

  • If you intend to have Cisco DNA Center act as a subordinate CA, it is assumed that you already have a root CA, for example, Microsoft CA, and you are willing to accept Cisco DNA Center as a subordinate CA.

  • As long as the subordinate CA is not fully configured, Cisco DNA Center continues to operate as an internal root CA.

  • You must generate a Certificate Signing Request file for Cisco DNA Center (as described in the following procedure) and have it manually signed by your external root CA.


    Note

    Cisco DNA Center continues to run as an internal root CA during this time period.


  • After the Certificate Signing Request is signed by the external root CA, this signed file must be imported back into Cisco DNA Center using the GUI (as described in the following procedure).

    After the import, Cisco DNA Center initializes itself as the subordinate CA and provides all the existing functionalities of a subordinate CA.

  • The switchover from the internal root CA to the subordinate CA used by managed devices is not automatically supported. Therefore, it is assumed that no devices have been configured with the internal root CA yet. If devices are configured, it is the responsibility of the network administrator to manually revoke the existing device ID certificates before switching to the subordinate CA.

  • The subordinate CA certificate lifetime, as displayed in the GUI, is just read from the certificate; it is not computed against the system time. Therefore, if you install a certificate with a lifespan of 1 year today and look at it in the GUI next July, the GUI will still show that the certificate has a 1-year lifetime.

  • The subordinate CA certificate must be in PEM or DER format only.

  • The subordinate CA does not interact with the higher CAs; therefore, it is not aware of any revocation of certificates at a higher level. Consequently, information about such certificate revocation is also not communicated from the subordinate CA to the network devices. Because the subordinate CA does not have this information, all the network devices use only the subordinate CA as the CRL distribution point (CDP) source.

You can change the role of the private (internal) Cisco DNA Center CA from a root CA to a subordinate CA using the PKI Certificate Management window in the GUI.

Before you begin

You must have a copy of the root CA certificate.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > PKI Certificate.

Step 2

Click the CA Management tab.

Step 3

Review the existing root or subordinate CA certificate configuration information from the GUI:

  • Root CA Certificate: Displays the current root CA certificate (either external or internal).

  • Root CA Certificate Lifetime: Displays the current lifetime value of the current root CA certificate, in days.

  • Current CA Mode: Displays the current CA mode (root CA or subordinate CA).

  • Sub CA Mode: Enables a change from a root CA to a subordinate CA.

Step 4

In the CA Management tab, check the Sub CA Mode check box.

Step 5

Click Next.

Step 6

Review the warnings that appear:

  • Changing from root CA to subordinate CA is a process that cannot be reversed.

  • You must ensure that no network devices have been enrolled or issued a certificate in root CA mode. Network devices that have been accidentally enrolled in root CA mode must be revoked before changing from root CA to subordinate CA.

  • Network devices must come online only after the subordinate CA configuration process finishes.

Step 7

Click OK to proceed.

The PKI Certificate Management window displays the Import External Root CA Certificate field.

Step 8

Drag and drop your root CA certificate into the Import External Root CA Certificate field and click Upload.

The root CA certificate is uploaded into Cisco DNA Center and used to generate a Certificate Signing Request.

After the upload process finishes, a Certificate Uploaded Successfully message appears.

Step 9

Click Next.

Cisco DNA Center generates and displays the Certificate Signing Request.

Step 10

View the Cisco DNA Center-generated Certificate Signing Request in the GUI and perform one of the following actions:

  • Click the Download link to download a local copy of the Certificate Signing Request file.

    You can then attach this Certificate Signing Request file to an email to send to your root CA.

  • Click the Copy to the Clipboard link to copy the Certificate Signing Request file's content.

    You can then paste this Certificate Signing Request content to an email or include it as an attachment to an email and send it to your root CA.

Step 11

Send the Certificate Signing Request file to your root CA.

Your root CA will then return a subordinate CA file, which you must import back into Cisco DNA Center.

Step 12

After receiving the subordinate CA file from your root CA, access the Cisco DNA Center GUI again and return to the PKI Certificate Management window.

Step 13

Click the CA Management tab.

Step 14

Click Yes for the Change CA mode button.

After clicking Yes, the GUI view with the Certificate Signing Request is displayed.

Step 15

Click Next.

The PKI Certificate Management window displays the Import Sub CA Certificate field.

Step 16

Drag and drop your subordinate CA certificate into the Import Sub CA Certificate field and click Apply.

The subordinate CA certificate is uploaded into Cisco DNA Center.

After the upload finishes, the GUI displays the subordinate CA mode under the CA Management tab.

Step 17

Review the fields under the CA Management tab:

  • Sub CA Certificate: Displays the current subordinate CA certificate.

  • External Root CA Certificate: Displays the root CA certificate.

  • Sub CA Certificate Lifetime: Displays the lifetime value of the subordinate CA certificate, in days.

  • Current CA Mode: Displays SubCA mode.


Provision a Rollover Subordinate CA Certificate

Cisco DNA Center lets you apply a subordinate certificate as a rollover subordinate CA when 70 percent of the existing subordinate CA's lifetime has elapsed.

Before you begin

  • To initiate subordinate CA rollover provisioning, you must have changed the PKI certificate role to subordinate CA mode. See Change the Role of the PKI Certificate from Root to Subordinate.

  • Seventy percent or more of the lifetime of the current subordinate CA certificate must have elapsed. When this occurs, Cisco DNA Center displays a Renew button under the CA Management tab.

  • You must have a signed copy of the rollover subordinate CA PKI certificate.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Trust & Privacy > PKI Certificate.

Step 2

Click the CA Management tab.

Step 3

Review the CA certificate configuration information:

  • Subordinate CA Certificate: Displays the current subordinate CA certificate.

  • External Root CA Certificate: Displays the root CA certificate.

  • Subordinate CA Certificate Lifetime: Displays the lifetime value of the current subordinate CA certificate, in days.

  • Current CA Mode: Displays SubCA mode.

Step 4

Click Renew.

Cisco DNA Center uses the existing subordinate CA to generate and display the rollover subordinate CA Certificate Signing Request.

Step 5

View the generated Certificate Signing Request in the GUI and perform one of the following actions:

  • Click the Download link to download a local copy of the Certificate Signing Request file.

    You can then attach this Certificate Signing Request file to an email to send it to your root CA.

  • Click the Copy to the Clipboard link to copy the Certificate Signing Request file's content.

    You can then paste this Certificate Signing Request content to an email or include it as an attachment to an email and send it to your root CA.

Step 6

Send the Certificate Signing Request file to your root CA.

Your root CA will then return a rollover subordinate CA file that you must import back into Cisco DNA Center.

The Certificate Signing Request for the subordinate CA rollover must be signed by the same root CA that signed the subordinate CA you imported when you switched from RootCA mode to SubCA mode.

Step 7

After receiving the rollover subordinate CA file from your root CA, return to the PKI Certificate Management window.

Step 8

Click the CA Management tab.

Step 9

Click Next in the GUI in which the Certificate Signing Request is displayed.

The PKI Certificate Management window displays the Import Sub CA Certificate field.

Step 10

Drag and drop your subordinate rollover CA certificate into the Import Sub CA Certificate field and click Apply.

The rollover subordinate CA certificate is uploaded into Cisco DNA Center.

After the upload finishes, the GUI changes to disable the Renew button under the CA Management tab.


Configure the Device Certificate Lifetime

Cisco DNA Center lets you change the certificate lifetime of network devices that are managed and monitored by the private (internal) Cisco DNA Center CA. The Cisco DNA Center default value for the certificate lifetime is 365 days. After the certificate lifetime value is changed using the Cisco DNA Center GUI, network devices that subsequently request a certificate from Cisco DNA Center are assigned this lifetime value.


Note

The device certificate lifetime value cannot exceed the CA certificate lifetime value. Additionally, if the remaining lifetime of the CA certificate is less than the configured device's certificate lifetime, the device gets a certificate lifetime value that is equal to the remaining CA certificate lifetime.


You can change the device certificate lifetime using the PKI Certificate Management window in the GUI.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Trust & Privacy > PKI Certificate.

Step 2

Click the Device Certificate tab.

Step 3

Review the device certificate and the current device certificate lifetime.

Step 4

In the Device Certificate Lifetime field, enter a new value, in days.

Step 5

Click Save.

Step 6

(Optional) Refresh the PKI Certificate Management window to confirm the new device certificate lifetime value.


Cisco DNA Center Trustpool Support

Cisco DNA Center and Cisco IOS devices support a special PKI certificate store known as trustpool. The trustpool holds X.509 certificates that identify trusted CAs. Cisco DNA Center and the devices in the network use the trustpool bundle to manage trust relationships with each other and with these CAs. Cisco DNA Center manages this PKI certificate store, and an administrator (ROLE_ADMIN) has the ability to update it through the Cisco DNA Center GUI when the certificates in the pool are due to expire, are reissued, or must be changed for other reasons.


Note

Cisco DNA Center also uses the trustpool functionality to determine whether any certificate file that is uploaded through its GUI is a valid trustpool CA-signed certificate.


Cisco DNA Center contains a preinstalled, default Cisco-signed trustpool bundle named ios.p7b. This trustpool bundle is trusted by supported Cisco network devices natively, because it is signed with a Cisco digital signing certificate. This trustpool bundle is critical for the Cisco network devices to establish trust with services and applications that are genuine. This Cisco PKI trustpool bundle file is available at https://www.cisco.com/security/pki/.

To access the Cisco DNA Center PnP functionality, the supported Cisco devices that are being managed and monitored by Cisco DNA Center should import the Cisco PKI trustpool bundle file. When the supported Cisco devices boot for the first time, they contact Cisco DNA Center to import this file.

The Cisco DNA Center trustpool management feature operates in the following manner:

  1. You boot the Cisco devices that support the PnP functionality within your network.

    Note that not all Cisco devices support PnP. See the Cisco DNA Center Supported Devices for a list of supported Cisco devices.

  2. As part of the initial PnP flow, the supported Cisco devices download a trustpool bundle directly from Cisco DNA Center using HTTP.

  3. The Cisco devices are now ready to interact with Cisco DNA Center to obtain further device configuration and provisioning according to the PnP traffic flows.

    Note that if an HTTP proxy gateway exists between Cisco DNA Center and these Cisco devices, you must import the proxy gateway certificate into Cisco DNA Center.


    Note

    At times, you might need to update the trustpool bundle to a newer version due to some certificates in the trustpool expiring, being reissued, or for other reasons. Whenever the trustpool bundle needs to be updated, update it by using the Cisco DNA Center GUI. Cisco DNA Center can access the Cisco cloud (where the Cisco-approved trustpool bundles are located) and download the latest trustpool bundle. After download, Cisco DNA Center then overwrites the current, older trustpool bundle file. As a best practice, update the trustpool bundle before importing a new certificate from a CA.


Check the Certificate on the PnP Server

This section explains how to check the certificate on the PnP agent of Cisco IOS and Cisco IOS XE devices during a zero-touch deployment.

The certificate provided by the PnP server must contain a valid Subject Alternative Name (SAN) field to verify the server identity.

The check is applied to the server's DNS name or the IP address that is used in the PnP profile settings:

pnp profile SOME_NAME
transport https ipv4 IP_ADDRESS port 443

pnp profile SOME_NAME
transport https host DNS_NAME port 443

The enforcement is applied by comparing the SAN field of the certificate to the value used in the PnP profile that is configured on the device.

The following table summarizes the enforcement applied:

PnP Profile Configuration: DHCP Option-43 or Option-17 discovery of the PnP server using an explicit IPv4 or IPv6 address
Certificate Enforcement: The SAN field of the server certificate must contain the explicit IPv4 or IPv6 address used in Option-43 or Option-17.

PnP Profile Configuration: DHCP Option-43 or Option-17 discovery of the PnP server using a DNS name
Certificate Enforcement: The SAN field of the server certificate must contain the specific DNS name.

PnP Profile Configuration: DNS discovery of the PnP server
Certificate Enforcement: The SAN field of the server certificate must contain pnpserver.<local-domain>.

PnP Profile Configuration: Cisco.com discovery of the PnP server
Certificate Enforcement: One of the following conditions applies:
  • The SAN field of the server certificate must contain the explicit IP address if an IP address is used in the cloud redirection profile configuration.
  • The SAN field of the server certificate must contain the specific DNS name if a DNS name is used in the cloud redirection profile configuration.

PnP Profile Configuration: Day-2 (manual configuration) PnP profile creation
Certificate Enforcement: The SAN field of the server certificate must contain either the IP address or the DNS name that is used in the PnP profile configuration.

We recommend that you use a discovery method based on the DNS name because the functionality is not affected by changes to the IP address.

Procedure


Step 1

Use the PnP server logs to diagnose the problem. Check whether the HTTPS connection is established with the device after the trustpoint is installed on the device.

The PnP server logs show that the device moves from the CERTIFICATE_INSTALL_REQUESTED stage to the FILESYSTEM_INFO_REQUESTED stage, but no further progress is made. For example:

2018-11-28 12:05:40,711 |   INFO | qtp226594800-88458        |  | com.cisco.enc.pnp.state.ZtdState | 
Device state has changed from CERTIFICATE_INSTALL_REQUESTED to FILESYSTEM_INFO_REQUESTED | 
sn=SOME_SN, address=SOME_IP

Thereafter, PnP provisioning fails with an error that is similar to the following:

2018-11-28 12:25:56,289 |  ERROR | eHealthCheckFirstBucket-2 |  | c.c.e.z.impl.ZtdHistoryServiceImpl | 
Failed health check since device is stuck in non-terminal state FILESYSTEM_INFO_REQUESTED for more than threshold time: 
0 hours, 16 minutes, 0 seconds | sn=SOME_SN

Step 2

For device-side debugging, enable the following debug commands and collect the following show outputs to determine whether the issue is related to the server identity check:

debug crypto pki val
debug crypto pki api
debug crypto pki call
debug crypto pki tr
debug ssl openssl error
debug ssl openssl msg
debug ssl openssl state
debug ssl openssl ext

show crypto pki certificate
show running
show pnp tech

Step 3

Enable debugging before you initiate a PnP discovery.

Step 4

Check the server certificate's SAN field by entering the following command from the CLI of a Linux workstation or a Mac terminal. Be sure to replace SERVER_IP with your Cisco DNA Center cluster address.

echo | openssl s_client -showcerts -servername SERVER_IP -connect SERVER_IP:443 2>/dev/null | openssl x509 -inform pem -noout -text

Step 5

In the output, pay close attention to the X509v3 extensions, especially the X509v3 Subject Alternative Name, which is the field that must be matched against the PnP server details.

The output is similar to the following:

[username@toolkit ~]$ echo | openssl s_client -showcerts -servername SERVER_IP -connect SERVER_IP:443 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:92:63:49:41:36:99:43:00:57:43:86:06:10:44:57:32:48:65:00
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=e328c7fc-3495-4bc1-81a4-66a31d0507f6, C=US, ST=California, L=SanJose, OU=DNAC, O=Cisco
        Validity
            Not Before: Aug 24 05:55:29 2017 GMT
            Not After : Aug 23 05:55:29 2022 GMT
        Subject: CN=SERVER_IP, ST=California, C=US, O=Cisco, OU=DNAC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a2:21:ba:52:b4:9e:50:02:c0:68:2e:b3:43:0a:
                    <snip>
                    9e:1b:ef:19:96:f9:2b:e3:6a:58:05:b3:c5:b3:d3:
                    24:ab
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                IP Address:SERVER_IP

Step 6

Depending on the type of certificate you are using, do one of the following:


Certificates for Systems That Peer with Cisco DNA Center

When setting up a certificate for an external system that Cisco DNA Center communicates with (such as Cisco ISE, IPAM, vManage, or Stealthwatch Security Analytics), ensure that an HTTP-type CRL distribution point is supported and, if the certificate lists multiple distribution points including an LDAP one, that the HTTP distribution point is placed before LDAP.

If the HTTP CRL distribution point is not placed before LDAP, authentication with the external system might fail for LDAP-type CRL entries.
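The two checks described above, the SAN enforcement table for the PnP server certificate and the HTTP-before-LDAP ordering of CRL distribution points for peer-system certificates, can be scripted against the text output of openssl x509 -text shown in Step 5. The following is an added example, not Cisco code or part of this guide. SAMPLE_CERT_TEXT is a constructed certificate dump modelled on the Step 5 output; the host names, addresses and CRL URLs in it are made up, and the discovery keywords (dhcp, dns, day2, cloud) are this example's own labels for the rows of the table.

```python
"""Check a PnP server certificate as described above: does its SAN carry the
IP address or DNS name the PnP profile uses, and is an HTTP CRL distribution
point listed before any LDAP one. Parses `openssl x509 -text` output.

Added example, not Cisco code. SAMPLE_CERT_TEXT is a constructed dump
modelled on the Step 5 output; names, addresses and URLs are made up."""
import ipaddress

SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=dnac.example.com, ST=California, C=US, O=Cisco, OU=DNAC
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:dnac.example.com, DNS:pnpserver.example.com, IP Address:192.0.2.10, IP Address:2001:DB8:0:0:0:0:0:10
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap://ldap.example.com/CN=CA,O=Example?certificateRevocationList
                Full Name:
                  URI:http://crl.example.com/ca.crl
    Signature Algorithm: sha256WithRSAEncryption
"""


def extension_lines(cert_text, name):
    """Return the stripped lines that belong to one X509v3 extension block,
    i.e. everything indented deeper than the '<name>:' header line."""
    lines = cert_text.splitlines()
    body = []
    for i, line in enumerate(lines):
        if line.strip() == name + ":":
            indent = len(line) - len(line.lstrip())
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                body.append(nxt.strip())
            break
    return body


def san_entries(cert_text):
    """Parse the SAN into a set of ('dns', name) / ('ip', address) tuples.
    DNS names are lower-cased; IP addresses are normalised so that
    2001:DB8:0:0:0:0:0:10 and 2001:db8::10 compare equal."""
    entries = set()
    for line in extension_lines(cert_text, "X509v3 Subject Alternative Name"):
        for item in line.split(","):
            kind, _, value = item.strip().partition(":")
            if kind == "DNS":
                entries.add(("dns", value.lower().rstrip(".")))
            elif kind == "IP Address":
                entries.add(("ip", ipaddress.ip_address(value)))
    return entries


def expected_san(discovery, value=None, local_domain=None):
    """Map a discovery method to the SAN entry the enforcement table requires.
    'dns'  : DNS discovery -> pnpserver.<local-domain>
    others : dhcp (Option-43/17), cloud (cisco.com redirection), day2 profile
             -> the explicit IP address or DNS name that was configured."""
    if discovery == "dns":
        return ("dns", f"pnpserver.{local_domain}".lower())
    try:
        return ("ip", ipaddress.ip_address(value))
    except ValueError:  # not an IP literal, so it is a DNS name
        return ("dns", value.lower().rstrip("."))


def san_matches(cert_text, discovery, value=None, local_domain=None):
    """True when the certificate's SAN satisfies the PnP profile."""
    return expected_san(discovery, value, local_domain) in san_entries(cert_text)


def crl_uris(cert_text):
    """CRL distribution point URIs in the order the certificate lists them."""
    return [l[len("URI:"):] for l in
            extension_lines(cert_text, "X509v3 CRL Distribution Points")
            if l.startswith("URI:")]


def http_crl_before_ldap(cert_text):
    """True when an HTTP distribution point exists and precedes every LDAP one,
    the ordering the peer-system section above asks for."""
    schemes = [u.split(":", 1)[0].lower() for u in crl_uris(cert_text)]
    if "http" not in schemes:
        return False
    return "ldap" not in schemes or schemes.index("http") < schemes.index("ldap")


if __name__ == "__main__":
    checks = [("dhcp", "192.0.2.10", None), ("dhcp", "2001:db8::10", None),
              ("dns", None, "example.com"), ("day2", "DNAC.example.com", None),
              ("dhcp", "192.0.2.11", None)]
    for disc, val, dom in checks:
        ok = san_matches(SAMPLE_CERT_TEXT, disc, val, dom)
        print(f"{disc:5} {val or dom:20} {'SAN ok' if ok else 'SAN MISMATCH'}")
    print("HTTP CRL before LDAP:", http_crl_before_ldap(SAMPLE_CERT_TEXT))
```

To run it against a real certificate, pipe the Step 5 openssl command into a file and pass its contents as cert_text. The sample deliberately lists the LDAP distribution point first, so http_crl_before_ldap reports the misordering the peer-system section warns about; the SAN check normalises IPv6 literals and DNS case because the PnP agent compares the configured value with the SAN entry, not with the CN.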

Disable SFTP Compatibility Mode

SSH File Transfer Protocol (SFTP) Compatibility Mode allows legacy network devices to connect to Cisco DNA Center using older cipher suites, which are not secure. By default, SFTP Compatibility Mode is enabled for new Cisco DNA Center deployments.

  • If your network does not have legacy devices, we recommend that you disable SFTP Compatibility Mode during initial cluster configuration.

  • If your network does have legacy devices, we recommend that you enable SFTP Compatibility Mode for a maximum of three days, which should be enough time to complete provisioning tasks.

Complete the procedure that's specific to your Cisco DNA Center version.

Newer Cisco DNA Center Versions

If you are running Cisco DNA Center 2.1.2.0 or later, complete the following procedure to enable or disable SFTP Compatibility Mode:

Procedure


Step 1

Log in to Cisco DNA Center.

Step 2

In the GUI, click the Menu icon and choose System > Settings > Device Settings > Image Distribution Servers.

Step 3

In the Host column, locate the relevant server and click its i icon.

A message appears, indicating whether SFTP Compatibility Mode is currently enabled or disabled on that server.

Step 4

If necessary, click the link provided in the message to enable or disable this mode.


Older Cisco DNA Center Versions

If you are running Cisco DNA Center 1.3.3.0 or earlier, complete the following procedure to enable or disable SFTP Compatibility Mode:

Procedure


Step 1

Log in to Cisco DNA Center.

Step 2

From the home page, choose System Settings > Settings > SFTP.

Step 3

Check the Compatibility mode check box to enable this mode. Uncheck the check box to disable it.

Step 4

Click Apply.


Browser-Based Appliance Configuration Wizard

In addition to the appliance configuration wizard that has been available since its first release, Cisco DNA Center also provides a browser-based appliance configuration wizard. See the following topics for a description of how to disable or reenable this wizard.

Disable the Wizard

A self-signed certificate is provided with your Cisco DNA Center appliance. If your production environment doesn't allow the use of self-signed certificates, we recommend that you shut down the service associated with the browser-based appliance configuration wizard. Complete the following procedure right after using the wizard to configure your appliance.


Note

Only users with root privileges can complete this procedure.


Procedure


Step 1

In an SSH client, log in to your Cisco DNA Center appliance using the IP address that you entered during configuration.

When prompted, enter your username and password.

Step 2

(Optional) To view usage information for the commands you need to run in order to disable or reenable the browser-based appliance configuration wizard, run the maglev-config webinstall command.

You see the following output:

Usage: maglev-config webinstall [OPTIONS] COMMAND [ARGS]...
Enable/Disable Maglev web install feature
Options:
--help  Show this message and exit.
Commands:
disable  Stops and disables Maglev webinstall service...
enable   Enables Maglev webinstall feature service

Step 3

Disable the browser-based configuration wizard by running the maglev-config webinstall disable command.

After the operation completes, you see the following output:

Maglev Web install feature disabled

Reenable the Wizard

If the browser-based configuration wizard is currently disabled on an appliance, reenable it before you complete the following tasks:

  • Add nodes to a three-node Cisco DNA Center cluster on which you plan to enable high availability (HA).

  • Remove a node from a three-node cluster that has HA enabled and replace it with a new node. In this case, ensure that the browser-based configuration wizard is enabled on at least one of the other two cluster nodes.


Note

Only users with root privileges can complete this procedure.


Procedure


Step 1

In an SSH client, log in to your Cisco DNA Center appliance using the IP address that you entered during configuration.

When prompted, enter your username and password.

Step 2

Reenable the wizard by running the maglev-config webinstall enable command.

After the operation completes, you see the following output:

Maglev Web install feature enabled

Upgrade Legacy Devices

If you have legacy network devices, you must upgrade them to the latest device software:

Some devices, such as Cisco Aironet 1800 Series Access Points running Version 8.5, use TLSv1, which is not secure. You must upgrade the device software to Version 8.8 to obtain a newer TLS version.

Secure Network Data

Cisco DNA Center lets you use the Data Anonymization feature to hide the identity of wired and wireless end clients in the Cisco DNA Assurance dashboard. For details, see "View or Update Collector Configuration Information" in the Cisco DNA Assurance User Guide.

Syslog Management

Cisco DNA Center protects user-sensitive data in syslogs, such as usernames, passwords, and IP addresses.

View Audit Logs

Audit logs capture information about the various applications running on Cisco DNA Center. Audit logs also capture information about device public key infrastructure (PKI) notifications. The information in these audit logs can be used to assist in troubleshooting issues, if any, involving the applications or the device PKI certificates.

Audit logs also record system events that occurred, when and where they occurred, and which users initiated them. With audit logging, configuration changes to the system get logged in separate log files for auditing.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Activities > Audit Logs.

The Audit Logs window appears, where you can view logs about the current policies in your network. These policies are applied to network devices by the applications installed on Cisco DNA Center.

Step 2

Click the timeline slider to specify the time range of data you want displayed on the window:

  • In the Time Range area, choose a time range: Last 2 Weeks, Last 7 Days, Last 24 Hours, or Last 3 Hours.

  • To specify a custom range, click By Date and specify the start and end date and time.

  • Click Apply.

Step 3

Click the arrow next to an audit log to view the corresponding child audit logs.

Each audit log can be a parent to several child audit logs. By clicking the arrow, you can view a series of additional child audit logs.

Note 

An audit log captures data about a task performed by Cisco DNA Center. Child audit logs are subtasks to a task performed by Cisco DNA Center.

Step 4

(Optional) From the list of audit logs in the left pane, click a specific audit log message. In the right pane, click Event ID > Copy Event ID to Clipboard. With the copied ID, you can use the API to retrieve the audit log message based on the event ID.

The audit log displays the Description, User, Interface, and Destination of each policy in the right pane.

Note 

The audit log displays northbound operation details such as POST, DELETE, and PUT with payload information, and southbound operation details such as the configuration pushed to a device. For detailed information about the APIs on Cisco DevNet, see Cisco DNA Center Platform Intent APIs.

Step 5

(Optional) Click Filter to filter the log by User ID, Log ID, or Description.

Step 6

Click Subscribe to subscribe to the audit log events.

A list of syslog servers appears.

Step 7

Check the syslog server check box that you want to subscribe to and click Save.

Note 

Uncheck the syslog server check box to unsubscribe from the audit log events and click Save.

Step 8

In the right pane, use the Search field to search for specific text in the log message.

Step 9

In the Cisco DNA Center GUI, click the Menu icon and choose Activities > Scheduled Tasks to view upcoming, in-progress, completed, and failed administrative tasks, such as OS updates or device replacements.

Step 10

In the Cisco DNA Center GUI, click the Menu icon and choose Activities > Work Items to view in-progress, completed, and failed work items.


Export Audit Logs to Syslog Servers

Security Recommendation: We strongly encourage you to export audit logs from Cisco DNA Center to a remote Syslog Server in your network, for more secure and easier log monitoring.

You can export the audit logs from Cisco DNA Center to multiple syslog servers by subscribing to them.

Before you begin

You must configure the syslog servers in the System > Settings > External Services > Destinations > Syslog area.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Activities > Audit Logs.

Step 2

Click Subscribe.

Step 3

Select the syslog servers that you want to subscribe to and click Save.

Step 4

To unsubscribe, deselect the syslog servers and click Save.


View Audit Logs in Syslog Server Using APIs

With the Cisco DNA Center platform, you can use APIs to view audit logs in syslog servers. You must first create a syslog subscription for audit log events using the Create Syslog Event Subscription API in the Developer Toolkit.

After that, whenever an audit log event occurs, it is sent to the subscribed syslog server, which lists the audit log events.

View Security Advisories Report

Cisco DNA Center provides the functionality to create a Security Advisory report, which scans your Cisco network devices for relevant security advisories, and contains information about publicly reported vulnerabilities.

Security Recommendation: We strongly encourage you to run and review this report periodically to understand the impact of published Cisco security advisories that may affect your network, and to take appropriate action if necessary.

The Security Advisories report will display device data and related advisory data such as: Device Name, IP Address, Device Type, Serial Number, Image Version, Site, Advisory ID, CVSS Score, and Impact.


Note

  • Each row in the report is a unique device-and-advisory pair, because there is a one-to-many relationship between devices and advisories.

  • Devices that were not scanned are included in the report and labeled as not scanned.

  • Devices that were scanned and have no advisories are labeled as no advisories found.

For detailed information and instructions on how to run the security advisories report, see the section "Run a Security Advisories Report" in the Cisco DNA Center Platform User Guide.