Cisco DNA Center Security Best Practices Guide

First Published: 2018-12-19

Last Modified: 2023-04-12

Security Hardening Overview

Cisco Digital Network Architecture (Cisco DNA) Center is a highly advanced and capable enterprise controller
for the Cisco network platform. As one of the most critical infrastructure components of enterprise networks,
Cisco DNA Center must be deployed securely. This guide explains the best practices that must be followed
to ensure a secure deployment. To mitigate possible security risks, if any, you must carefully evaluate the
multilayered security considerations for Cisco DNA Center in your network infrastructure, and take the
necessary actions recommended in this guide.

Note This guide is updated on a regular basis when new security features are introduced in Cisco DNA Center. We
recommend that you bookmark this guide and download the latest version from cisco.com.

Cisco DNA Center Hardening Steps

Cisco DNA Center provides many security features for itself, as well as for the hosts and network devices
that it monitors and manages. You must clearly understand and configure the security features correctly. We
strongly recommend that you follow these security recommendations:
• Deploy Cisco DNA Center in a private internal network and behind a firewall that does not expose Cisco
DNA Center to an untrusted network, such as the internet.
• If you have separate management and enterprise networks, connect Cisco DNA Center's management
and enterprise interfaces to your management and enterprise networks, respectively. Doing so ensures
network isolation between the services used to administer and manage Cisco DNA Center and the services
used to communicate with and manage your network devices.
• If deploying Cisco DNA Center in a three-node cluster setup, verify that the cluster interfaces are connected
in an isolated network.
• Upgrade Cisco DNA Center with critical upgrades, including security patches, as soon as possible after
a patch announcement. For more information, see the Cisco DNA Center Upgrade Guide.
• Restrict the remote URLs accessed by Cisco DNA Center using an HTTPS proxy server. Cisco DNA
Center is configured to access the internet to download software updates, licenses, and device software,
as well as provide up-to-date map information, user feedback, and so on. Providing internet connections
for these purposes is a mandatory requirement. However, provide connections securely through an HTTPS
proxy server. For more information, see Secure Internet Access to Required Internet URLs and Fully
Qualified Domain Names, on page 10.

Cisco DNA Center Security Best Practices Guide

1
 User Role Considerations

• Restrict the ingress and egress management and enterprise network connections to and from Cisco DNA
Center using a firewall, by only allowing known IP addresses and ranges and blocking network connections
to unused ports. For more information, see Communication Ports, on page 3.
• Replace the self-signed server certificate from Cisco DNA Center with the certificate signed by your
internal certificate authority (CA).
• If possible, disable SFTP Compatibility Mode in your network environment. This mode allows legacy
network devices to connect to Cisco DNA Center using older cipher suites. For more information, see
Disable SFTP Compatibility Mode, on page 35.
• Disable the browser-based appliance configuration wizard, which comes with a self-signed certificate.
For more information, see Browser-Based Appliance Configuration Wizard, on page 36.
• Upgrade the minimum TLS version. Cisco DNA Center comes with TLSv1.1 and TLSv1.2 enabled by
default, and we recommend that you set the minimum TLS version to 1.2 if possible, in your network
environment. For more information, see Change the Minimum TLS Version and Enable RC4-SHA (Not
Secure), on page 11.

User Role Considerations

Users are assigned roles that control access to the functions that they are permitted to perform.
Cisco DNA Center supports the following user roles. For more information, see "About User Roles" and
"Create Local Users" in the Cisco DNA Center Administrator Guide.
• Administrator (SUPER-ADMIN-ROLE): Users with this role have full access to all Cisco DNA Center
functions. They can create other user profiles with various roles, including those with the
SUPER-ADMIN-ROLE. Restrict the number of users with this role.
• Network Administrator (NETWORK-ADMIN-ROLE): Users with this role have full access to all
of the network-related Cisco DNA Center functions. However, they do not have access to system-related
functions, such as backup and restore.
• Observer (OBSERVER-ROLE): Users with this role have view-only access to Cisco DNA Center
functions. Users with an observer role cannot access any functions that configure or control Cisco DNA
Center or the devices it manages.

In addition to the above preconfigured user roles, Cisco DNA Center also supports the creation of user roles
with a custom fine-grained access policy, which allows the creation of custom roles to permit or restrict user
access to certain Cisco DNA Center functions. For more information, see "Configure Role Based Access
Control' in the Cisco DNA Center Administrator Guide.

Note We strongly recommend that you restrict the number of users with the Administrator role because administrators
have control over the configuration of critical functions.

Cisco DNA Center can use Cisco Identity Services Engine (ISE) or other authentication, authorization, and
accounting (AAA) servers for user authentication. For more information, see "Configure Authentication and
Policy Servers" in the Cisco DNA Center Administrator Guide.

Cisco DNA Center Security Best Practices Guide

2
 Secure Your Cisco DNA Center Deployment

Secure Your Cisco DNA Center Deployment

Cisco DNA Center provides many security features for itself, as well as for the hosts and network devices
that it monitors and manages. We strongly recommend that you place Cisco DNA Center and Cisco ISE
behind a firewall in either a local data center (head of campus) or remote data center as shown here.

To access Cisco DNA Center through the GUI and to enable Cisco DNA Center to interact with network
devices, specific ports must be configured on the firewall. Cisco DNA Center integrates with the cloud and
is distributed across the globe for practical latency requirements.

Communication Ports
Security Recommendations:

Cisco DNA Center Security Best Practices Guide

3
 Communication Ports

• Deploy a firewall between Cisco DNA Center and the management or enterprise network for a defensive,
in-depth approach to secure the Cisco DNA Center deployment.
• Open the ports with specific IP addresses or ranges.

The following table lists the ports that Cisco DNA Center uses, the names of the services communicating over
these ports, and the product’s purpose in using them. The Recommended Action column indicates whether
you can restrict network traffic to known IP addresses or ranges, or block network connections to or from a
Cisco DNA Center port or service without affecting the functionality of Cisco DNA Center, or whether you
must leave the port open.
Some destination ports in Cisco DNA Center are duplicated. The subsections call out the usage and related
network service. You can limit the source or destination IP addresses or ranges in the firewall rules or choose
not to open the port if the service is not used in your Cisco DNA Center deployment.

Port Service Purpose Recommended Action

Name
Administering or Configuring Cisco DNA Center

TCP 443 UI, REST, GUI, REST, HTTPS management port. Port must be open.
HTTPS

TCP 2222 Cisco Connect to the Cisco DNA Center shell. Port must be open. Restrict the known IP
DNA address to be the source.
Center
shell

TCP 9004 Web UI Serves the GUI based installation page Port must be open until the installation of the
installation (required only if you choose to install Cisco node is complete.
DNA Center using the web-based option).

TCP 9005 Web UI Serves the API for the web-based installation Port must be open until the cluster formation is
installation (connected by the browser client from port complete.
API 9004; no external agent requires access).
service

Administering or Configuring Cisco IMC

TCP 22 Cisco Connects to the Cisco DNA Center shell. Port must be open. Configure the known IP
DNA address as the source.
Center
shell
UDP and TCP 53 DNS Used to resolve a DNS name to an IP address. Port must be open if DNS names are used
instead of IP addresses for other services (such
as an NTP DNS name).
UDP and TCP 389 LDAP Cisco IMC user management LDAP. Optional if external user authentication via
LDAP is needed.
TCP 443 UI, REST, Web UI, REST, HTTPS management port. Port must be open.
HTTPS
UDP and TCP 636 LDAPS Cisco IMC user management via LDAP over Optional if external user authentication via
SSL. LDAPS is needed.

Cisco DNA Center Security Best Practices Guide

4
 Communication Ports

Port Service Purpose Recommended Action

Name
TCP 2068 HTTPS Remote KVM console redirect port. Port must be open until installation of the node
is complete.
UDP 123 NTP Synchronize the time with an NTP server. Port must be open.
UDP 161 SNMP SNMP server polling and configurations. Optional for SNMP server polling and
Polling/Config configurations.
UDP 162 SNMP Send SNMP traps to an external SNMP server. Optional for a SNMP server collector.
Traps
UDP 514 Syslog View faults and logs on an external server. Optional for sending message logs to an
external server.
Cisco DNA Center Outbound to Device and Other Systems
— ICMP Cisco DNA Center uses ICMP messages to Enable ICMP.
discover network devices and troubleshoot
network connectivity issues.

TCP 22 SSH Cisco DNA Center uses SSH to connect to SSH must be open between Cisco DNA Center
network devices so that it can: and the following:
• Read the device configuration for • The managed network
discovery.
• Cisco ISE
• Make configuration changes.

Cisco DNA Center also uses SSH to connect

to and complete initial integration with Cisco
ISE.

TCP 23 Telnet We strongly discourage the use of Telnet. Telnet can be used for device management, but
we do not recommend it because Telnet does
Note that although Telnet is discouraged, Cisco
not offer security mechanisms such as SSH.
DNA Center can use Telnet to connect to
devices in order to read the device configuration
for discovery, and make configuration changes.

TCP 49 TACACS+ Needed only if you are using external Port must be open only if you are using external
authentication such as Cisco ISE with a authentication with a TACACS+ server.
TACACS+ server.

TCP 80 HTTP Cisco DNA Center uses HTTP for trust pool To access Cisco-supported trust pools,
updates. configure your network to allow outgoing
traffic from the appliance to the following URL:
http://www.cisco.com/security/pki/

UDP 53 DNS Cisco DNA Center uses DNS to resolve Port must be open for DNS hostname
hostnames. resolution.

UDP 123 NTP Cisco DNA Center uses NTP to synchronize Port must be open for time synchronization.
the time from the source that you specify.

Cisco DNA Center Security Best Practices Guide

5
 Communication Ports

Port Service Purpose Recommended Action

Name
UDP 161 SNMP Cisco DNA Center uses SNMP to discover Port must be open for network device
network devices; to read device inventory management and discovery.
details, including device type; and for telemetry
data purposes, including CPU and RAM.

TCP 443 HTTPS Cisco DNA Center uses HTTPS for Port must be open for cloud tethering,
cloud-tethered upgrades. telemetry, and software upgrades.

TCP 830 NETCONF Cisco DNA Center uses NETCONF for device Port must be open for network device
inventory, discovery, and configuration. management and discovery of devices that
support NETCONF.

UDP 1645 or 1812 RADIUS Needed only if you are using external Port must be open only if an external RADIUS
authentication with a RADIUS server. server is used to authenticate user login to Cisco
DNA Center.

TCP 5222, 8910 Cisco ISE Cisco DNA Center uses Cisco ISE XMP for Port must be open for Cisco ISE.
PxGrid.

TCP 9060 Cisco ISE Cisco DNA Center uses Cisco ISE ERS API Port must be open for Cisco ISE.
traffic.

Device to Cisco DNA Center

— ICMP Devices use ICMP messages to communicate Enable ICMP.
network connectivity issues.

TCP 22, 80, 443 HTTPS, Software image download from Cisco DNA Ensure that firewall rules limit the source IP of
SFTP, Center through HTTPS:443, SFTP:22, the hosts or network devices allowed to access
HTTP HTTP:80. Cisco DNA Center on these ports.
Certificate download from Cisco DNA Center Note We do not recommend the use of
through HTTPS:443, HTTP:80 (Cisco 9800 HTTP 80. Use HTTPS 443
Wireless Controller, PnP), Sensor/Telemetry. wherever possible.
Note Block port 80 if you don't use
Plug and Play (PnP), Software
Image Management (SWIM),
Embedded Event Management
(EEM), device enrollment, or
Cisco 9800 Wireless Controller.

UDP 123 NTP Devices use NTP for time synchronization. Port must be open to allow devices to
synchronize the time.

UDP 162 SNMP Cisco DNA Center receives SNMP network Port must be open for data analytics based on
telemetry from devices. SNMP.

UDP 514 Syslog Cisco DNA Center receives syslog messages Port must be open for data analytics based on
from devices. syslog.

Cisco DNA Center Security Best Practices Guide

6
 Enable Cisco DNA Center Disaster Recovery

Port Service Purpose Recommended Action

Name
UDP 6007 NetFlow Cisco DNA Center receives NetFlow network Port must be open for data analytics based on
telemetry from devices. NetFlow.

TCP 9991 Wide Area Cisco DNA Center receives multicast Domain Port must be open on Cisco DNA Center if the
Bonjour Name System (mDNS) traffic from the Service Bonjour application is installed.
Service Discovery Gateway (SDG) agents using the
Bonjour Control Protocol.

UDP 21730 Application Application Visibility Service CBAR device Port must be open when CBAR is enabled on
Visibility communication. a network device.
Service

TCP 25103 Cisco Used for telemetry. Port must be open for telemetry connections
9800 between Cisco DNA Center and Catalyst 9000
Wireless devices.
Controller
and Cisco
Catalyst
9000
switches
with
streaming
telemetry
enabled

TCP 32626 Intelligent Used for receiving traffic statistics and packet Port must be open if you are using the Cisco
Capture - capture data used by the Cisco DNA DNA Assurance Intelligent Capture (gRPC)
(gRPC) Assurance Intelligent Capture (gRPC) feature. feature.
collector

Enable Cisco DNA Center Disaster Recovery

Cisco DNA Center provides a mechanism to recover from a Cisco DNA Center cluster loss (or a data center
loss) and maintain operational continuity. This is achieved through the Disaster Recovery application of Cisco
DNA Center, which replicates all the essential data from the main Cisco DNA Center cluster to a second
standby (recovery) Cisco DNA Center cluster.
Security Recommendation: We recommend that you enable Cisco DNA Center's Disaster Recovery Service,
to recover from a Cisco DNA Center cluster loss (or a data center loss) and maintain operational continuity.
The Cisco DNA Center recovery cluster contains all the essential data (Mongodb, Postgresql, credentials and
certificates, file service) replicated from the main Cisco DNA Center cluster, and takes over control in case
the main Cisco DNA Center cluster is lost. For more information, see "Configure Disaster Recovery" in the
Cisco DNA Center Administrator Guide.

Cisco DNA Center Security Best Practices Guide

7
 Disaster Recovery Ports

Note Disaster recovery uses IPsec tunneling to secure network traffic between disaster recovery systems (main,
recovery, and witness). Authentication to set up the IPsec tunneling between disaster recovery systems is done
through certificate-based authentication (OpenSSL certificates).
For the key-exchange phase of the IPsec protocol, IPsec tunneling uses the secure and robust IKE2 protocol.

Use a separate certificate (as from Cisco DNA Center system certificate for HTTPS connections) for Disaster
Recovery. For more information, see "Add Disaster Recovery Certificate" in the Cisco DNA Center
Administrator Guide.

Disaster Recovery Ports

If you are using disaster recovery in your production environment, see the following table to plan the firewall
and security policies you'll use to secure your disaster recovery setup. Ensure that the ports listed here are
open so that Cisco DNA Center has the access it requires to set up disaster recovery across your network's
data centers.

Source Source Destination Destination Description

Port Port
Any Cisco DNA Center TCP 443 Cisco DNA Center REST API Access
Enterprise IP/VIP Enterprise VIP

Any Cisco DNA Center UDP 500 Cisco DNA Center IPSec tunnel
Enterprise IP/VIP Enterprise VIP

Any Cisco DNA Center TCP 873 Cisco DNA Center Replication of GlusterFS data through rsync
Enterprise IP/VIP Enterprise VIP

Any Cisco DNA Center UDP 4500 Cisco DNA Center IPSec tunnel
Enterprise IP/VIP Enterprise VIP

Any Cisco DNA Center TCP 8300 Cisco DNA Center Consul RPC communication
Enterprise IP/VIP Enterprise VIP

Any Cisco DNA Center TCP 8301 Cisco DNA Center Consul SERF LAN port
Enterprise IP/VIP Enterprise VIP

Any Cisco DNA Center UDP 8301 Cisco DNA Center Consul SERF LAN port
Enterprise IP/VIP Enterprise VIP

Any Cisco DNA Center TCP 8302 Cisco DNA Center Consul SERF WAN port1
Enterprise IP/VIP Enterprise VIP

Any Cisco DNA Center UDP 8302 Cisco DNA Center Consul SERF WAN port1
Enterprise IP/VIP Enterprise VIP

Any Cisco DNA Center TCP 8443 Cisco DNA Center HA proxy API access 2
Enterprise IP/VIP Enterprise VIP

Any Cisco DNA Center UDP 500 Witness IP IPSec tunnel

Enterprise IP/VIP

Cisco DNA Center Security Best Practices Guide

8
 Disaster Recovery Ports

Source Source Destination Destination Description

Port Port
Any Cisco DNA Center TCP 2222 Witness IP TCP ping for witness reachability
Enterprise IP/VIP

Any Cisco DNA Center UDP 4500 Witness IP IPSec tunnel

Enterprise IP/VIP

Any Cisco DNA Center TCP 8300 Witness IP Consul RPC communication
Enterprise IP/VIP

Any Cisco DNA Center TCP 8301 Witness IP Consul SERF LAN port
Enterprise IP/VIP

Any Cisco DNA Center UDP 8301 Witness IP Consul SERF LAN port
Enterprise IP/VIP

Any Cisco DNA Center TCP 8302 Witness IP Consul SERF WAN port1
Enterprise IP/VIP

Any Cisco DNA Center UDP 8302 Witness IP Consul SERF WAN port1
Enterprise IP/VIP

Any Cisco DNA Center TCP 8443 Witness IP HA proxy API access 2
Enterprise IP/VIP

Any Cisco DNA Center TCP 179 Neighbor router BGP session with neighbor router
Enterprise/
Note Open this port if BGP is configured to
Management VIP
advertise the disaster recovery VIP.

Any Witness IP UDP 53 DNS Server From witness to DNS server

Any Witness IP UDP 123 NTP Server From witness to NTP server

Any Witness IP TCP 443 Cisco DNA Center Access APIs during disaster recovery registration
Enterprise VIP

Any Witness IP UDP 500 Cisco DNA Center IPSec tunnel

Enterprise VIP

Any Witness IP UDP 4500 Cisco DNA Center IPSec tunnel

Enterprise VIP

Any Witness IP TCP 8300 Cisco DNA Center Consul RPC communication
Enterprise VIP

Any Witness IP TCP 8301 Cisco DNA Center Consul SERF LAN port
Enterprise VIP

Any Witness IP UDP 8301 Cisco DNA Center Consul SERF LAN port
Enterprise VIP

Cisco DNA Center Security Best Practices Guide

9
 Secure Internet Access to Required Internet URLs and Fully Qualified Domain Names

Source Source Destination Destination Description

Port Port
Any Witness IP TCP 8302 Cisco DNA Center Consul SERF WAN port1
Enterprise VIP

Any Witness IP UDP 8302 Cisco DNA Center Consul SERF WAN port1
Enterprise VIP

Any Witness IP TCP 8443 Cisco DNA Center HA proxy API access 2
Enterprise VIP
1
This requirement will be removed in a future Cisco DNA Center release.
2
This requirement will be added in a future Cisco DNA Center release.

Secure Internet Access to Required Internet URLs and Fully Qualified Domain Names
Security Recommendation: We recommend that you allow secure access only to URLs and Fully Qualified
Domain Names required by Cisco DNA Center, through an HTTP(s) proxy.
For more information, see "Required Internet URLs and Fully Qualified Domain Names" and "Provide Secure
Access to the Internet" sections in the latest Cisco DNA Center Second-Generation Appliance Installation
Guide.

Secure the Management Interface

If you are using Cisco Integrated Management Controller (IMC), the first security action to perform on the
Cisco DNA Center appliance is to secure the out-of-band management interface (Cisco IMC) account. Change
the default password of the admin account to a stronger value as per the password policy. See "Enable Browser
Access to Cisco IMC" in the Cisco DNA Center Appliance Installation Guide and "Configure External
Authentication" in the Cisco DNA Center Administrator Guide.

Note You must secure the password of Maglev CLI users with super admin access. For details, see "Configure the
Primary Node" in the Cisco DNA Center Appliance Installation Guide.

Rate Limit IP Traffic to an Interface

Security Recommendation: We recommend that you rate limit the incoming IP traffic to Cisco DNA Center
from your network devices.
By default, Cisco DNA Center does not rate limit IP traffic to its interfaces. However, we recommend that
you rate limit the incoming IP traffic from a specific source IP or all the traffic to a Cisco DNA Center interface
(from a specific source IP or all the traffic) for protecting against DoS/DDoS attacks from internal network
threats.

Before you begin

You must have maglev SSH access privileges to perform this procedure.

Cisco DNA Center Security Best Practices Guide

10
 Change the Minimum TLS Version and Enable RC4-SHA (Not Secure)

Procedure

Step 1 Using an SSH client, log in to the Cisco DNA Center appliance with the IP address that you specified using
the configuration wizard.
The IP address that you must enter for the SSH client is the one you configured for the network adapter. This
IP address connects the appliance to the external network.

Step 2 When prompted, enter your username and password for SSH access.
Step 3 Enter the following command to restrict the incoming traffic from a specific source:
/opt/maglev/bin/throttle_ip [options]
Options
-h show this help text
-i IP to rate limit (default: 0.0.0.0 i.e. ALL traffic)
-c Committed Information Rate in KBps (default: 100 K Bps)
-n Interface number (Mandatory parameter)
-d delete the last config and move the NIC to default configuration
-a Insert the new IP (to be throttled) in the already build filter list
-s show the current filter

Note If you don’t enter a specific IP address, the full interface is throttled. The mandatory interface
name limits the input transmission rate for all classes of traffic based on user-defined criteria.
Examples
#To create a new filter list
./throttle_ip -i 192.0.2.105 -n enp0s8 -c 256

#To add a new IP with different bandwidth

./throttle_ip -a 192.0.2.106 -n enp0s8 -c 512

#To delete all the IP from the List

./throttle_ip -d -n enp0s8

#To show the filters

./throttle_ip -s -n enp0s8

Step 4 Log out of the Cisco DNA Center appliance.

Change the Minimum TLS Version and Enable RC4-SHA (Not Secure)
Security Recommendation: We recommend that you upgrade the minimum TLS version to TLSv1.2 for
incoming TLS connections to Cisco DNA Center.
Northbound REST API requests from an external network, such as northbound REST API-based apps,
browsers, and network devices connecting to Cisco DNA Center using HTTPS are made secure using the
Transport Layer Security (TLS) protocol.
By default, Cisco DNA Center supports TLSv1.1 and TLSv1.2, and does not support RC4 ciphers for SSL/TLS
connections. Since RC4 ciphers have well known weaknesses, we recommend that you upgrade the minimum
TLS version to TLSv1.2 if your network devices support it.
Cisco DNA Center provides a configuration option to downgrade the minimum TLS version and enable
RC4-SHA if your network devices under Cisco DNA Center control cannot support the existing minimum
TLS version (TLSv1.1) or ciphers. For security reasons, however, we recommend that you do not downgrade
Cisco DNA Center TLS version or enable RC4-SHA ciphers.

Cisco DNA Center Security Best Practices Guide

11
Change the Minimum TLS Version and Enable RC4-SHA (Not Secure)

To change the TLS version or enable RC4-SHA for Cisco DNA Center, log in to the corresponding appliance
and use the CLI.

Note CLI commands can change from one release to the next. The following CLI example uses command syntax
that might not apply to all Cisco DNA Center releases.

Before you begin

You must have maglev SSH access privileges to perform this procedure.

Note This security feature applies to port 443 on Cisco DNA Center. Performing this procedure may disable traffic
on the port to the Cisco DNA Center infrastructure for a few seconds. For this reason, you should configure
TLS infrequently and only during off-peak hours or during a maintenance period.

Procedure

Step 1 Using an SSH client, log in to the Cisco DNA Center appliance with the IP address that you specified using
the configuration wizard.
The IP address to enter for the SSH client is the IP address that you configured for the network adapter. This
IP address connects the appliance to the external network.

Step 2 When prompted, enter your username and password for SSH access.
Step 3 Enter the following command to check the TLS version currently enabled on the cluster.
The following is an example:
Input
$ magctl service tls_version --tls-min-version show
Output
TLS minimum version is 1.1

Step 4 If you want to change the TLS version on the cluster, enter the following commands. For example, you might
want to change the current TLS version to an earlier version if your network devices under Cisco DNA Center
control cannot support the existing TLS version.
The following example shows how to change from TLS Version 1.1 to 1.0:
Input
$ magctl service tls_version --tls-min-version 1.0
Output
Enabling TLSv1.0 is recommended only for legacy devices
Do you want to continue? [y/N]: y
WARNING: Enabling TLSv1.0 for api-gateway
deployment.extensions/kong patched

The following example shows how to change from TLS Version 1.1 to 1.2 (only allowed if you haven't enabled
RC4-SHA):
Input
$ magctl service tls_version --tls-min-version 1.2
Output
Enabling TLSv1.2 will disable TLSv1.1 and below

Cisco DNA Center Security Best Practices Guide

12
 Change the Minimum TLS Version and Enable RC4-SHA (Not Secure)

Do you want to continue? [y/N]: y

WARNING: Enabling TLSv1.2 for api-gateway
deployment.extensions/kong patched

Note Setting TLS Version 1.2 as the minimum version is not supported when RC4-SHA ciphers are
enabled.

Step 5 If you want to change the TLS version for streaming telemetry connections between Cisco DNA Center and
Catalyst 9000 devices (via the TCP 25103 port), enter the following command. For example, you might want
to change the current TLS version if the network devices Cisco DNA Center manages can support TLS version
1.2.
The following example shows how to change from TLS Version 1.1 to 1.2:
Input
$ magctl service tls_version --tls-min-version 1.2 -a assurance-backend collector-iosxe-db
Output
Enabling TLSv1.2 will disable TLSv1.1 and below
Do you want to continue? [y/N]: y
WARNING: Enabling TLSv1.2 for api-gateway
deployment.apps/collector-iosxe-db patched

Step 6 Enter the following command to enable RC4-SHA on a cluster (not secure; proceed only if needed).
Enabling RC4-SHA ciphers is not supported when TLS Version 1.2 is the minimum version.
The following example shows TLS version 1.2 is not enabled:
Input
$ magctl service ciphers --ciphers-rc4=enable kong
Output
Enabling RC4-SHA cipher will have security risk
Do you want to continue? [y/N]: y
WARNING: Enabling RC4-SHA Cipher for kong
deployment.extensions/kong patched

Step 7 Enter the following command at the prompt to confirm that TLS and RC4-SHA are configured.
The following is an example:
Input
$ magctl service display kong
Output
containers:
- env:
- name: TLS_V1
value: "1.1"
- name: RC4_CIPHERS
value: "true"

Note If RC4 and TLS minimum versions are set, they are listed in the env: of the magctl service
display kong command. If these values are not set, they do not appear in the env:.

Step 8 To disable the RC4-SHA ciphers that you enabled previously, enter the following command on the cluster:
Input
$ magctl service ciphers --ciphers-rc4=disable kong
Output
WARNING: Disabling RC4-SHA Cipher for kong
deployment.extensions/kong patched

Step 9 Log out of the Cisco DNA Center appliance.

Cisco DNA Center Security Best Practices Guide

13
 Use of OCSP and CRL for HTTPS Connections by Cisco DNA Center

Use of OCSP and CRL for HTTPS Connections by Cisco DNA Center
Cisco DNA Center uses Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) to
confirm that a remote certificate is not revoked.

Procedure

Step 1 Cisco DNA Center checks for OCSP. If a valid OCSP URI or URL is present in the Authority Information
Access (AIA) field of the certificate, Cisco DNA Center sends an OCSP request to the URI or URL to validate
its revocation status.
• If the certificate is revoked, Cisco DNA Center terminates the connection and returns an error.
• If the certificate is not revoked, proceed with the connection.
• If the connection times out, for example, in an air-gapped network, continue with the next step.
• If the connection reaches an unauthentic OCSP or CRL responder, Cisco DNA Center terminates the
connection and returns an error. If an Man in the Middle (MiTM) web proxy, such as Cisco Web Security
appliances (WSA), is used for internet - bound traffic, ensure that it is configured to permit the OCSP
and CRL URLs from Cisco DNA Center.

Step 2 Cisco DNA Center checks for CRL. If the certificate includes the CRL Distribute Points field, and that field
has at least one entry with a valid CRL URI or URL, Cisco DNA Center downloads the CRL from the URI
or URL, and validates the certificate against the downloaded CRL.
• If the certificate is revoked, Cisco DNA Center terminates the connection and returns an error.
• If the certificate is not revoked, proceed with the connection.
• If the connection times out, for example, in an air-gapped network, proceed with the connection, because
this is the final check, and there is no way to determine that the certificate is revoked.
• If the connection reaches an unauthentic OCSP or CRL responder, Cisco DNA Center terminates the
connection and returns an error. If an MiTM web proxy, such as Cisco WSA, is used for internet - bound
traffic, ensure that it is configured to permit the OCSP and CRL URLs from Cisco DNA Center.

Note Cisco DNA Center supports HTTP-type CRL or OCSP, and does not support the use of
Lightweight Directory Access Protocol (LDAP) CRL.
For example, while requesting a certificate for the remote system with Microsoft Certification
Authority, you can configure the CDP and AIA extensions to add the OCSP or HTTP URL and
remove the LDAP CRL. For details, see Configure the CDP and AIA Extensions on CA1.

Manage Credentials and Passwords

Cluster Password
Cisco DNA Center supports cluster formation with three nodes. For efficiency and security, we recommend
the following:

Cisco DNA Center Security Best Practices Guide

14
 Change Web UI Users and Linux or Maglev User Password

• The cluster should be created with dedicated separated interfaces for connecting to the enterprise network,
forming an intracluster network, and connecting to a dedicated management network.
• The intracluster network is created as an isolated Layer 2 segment and not connected or routed through
any other network segments.
• You should not reuse passwords (Cisco IMC or SSH) across the Cisco DNA Center cluster members.

SSH or Maglev Password Recovery

You must secure the SSH password. Share the SSH password only with the super admin. Cisco DNA Center
does not provide the functionality to recover the SSH password.
SSH Account Lockout and Recovery
After six consecutive failed login attempts over SSH, the maglev account will be temporarily locked for five
minutes from the time of last failed attempt. During this lockout period, login attempts with the correct
password will also fail, and be counted as a failed login. The account will be unlocked for SSH login only
after five minutes of no login activity. However, login using the Cisco IMC console will continue to work
even during the lockout period. The administrator can enable SSH login during the lockout period, by executing
the following command in the Linux shell:
sudo pam_tally2 --reset

Web UI Password Recovery

If a web UI user's password is lost, the password can be reset using the command-line shell, which requires
SSH or console access. See "Reset a Forgotten Password" in the Cisco DNA Center Administrator Guide.
Password Encryption
By default, Cisco DNA Center's pluggable authentication module (PAM) uses the SHA-512 hashing algorithm
to store and hash local user account passwords (the strongest method available for UNIX-based systems). No
user-configurable action is available for Cisco DNA Center’s password encryption mechanism.
Logs and Database Management
System logs are available to the operating system administrator user with escalated privileges (sudo access).
The application logs are stored in Elasticsearch, and can be accessed through the web UI after authentication.
The databases are protected by credentials, which are randomly generated during installation, and securely
passed to the applications that need database access. No user-configurable action is available to change these
settings.
Communication Protocol Payload Encryption
In clustered mode, Cisco DNA Center nodes communicate with each other through the intracluster network.
No separate encryption is applied to the intracluster traffic. It is important to keep the intracluster network
isolated.

Note Services that exchange sensitive data among themselves use HTTPS.

Change Web UI Users and Linux or Maglev User Password

Security Recommendation: We recommend that you regularly change Cisco DNA Center GUI user passwords
and Maglev user password.

Cisco DNA Center Security Best Practices Guide

15
 Manage Certificates

Procedure

Step 1 To change the Linux or Maglev user password, do the following:

a) Using an SSH client, log in to the Cisco DNA Center appliance with the IP address that you specified
using the configuration wizard. The IP address to enter for the SSH client is the IP address that you
configured for the network adapter.
b) When prompted, enter your username and password for SSH access.
c) Enter the following command:
Input
$ sudo maglev-config update

The Maglev configuration wizard's welcome screen opens.

d) Click next>> until you see the User Account Settings wizard screen.
e) Enter the maglev user's Linux password.
f) Click next>> until you see the CONFIGURATION SUCCEEDED! message.
Note For more information, see the "Configure the Appliance Using the Maglev Wizard" chapter
in the Cisco DNA Center Second-Generation Appliance Installation Guide.

Step 2 For changing the GUI user password, do the following:

Note that only you can change the password that you enter to log in to Cisco DNA Center. Even a user with
administrator privileges cannot change a user's password. If an administrator needs to change a user's password,
they must delete and re-add the user, using a new password.
a) Log in to Cisco DNA Center web UI.
b) Click the menu icon ( ) and choose System > Users & Roles > Change Password.
c) Enter information in the required fields and click Update.

Manage Certificates
Default Certificates
Security Recommendation: We recommend that you change the default Cisco DNA Center TLS certificate
with a certificate signed by your internal certificate authority.
By default, Cisco DNA Center uses self-signed certificates. Cisco DNA Center manages the devices using
the devices' self-signed certificates, unless otherwise deployed. We strongly recommend that you use a
certificate signed by your internal certificate authority during deployment.

Cisco DNA Center Security Best Practices Guide

16
 Certificate and Private Key Support

Note Changing the Cisco DNA Center certificate from either self-signed to certificate-signed by your internal CA
or from root CA to subordinate CA disrupts network operations. When this happens, network devices need
to establish trust with the new CA before connections can be established. The devices will then be automatically
reprovisioned with the new CA using device controllability.
Existing connections that have already been established are not impacted. However, if a connection is lost for
some reason (such as a power outage or reboot), network devices will need to establish trust with the new CA
before connections can be established.
As a result, we strongly recommend that you upgrade certificates before you begin the deployment.

Certificate and Private Key Support

Cisco DNA Center supports the PKI Certificate Management feature, which is used to authenticate sessions
(HTTPS). These sessions use commonly recognized trusted agents called CAs. Cisco DNA Center uses the
PKI Certificate Management feature to import, store, and manage X.509 certificates from your internal CA.
The imported certificate becomes an identity certificate for Cisco DNA Center, and Cisco DNA Center presents
this certificate to its clients for authentication. The clients are the northbound API applications and network
devices.
You can import the following files (in either PEM or PKCS file format) using the Cisco DNA Center GUI:
• X.509 certificate
• Private key

Note For the private key, Cisco DNA Center supports the import of RSA keys. Keep the private key secure in your
own key management system. The private key must have a minimum modulus size of 2048 bits.
With Cisco DNA Center 2.3.4.x and earlier, do not import DSA, DH, ECDH, and ECDSA key types, because
they are not supported. Cisco DNA Center 2.3.4.x and earlier does not support any form of ECDH and ECDSA,
which includes any leaf certificate tied to the certificate chain.
Cisco DNA Center 2.3.5 and later supports all key types.

Prior to import, you must obtain a valid X.509 certificate and private key issued by your internal CA and the
certificate must correspond to a private key in your possession. After import, the security functionality based
on the X.509 certificate and private key is automatically activated. Cisco DNA Center presents the certificate
to any device or application that requests it. Northbound API applications and network devices can use these
credentials to establish a trust relationship with Cisco DNA Center.

Note We recommend that you do not use and import a self-signed certificate to Cisco DNA Center. We recommend
that you import a valid X.509 certificate from your internal CA. Additionally, you must replace the self-signed
certificate (installed in Cisco DNA Center by default) with a certificate that is signed by your internal CA for
the Plug and Play functionality to work correctly.

Cisco DNA Center Security Best Practices Guide

17
 Certificate Chain Support

Cisco DNA Center supports only one imported X.509 certificate and private key at a time. When you import
a second certificate and private key, the latter overwrites the first (existing) imported certificate and private
key values.

Certificate Chain Support

Cisco DNA Center is able to import certificates and private keys through its GUI. If subordinate certificates
are involved in a certificate chain, leading to the certificate that is to be imported into Cisco DNA Center
(signed certificate), both the subordinate certificates as well as the root certificate of these subordinate CAs
must be appended together into a single file in order to be imported. When appending these certificates, you
must append them in the same order as the actual chain of certification.
The following certificates should be pasted together into a single PEM file. Review the certificate subject
name and issuer to ensure that the correct certificates are being imported and correct order is maintained.
Ensure that all of the certificates in the chain are pasted together.
• Signed Cisco DNA Center certificate: Its Subject field includes CN=<FQDN of Cisco DNA Center>,
and the issuer has the CN of the issuing authority.

Note If you install a third-party certificate, ensure that the certificate specifies all of
the DNS names (including the Cisco DNA Center FQDN) that are used to access
Cisco DNA Center in the alt_names section. For more information, see Step 2
in Generate a Certificate Request Using OpenSSL, on page 18.

• Issuing (subordinate) CA certificate that issues the Cisco DNA Center certificate: Its Subject field
has CN of the (subordinate) CA that issues the Cisco DNA Center certificate, and the issuer is that of
the root CA.
• Next issuing (root/subordinate CA) certificate that issues the subordinate CA certificate: Its Subject
field is the root CA, and the issuer has the same value as the Subject field. If they are not the same, you
must append the next issuer, and so on.

Generate a Certificate Request Using OpenSSL

OpenSSL is often used to create certificate signing requests (CSR) and private keys. There's an OpenSSL
version for most platforms, including Windows, Linux, and Mac. Using OpenSSL, you will generate a
certificate on your computer and then upload it to Cisco DNA Center. Before you complete the following
procedure, install the OpenSSL version that's specific to your platform.

Note Refer to the following URL for a description of the most commonly used OpenSSL commands:
https://www.sslshopper.com/article-most-common-openssl-commands.html.

Procedure

Step 1 Ensure that the Cisco DNA Center hostname (FQDN) is set during Cisco DNA Center configuration by
entering the maglev cluster network display command. You must have root privileges to run this command:

Cisco DNA Center Security Best Practices Guide

18
 Generate a Certificate Request Using OpenSSL

Input
$ maglev cluster network display
Output
cluster_network:
cluster_dns: 169.254.20.10
cluster_hostname: fqdn.cisco.com

If the cluster_hostname output field is empty or is not what you want, add or change the Cisco DNA Center
hostname (FQDN) by entering the sudo maglev-config update command, as shown in the following example.
You must have root privileges to run this command.
Input
$ sudo maglev-config update
Output
Maglev config wizard GUI

Click Next until you see the step titled MAGLEV CLUSTER DETAILS containing the input prompt
Cluster's hostname. Set the hostname to the desired Cisco DNA Center FQDN. Click Next and Proceed
until Cisco DNA Center is reconfigured with the new FQDN.

Step 2 Using a text editor of your choice, create a file named openssl.cnf. Use the following example as your
guide, but adjust it to fit your deployment:
• Adjust default_bits and default_md if your certificate authority admin team requires 2048/sha256
instead.
• Specify values for every field in the req_distinguished_name and alt_names sections. The only exception
is the OU field, which is optional. Omit the OU field if your certificate authority admin team does not
require it.
• The emailAddress field is optional; omit it if your certificate authority admin team does not require it.
• alt_names section: The certificate configuration requirements vary depending on the Cisco DNA Center
version.
Limited support of FQDNs in the Cisco DNA Center certificate is available from Cisco DNA Center
2.1.1 onwards. However, FQDN support in the Cisco DNA Center certificate is not currently available
for LAN automation. If you plan to use LAN automation, you cannot use an FQDN-only certificate (even
from Cisco DNA Center 2.1.1 onwards).
For Cisco DNA Center versions earlier than 2.1.1 (and if you plan to use LAN automation in Cisco DNA
Center versions 2.1.1 and later), you need a certificate with IP addresses defined in the Subject Alternative
Name (SAN) field. See, Cisco DNA Center versions earlier than 2.1.1, and Cisco DNA Center
versions 2.1.1 onwards if you plan to use LAN automation bullet point mentioned below for guidance
regarding the alt_names section in this scenario.
The alt_names section configurations for Cisco DNA Center versions 2.1.1 and later (without LAN
automation support) are as follows.
Note For security reasons, we recommend that you only use FQDNs in the Cisco DNA Center
certificate (limited FQDN support is available from Cisco DNA Center 2.1.1 onwards without
LAN automation). If you want to use IP addresses instead of FQDNs in the certificate (or
need to because you are using LAN automation), complete the steps described in the Cisco
DNA Center versions earlier than 2.1.1, and Cisco DNA Center versions 2.1.1 onwards
if you plan to use LAN automation bullet point, ensuring that you enter IP addresses in
the SAN fields.

• Cisco DNA Center versions 2.1.1 and later (without LAN automation support):

Cisco DNA Center Security Best Practices Guide

19
Generate a Certificate Request Using OpenSSL

Pay close attention to the alt_names section, which must contain all DNS names (including the
Cisco DNA Center FQDN) that are used to access Cisco DNA Center, either by a web browser or
by an automated process such as PnP or Cisco ISE.
The first DNS entry in the alt_names section should contain Cisco DNA Center's FQDN (DNS.1
= FQDN-of-Cisco-DNA-Center). You cannot add a wildcard DNS entry in place of Cisco DNA
Center's FQDN, but you can use a wildcard in subsequent DNS entries in the alt-names section
(for PnP and other DNS entries). For example, *.domain.com is a valid entry.
Important • For Cisco DNA Center 2.1.1 and later, FQDN support is not available for LAN
automation.
• For Cisco DNA Center 2.1.1 and later, if the certificate only contains FQDNs, the
DHCP pool on the seed device needs to be edited in order for PnP to work. For
guidance, see the following information in Cisco DNA Center User Guide's
"Provision Your Network" chapter:
• PnP: At the end of the "DHCP Controller Discovery" topic, see the
information that begins with the following text: "If the Cisco DNA Center
system certificate has an FQDN-only SAN field....

• The alt_names section must contain FQDN-of-Cisco-DNA-Center as a DNS entry, and must match
the Cisco DNA Center hostname (FQDN) that is set during Cisco DNA Center configuration through
the configuration wizard (in the Cluster's hostname input field).
Cisco DNA Center currently supports only one hostname (FQDN) for all interfaces. If you are using
both the management port and the enterprise port in Cisco DNA Center to connect devices to Cisco
DNA Center in your network, you must configure the GeoDNS policy such that it resolves to the
management IP or virtual IP and enterprise IP/virtual IP for the Cisco DNA Center hostname (FQDN)
based on the network from which the DNS query is received. Setting up a GeoDNS policy is not
required if you are using only the enterprise port in Cisco DNA Center to connect devices to Cisco
DNA Center in your network.
Note If you have enabled disaster recovery for Cisco DNA Center:
• If you are using virtual IPs for Disaster Recovery, you must use the same cluster_hostname,
that is, the FQDN for Cisco DNA Center (set in Cisco DNA Center configuration wizard), in
both main and recovery clusters. Also, you must configure the GeoDNS policy such that it
resolves the disaster recovery management virtual IP and the disaster recovery enterprise virtual
IP for the Cisco DNA Center hostname (FQDN), based on the network from which the DNS
query is received. Setting up a GeoDNS policy is only required if you are using both the
management port and the enterprise port in Cisco DNA Center to connect devices to Cisco
DNA Center in your network. Certificate alt_names sections look similar to the following::
[alt_names]
DNS.1 = FQDN-of-Cisco-DNA-Center

• If you are not using virtual IPs for Disaster Recovery, you must use different cluster_hostnames,
that is the FQDNs for Cisco DNA Center in an enterprise network (set in Cisco DNA Center
configuration wizard), in both the main and recovery clusters. Also, you must configure a
GeoDNS policy such that it resolves the disaster recovery management IP and the disaster
recovery enterprise IP for the Cisco DNA Center hostname (FQDN) based on the network
from which the DNS query is received, for both the main and recovery clusters. Setting up a
GeoDNS policy is only required if you are using both the management and the enterprise port

Cisco DNA Center Security Best Practices Guide

20
 Generate a Certificate Request Using OpenSSL

in Cisco DNA Center for connecting devices to Cisco DNA Center in your network. Certificate
alt_names sections look similar to the following:
[alt_names]
DNS.1 = FQDN-of-Cisco-DNA-Center-Main
DNS.2 = FQDN-of-Cisco-DNA-Center-Recovery

For more information, see "Implement Disaster Recovery Certificate" in the Cisco DNA Center
Administrator Guide.

• Cisco DNA Center versions earlier than 2.1.1, and Cisco DNA Center versions 2.1.1 onwards
if you plan to use LAN automation:
Pay close attention to the alt_names section, which must contain all the IP addresses and DNS
names that are used to access Cisco DNA Center, either by a web browser or by an automated
process such as PnP or Cisco ISE. (The following example assumes a three-node Cisco DNA Center
cluster. If you have a standalone device, use SANs for only that node and the VIP. If you cluster
the device later, you might want to re-create the certificate to include the IP addresses of the new
cluster members.)

• If a cloud interface is not configured, omit the cloud port fields:

• In the extendedKeyUsage extension, the attributes serverAuth and clientAuth are mandatory. If
you omit either attribute, Cisco DNA Center rejects the SSL certificate.
• If you are importing a self-signed certificate (not recommended), it must contain the X.509 Basic
Constraints "CA:TRUE" extension, and the keyUsage extension must include keyCertSign.

Example of openssl.cnf (applicable for Cisco DNA Center versions 2.1.1 and later, without LAN automation
support)
req_extensions = v3_req
distinguished_name = req_distinguished_name
default_bits = 4096
default_md = sha512
prompt = no
[req_distinguished_name]
C = <two-letter-country-code>
ST = <state-or-province>
L = <city>
O = <company-name>
OU = MyDivision
CN = FQDN-of-Cisco-DNA-Center
emailAddress = responsible-user@mycompany.tld

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = FQDN-of-Cisco-DNA-Center
DNS.2 = pnpserver.DomainAssignedByDHCPDuringPnP.tld
DNS.3 = *.domain.com

Example of openssl.cnf (applicable for Cisco DNA Center versions earlier than 2.1.1, and Cisco DNA Center
versions 2.1.1 onwards if you plan to use LAN automation)
req_extensions = v3_req
distinguished_name = req_distinguished_name

Cisco DNA Center Security Best Practices Guide

21
Generate a Certificate Request Using OpenSSL

default_bits = 4096
default_md = sha512
prompt = no
[req_distinguished_name]
C = <two-letter-country-code>
ST = <state-or-province>
L = <city> O = <company-name>
OU = MyDivision
CN = FQDN-of-Cisco-DNA-Center
emailAddress = responsible-user@mycompany.tld
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = FQDN-of-Cisco-DNA-Center
DNS.2 = pnpserver.DomainAssignedByDHCPDuringPnP.tld
IP.1 = Enterprise port IP node #1
IP.2 = Enterprise port IP node #2
IP.3 = Enterprise port IP node #3
IP.4 = Enterprise port VIP
IP.5 = Cluster port IP node #1
IP.6 = Cluster port IP node #2
IP.7 = Cluster port IP node #3
IP.8 = Cluster port VIP
IP.9 = GUI port IP node #1
IP.10 = GUI port IP node #2
IP.11 = GUI port IP node #3
IP.12 = GUI port VIP
IP.13 = Cloud port IP node #1
IP.14 = Cloud port IP node #2
IP.15 = Cloud port IP node #3
IP.16 = Cloud port VIP

Note If you don’t include the cluster IP addresses in the openssl.cnf file, you cannot schedule software
image activation. To fix this problem, add the cluster IP addresses as SANs to the certificate.

Step 3 Enter the following command to create a private key. Adjust the key length to 2048 if required by your
certificate authority admin team.
openssl genrsa -out csr.key 4096

Step 4 After populating the fields in the openssl.cnf file, use the private key that you created in the preceding step
to generate the Certificate Signing Request:
openssl req -config openssl.cnf -new -key csr.key -out DNAC.csr

Step 5 Verify the Certificate Signing Request content and ensure that the DNS names (and IP addresses for Cisco
DNA Center version earlier than 2.1.1) are populated correctly in the subjectAltName field..
openssl req -text -noout -verify -in DNAC.csr

Step 6 Copy the Certificate Signing Request and paste it to a CA, for example, MS CA:

Cisco DNA Center Security Best Practices Guide

22
 Generate a Certificate Request Using OpenSSL

Ensure that the certificate template you choose is configured for both client and server authentication (as
illustrated in the extendedKeyUsage line in Step 2's openssl.cnf file example).

Step 7 Proceed to gather the issued certificate and its issuer CA chain.
Step 8 If the certificate issuer provides the certificate full chain (server and CA) in p7b, do the following:
a) Download the p7b bundle in DER format and save it as dnac-chain.p7b.
b) Copy the dnac-chain.p7b certificate to the Cisco DNA Center cluster through SSH.
c) Enter the following command:
openssl pkcs7 -in dnac-chain.p7b -inform DER -out dnac-chain.pem -print_certs

Step 9 If the certificate issuer provides the certificate and its issuer CA chain in loose files, do the following:
a) Gather the PEM (base64) files or use openssl to convert DER to PEM.
b) Concatenate the certificate and its issuer CA, starting with the certificate, followed by the subordinate
CA, all the way to the root CA, and output it to dnac-chain.pem file.
cat certificate.pem subCA.pem rootCA.pem > dnac-chain.pem

Step 10 Import the csr.key and dnac-chain.pem files to Cisco DNA Center:
a) Click the menu icon ( ) and choose System > Settings > System Certificates.
b) Click Replace Certificate.
c) In the Certificate area, click the PEM radio button and perform the following tasks.
1. In the Certificate area, import the dnac-chain.pem file by dragging and dropping this file into the
Drag n' Drop a File Here field.

Cisco DNA Center Security Best Practices Guide

23
 Update the Cisco DNA Center Server Certificate

2. In the Private Key area, import the private key (csr.key) by dragging and dropping this file into the
Drag n' Drop a File Here field.
3. Choose No from the Encrypted drop-down list for the private key.

d) Click Upload/Activate.

Update the Cisco DNA Center Server Certificate

Cisco DNA Center supports the import and storage of an X.509 certificate and private key into Cisco DNA
Center. After import, the certificate and private key can be used to create a secure and trusted environment
between Cisco DNA Center, northbound API applications, and network devices.
You can import a certificate and a private key using the Certificates window in the GUI.

Before you begin

You must obtain a valid X.509 certificate that is issued by your internal CA and the certificate must correspond
to a private key in your possession.

Cisco DNA Center Security Best Practices Guide

24
 Update the Cisco DNA Center Server Certificate

Procedure

Step 1 Click the menu icon ( ) and choose System > Settings > Trust & Privacy > System Certificates.
Step 2 In the System tab, view the current certificate data.
When you first view this window, the current certificate data that is displayed is the Cisco DNA Center
self-signed certificate. The self-signed certificate's expiry is set for several years in the future.
Note The expiration date and time is displayed as a Greenwich Mean Time (GMT) value. A system
notification is displayed in the Cisco DNA Center GUI two months before the certificate expires.

The System tab displays the following fields:

• Current Certificate Name: Name of the current certificate.
• Issuer: Name of the entity that has signed and issued the certificate.
• Authority: Either self-signed or the name of the CA.
• Expires: Expiry date of the certificate.

Step 3 In the System Certificates window, click Replace Certificate.

In Cisco DNA Center 2.3.2 and later, you will see the Generate New CSR link if you are generating the CSR
for the first time. Otherwise, you will see the Download existing CSR link. You can download the existing
CSR and submit it to your provider to generate your certificate. If you don't want to use the existing CSR,
click Delete existing CSR and click Accept in the subsequent Confirmation window. You can now see the
Generate New CSR link.

Step 4 Click the Generate New CSR link.

Step 5 In the Certificate Signing Request Generator window, provide information in the required fields.
Step 6 Click Generate New CSR.
The generated new CSR is downloaded automatically.
The Certificate Signing window shows the CSR properties and allows you to do the following:
• Copy the CSR properties in plain text.
• Copy Base64 and paste to MS CA.
• Download Base64.

Step 7 (Optional) Check the Use system certificate for Disaster Recovery as well check box if you want to use the
same certificate for disaster recovery.
Step 8 Choose the file format type for the certificate that you are importing into Cisco DNA Center:
• PEM: Privacy-enhanced mail file format.
• PKCS: Public-Key Cryptography Standard file format.
Note PKCS file type is disabled if you choose the Generate New CSR option to request a
certificate.

Cisco DNA Center Security Best Practices Guide

25
Update the Cisco DNA Center Server Certificate

Step 9 Confirm that the certificate issuer provides the certificate full chain (server and CA) in p7b. When in doubt,
do the following to examine and assemble the chain:
a) Download the p7b bundle in DER format and save it as dnac-chain.p7b.
b) Copy the dnac-chain.p7b certificate to the Cisco DNA Center cluster through SSH.
c) Enter the following command:
openssl pkcs7 -in dnac-chain.p7b -inform DER -out dnac-chain.pem -print_certs

d) Confirm that all certificates are accounted for in the output, with the issuer and Cisco DNA Center
certificates included. Continue to upload as PEM. If the certificates are in loose files, complete the next
step to download and assemble the individual files.
Step 10 If the certificate issuer provides the certificate and its issuer CA chain in loose files, do the following:
a) Gather the PEM (base64) files or use openssl to convert DER to PEM.
b) Concatenate the certificate and its issuer CA, starting with the certificate, followed by subordinate CA,
all the way to the root CA, and output it to dnac-chain.pem file.
cat certificate.pem subCA.pem rootCA.pem > dnac-chain.pem
c) Continue to upload as PEM.
Step 11 For a PEM file, perform the following tasks:
• Import the PEM file by dragging and dropping the file into the Drag and Drop area.
Note A PEM file must have a valid PEM format extension (.pem). The maximum file size for the
certificate is 10 MB.
After the upload succeeds, the system certificate is validated.

• Import the Private Key by dragging and dropping the file into the Drag and Drop area. (If you used the
Generate New CSR link, there is no private key to import; the private key is stored within Cisco DNA
Center.)
Note Private keys must have a valid private key format extension (.key). The maximum file size
for the private key is 10 MB.
After the upload succeeds, the private key is validated.

• Choose the encryption option from the Encrypted area for the private key.
• If you choose encryption, enter the password for the private key in the Password field.

Step 12 For a PKCS file, perform the following tasks:

• Import the PKCS file by dragging and dropping the file into the Drag and Drop area.
Note A PKCS file must have a valid PKCS format extension (.pfx or .p12). The maximum file
size for the certificate is 10 MB.
After the upload succeeds, the system certificate is validated.

• Enter the passphrase for the certificate in the Password field.

Note For PKCS, the imported certificate also requires a passphrase.

• For the Private Key field, choose the encryption option for the private key.

Cisco DNA Center Security Best Practices Guide

26
 PKI Certificate Authority

• For the Private Key field, if encryption is chosen, enter the password for the private key in the Password
field.

Step 13 Click Save.

Note After the Cisco DNA Center server’s SSL certificate is replaced, you are automatically logged
out, and must log in again.

Step 14 Return to the Certificates window to view the updated certificate data.
The information displayed in the System tab should have changed to reflect the new certificate name, issuer,
and the certificate authority.

PKI Certificate Authority

Clients looking to establish an HTTPS connection with Cisco DNA Center use its server CA in order to
confirm its identity and complete authentication. In addition to the server CA, Cisco DNA Center also makes
use of a public key infrastructure (PKI) CA (configured as either a root or subordinate CA) to establish client
connections. When used, the PKI CA gives you the option of using a different realm trust (signing CA) than
the one associated with Cisco DNA Center’s server CA.

Change the Role of the PKI Certificate from Root to Subordinate

The device PKI CA, a private CA that is provided by Cisco DNA Center, manages the certificates and keys
used to establish and secure server-client connections. To change the role of the device PKI CA from a root
CA to a subordinate CA, complete the following procedure.
You can change the role of the private (internal) Cisco DNA Center CA from a root CA to a subordinate CA
using the PKI Certificate Management window in the GUI. When making this change, do the following:
• If you intend to have Cisco DNA Center act as a subordinate CA, it is assumed that you already have a
root CA, for example, Microsoft CA, and you are willing to accept Cisco DNA Center as a subordinate
CA.
• As long as the subordinate CA is not fully configured, Cisco DNA Center continues to operate as an
internal root CA.
• You must generate a Certificate Signing Request file for Cisco DNA Center (as described in the following
procedure) and have it manually signed by your external root CA.

Note Cisco DNA Center continues to run as an internal root CA during this time period.

• After the Certificate Signing Request is signed by the external root CA, this signed file must be imported
back into Cisco DNA Center using the GUI (as described in the following procedure).
After the import, Cisco DNA Center initializes itself as the subordinate CA and provides all the existing
functionalities of a subordinate CA.
• If device controllability is enabled (which is the default) before the switchover from the internal root CA
to the subordinate CA, the new device certificate is updated automatically.
• The subordinate CA certificate lifetime, as displayed in the GUI, is just read from the certificate; it is
not computed against the system time. Therefore, if you install a certificate with a lifespan of 1 year

Cisco DNA Center Security Best Practices Guide

27
Change the Role of the PKI Certificate from Root to Subordinate

today and look at it in the GUI the same time next year, the GUI will still show that the certificate has a
1-year lifetime.
• The subordinate CA certificate must be in PEM or DER format only.
• The subordinate CA does not interact with the higher CAs; therefore, it is not aware of revocation, if
any, of the certificates at a higher level. Because of this, any information about certificate revocation is
also not communicated from the subordinate CA to the network devices. Because the subordinate CA
does not have this information, all the network devices use only the subordinate CA as the Cisco Discovery
Protocol (CDP) source.

Before you begin

You must have a copy of the root CA certificate.

Procedure

Step 1 Click the menu icon ( ) and choose System > Settings > PKI Certificate.
Step 2 Click the CA Management tab.
Step 3 Review the existing root or subordinate CA certificate configuration information from the GUI:
• Root CA Certificate: Displays the current root CA certificate (either external or internal).
• Root CA Certificate Lifetime: Displays the current lifetime value of the current root CA certificate, in
days.
• Current CA Mode: Displays the current CA mode (root CA or subordinate CA).
• Sub CA Mode: Enables a change from a root CA to a subordinate CA.

Step 4 In the CA Management tab, check the Sub CA Mode check box.
Step 5 Click Next.
Step 6 Review the warnings that are displayed:
For example,
• Changing from root CA to subordinate CA is a process that cannot be reversed.
• You must ensure that no network devices have been enrolled or issued a certificate in root CA mode.
Network devices that have been accidentally enrolled in root CA mode must be revoked before changing
from root CA to subordinate CA.
• Network devices must come online only after the subordinate CA configuration process finishes.

Step 7 Click OK to proceed.

The PKI Certificate Management window displays the Import External Root CA Certificate field.

Step 8 Drag and drop your root CA certificate into the Import External Root CA Certificate field and click Upload.
The root CA certificate is uploaded into Cisco DNA Center and used to generate a Certificate Signing Request.
After the upload process finishes, a Certificate Uploaded Successfully message is displayed.

Cisco DNA Center Security Best Practices Guide

28
 Provision a Rollover Subordinate CA Certificate

Step 9 Click Next.

Cisco DNA Center generates and displays the Certificate Signing Request.

Step 10 View the Cisco DNA Center-generated Certificate Signing Request in the GUI and perform one of the following
actions:
• Click the Download link to download a local copy of the Certificate Signing Request file.
You can then attach this Certificate Signing Request file to an email to send to your root CA.
• Click the Copy to the Clipboard link to copy the Certificate Signing Request file's content.
You can then paste this Certificate Signing Request content to an email or include it as an attachment to
an email and send it to your root CA.

Step 11 Send the Certificate Signing Request file to your root CA.
Your root CA will then return a subordinate CA file, which you must import back into Cisco DNA Center.

Step 12 After receiving the subordinate CA file from your root CA, access the Cisco DNA Center GUI again and
return to the PKI Certificate Management window.
Step 13 Click the CA Management tab.
Step 14 Click Yes for the Change CA mode button.
After clicking Yes, the GUI view with the Certificate Signing Request is displayed.

Step 15 Click Next.

The PKI Certificate Management window displays the Import Sub CA Certificate field.

Step 16 Drag and drop your subordinate CA certificate into the Import Sub CA Certificate field and click Apply.
The subordinate CA certificate is uploaded into Cisco DNA Center.
After the upload finishes, the GUI displays the subordinate CA mode under the CA Management tab.

Step 17 Review the fields under the CA Management tab:

• Sub CA Certificate: Displays the current subordinate CA certificate.
• External Root CA Certificate: Displays the root CA certificate.
• Sub CA Certificate Lifetime: Displays the lifetime value of the subordinate CA certificate, in days.
• Current CA Mode: Displays SubCA mode.

Provision a Rollover Subordinate CA Certificate

Cisco DNA Center lets you apply a subordinate certificate as a rollover subordinate CA when 70 percent of
the existing subordinate CA lifetime has elapsed.

Cisco DNA Center Security Best Practices Guide

29
Provision a Rollover Subordinate CA Certificate

Before you begin

• To initiate subordinate CA rollover provisioning, you must have changed the PKI certificate role to
subordinate CA mode. See Change the Role of the PKI Certificate from Root to Subordinate, on page
27.
• 70 percent or more of the lifetime of the current subordinate CA certificate must have expired. When
this occurs, Cisco DNA Center displays a Renew button under the CA Management tab.
• You must have a signed copy of the rollover subordinate CA PKI certificate.

Procedure

Step 1 Click the menu icon ( ) and choose System > Settings > Trust & Privacy > PKI Certificate.
Step 2 Click the CA Management tab.
Step 3 Review the CA certificate configuration information:
• Subordinate CA Certificate: Displays the current subordinate CA certificate.
• External Root CA Certificate: Displays the root CA certificate.
• Subordinate CA Certificate Lifetime: Displays the lifetime value of the current subordinate CA
certificate, in days.
• Current CA Mode: Displays SubCA mode.

Step 4 Click Renew.

Cisco DNA Center uses the existing subordinate CA to generate and display the rollover subordinate CA
Certificate Signing Request.

Step 5 View the generated Certificate Signing Request in the GUI and perform one of the following actions:
• Click the Download link to download a local copy of the Certificate Signing Request file.
You can then attach this Certificate Signing Request file to an email to send it to your root CA.
• Click the Copy to the Clipboard link to copy the content of the Certificate Signing Request file.
You can then paste this Certificate Signing Request content to an email or include it as an attachment to
an email and send it to your root CA.

Step 6 Send the Certificate Signing Request file to your root CA.
Your root CA will then return a rollover subordinate CA file that you must import back into Cisco DNA
Center.
The Certificate Signing Request for the subordinate CA rollover must be signed by the same root CA who
signed the subordinate CA you imported when you switched from RootCA mode to SubCA mode.

Step 7 After receiving the rollover subordinate CA file from your root CA, return to the PKI Certificate Management
window.
Step 8 Click the CA Management tab.
Step 9 Click Next in the GUI in which the Certificate Signing Request is displayed.

Cisco DNA Center Security Best Practices Guide

30
 Configure the Device Certificate Lifetime

The PKI Certificate Management window displays the Import Sub CA Certificate field.

Step 10 Drag and drop your subordinate rollover CA certificate into the Import Sub CA Certificate field and click
Apply.
The rollover subordinate CA certificate is uploaded into Cisco DNA Center.
After the upload finishes, the GUI changes to disable the Renew button under the CA Management tab.

Configure the Device Certificate Lifetime

Cisco DNA Center lets you change the certificate lifetime of network devices that are managed and monitored
by the private (internal) Cisco DNA Center CA. The Cisco DNA Center default value for the certificate
lifetime is 365 days. After the certificate lifetime value is changed using the Cisco DNA Center GUI, network
devices that subsequently request a certificate from Cisco DNA Center are assigned this lifetime value.

Note The device certificate lifetime value cannot exceed the CA certificate lifetime value. Additionally, if the
remaining lifetime of the CA certificate is less than the configured device's certificate lifetime, the device gets
a certificate lifetime value that is equal to the remaining CA certificate lifetime.

Procedure

Step 1 Click the menu icon ( ) and choose System > Settings > Trust & Privacy > Device Certificate.
Step 2 Review the device certificate and the current device certificate lifetime.
Step 3 In the Device Certificate window, click Modify.
Step 4 In the Device Certificate Lifetime dialog box, enter a new value, in days.
Step 5 Click Save.

Cisco DNA Center Trustpool Support

Cisco DNA Center and Cisco IOS devices support a special PKI certificate store known as trustpool. The
trustpool holds X.509 certificates that identify trusted CAs. Cisco DNA Center and the devices in the network
use the trustpool bundle to manage trust relationships with each other and with these CAs. Cisco DNA Center
manages this PKI certificate store, and an administrator (ROLE_ADMIN) has the ability to update it through
the Cisco DNA Center GUI when the certificates in the pool are due to expire, are reissued, or must be changed
for other reasons.

Note Cisco DNA Center also uses the trustpool functionality to determine whether any certificate file that is uploaded
through its GUI is a valid trustpool CA-signed certificate.

Cisco DNA Center contains a preinstalled, default Cisco-signed trustpool bundle named ios.p7b. This trustpool
bundle is trusted by supported Cisco network devices natively, because it is signed with a Cisco digital signing
certificate. This trustpool bundle is critical for the Cisco network devices to establish trust with services and

Cisco DNA Center Security Best Practices Guide

31
 Check the Certificate on the PnP Server

applications that are genuine. This Cisco PKI trustpool bundle file is available at https://www.cisco.com/
security/pki/.
To access the Cisco DNA Center PnP functionality, the supported Cisco devices that are being managed and
monitored by Cisco DNA Center should import the Cisco PKI trustpool bundle file. When the supported Cisco
devices boot for the first time, they contact Cisco DNA Center to import this file.
The Cisco DNA Center trustpool management feature operates in the following manner:
1. You boot the Cisco devices that support the PnP functionality within your network.
Note that not all Cisco devices support PnP. See the Cisco DNA Center Compatibility Matrix for a list of
supported Cisco devices.
2. As part of the initial PnP flow, the supported Cisco devices download a trustpool bundle directly from
Cisco DNA Center using HTTP.
3. The Cisco devices are now ready to interact with Cisco DNA Center to obtain further device configuration
and provisioning according to the PnP traffic flows.
Note that if an HTTP proxy gateway exists between Cisco DNA Center and these Cisco devices, you must
import the proxy gateway certificate into Cisco DNA Center.

Note At times, you might need to update the trustpool bundle to a newer version due to some certificates in the
trustpool expiring, being reissued, or for other reasons. Whenever the trustpool bundle needs to be updated,
update it by using the Cisco DNA Center GUI. Cisco DNA Center can access the Cisco cloud (where the
Cisco-approved trustpool bundles are located) and download the latest trustpool bundle. After download,
Cisco DNA Center then overwrites the current or older trustpool bundle file. As a best practice, update the
trustpool bundle before importing a new certificate from a CA.

Check the Certificate on the PnP Server

This section explains how to check the certificate on the PnP agent of Cisco IOS and Cisco IOS XE devices
during a zero-touch deployment.
The certificate provided by the PnP server must contain a valid Subject Alternative Name (SAN) field to
verify the server identity.
The check is applied to the server's DNS name or the IP address that is used in the PnP profile settings:
pnp profile SOME_NAME
transport https ipv4 IP_ADDRESS port 443

pnp profile SOME_NAME

transport https host DNS_NAME port 443

The enforcement is applied by comparing the SAN field of the certificate to the value used in the PnP profile
that is configured on the device.
The following table summarizes the enforcement applied:

PnP Profile Configuration Certificate Enforcement

DHCP Option-43 or Option-17 discovery of the PnP The SAN field of the server certificate must contain the explicit IPv4 or IPv6
server using an explicit IPv4 or IPv6 address address used in Option-43 or Option-17.

Cisco DNA Center Security Best Practices Guide

32
 Check the Certificate on the PnP Server

PnP Profile Configuration Certificate Enforcement

DHCP Option-43 or Option-17 discovery of the PnP The SAN field of the server certificate must contain the specific DNS name.
server using a DNS name

DNS discovery of the PnP server The SAN field of the server certificate must contain pnpserver.<local-domain>.

Cisco.com discovery of the PnP Server One of the following conditions is applicable:
• The SAN field of the server certificate must contain the explicit IP address
if an IP address is used in the cloud redirection profile configuration.
• The SAN field of the server certificate must contain the specific DNS
name if a DNS name is used in the cloud redirection profile configuration.

Day-2 (manual configuration) PnP profile creation The SAN field of the server certificate must contain either the IP address or
the DNS name that is used in the PnP profile configuration.

We recommend that you use a discovery method based on the DNS name because the functionality is not
affected by changes to the IP address.

Procedure

Step 1 Use the PnP server logs to diagnose the problem. Check whether the HTTPS connection is established with
the device after the trustpoint is installed on the device.
The PnP server logs show that the device moves from the CERTIFICATE_INSTALL_REQUESTED stage
to the FILESYSTEM_INFO_REQUESTED stage, but no further progress is made. For example:
2018-11-28 12:05:40,711 | INFO | qtp226594800-88458 | |
com.cisco.enc.pnp.state.ZtdState |
Device state has changed from CERTIFICATE_INSTALL_REQUESTED to FILESYSTEM_INFO_REQUESTED |

sn=SOME_SN, address=SOME_IP

Thereafter, PnP provisioning fails with an error that is similar to the following:
2018-11-28 12:25:56,289 | ERROR | eHealthCheckFirstBucket-2 | |
c.c.e.z.impl.ZtdHistoryServiceImpl |
Failed health check since device is stuck in non-terminal state FILESYSTEM_INFO_REQUESTED
for more than threshold time:
0 hours, 16 minutes, 0 seconds | sn=SOME_SN

Step 2 For device-side debugging, use the following recommended outputs to determine whether the issue is related
to the server ID check:
debug crypto pki val
debug crypto pki api
debug crypto pki call
debug crypto pki tr
debug ssl openssl error
debug ssl openssl msg
debug ssl openssl state
debug ssl openssl ext

show crypto pki certificate

show running
show pnp tech

Cisco DNA Center Security Best Practices Guide

33
 Certificates for Systems that Peer with Cisco DNA Center

Step 3 Enable debugging before you initiate a PnP discovery.

Step 4 Check the server certificate's SAN field by entering the following command from the CLI of a Linux workstation
or a Mac terminal. Be sure to replace SERVER_IP with your Cisco DNA Center cluster address.
echo | openssl s_client -showcerts -servername SERVER_IP -connect
SERVER_IP:443 2>/dev/null | openssl x509 -inform pem -noout -text

Step 5 In the output, pay close attention to the X509v3 extensions, especially the X509v3 Subject Alternative Name,
which is the field that must be matched against the PnP server details.
The output is similar to the following:
[username@toolkit ~]$ echo | openssl s_client -showcerts -servername SERVER_IP -connect
SERVER_IP:443 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
18:92:63:49:41:36:99:43:00:57:43:86:06:10:44:57:32:48:65:00
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=e328c7fc-3495-4bc1-81a4-66a31d0507f6, C=US, ST=California, L=SanJose,
OU=DNAC, O=Cisco
Validity
Not Before: Aug 24 05:55:29 2017 GMT
Not After : Aug 23 05:55:29 2022 GMT
Subject: CN=SERVER_IP, ST=California, C=US, O=Cisco, OU=DNAC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a2:21:ba:52:b4:9e:50:02:c0:68:2e:b3:43:0a:
<snip>
9e:1b:ef:19:96:f9:2b:e3:6a:58:05:b3:c5:b3:d3:
24:ab
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
IP Address:SERVER_IP

Step 6 Depending on the type of certificate you are using, do one of the following:
• If you are using a signed certificate, generate a new Certificate Signing Request that is signed by the CA,
including the appropriate SAN field. See Update the Cisco DNA Center Server Certificate, on page 24.
• If you are using a self-signed certificate (not recommended), see Generate a Certificate Request Using
OpenSSL, on page 18.

Certificates for Systems that Peer with Cisco DNA Center

When setting up a certificate for an external system that Cisco DNA Center communicates with (such as Cisco
ISE, IPAM, vManage, or Stealthwatch Security Analytics), ensure that the HTTP-type CRL distribution point
is supported and is placed before LDAP (if multiple distribution points with LDAP are present) for the system's
certificates.

Cisco DNA Center Security Best Practices Guide

34
 Disable SFTP Compatibility Mode

If you don't place the CRL distribution point before LDAP, authentication with the external system might fail
for LDAP-type CRL entries.

Disable SFTP Compatibility Mode

SSH File Transfer Protocol (SFTP) Compatibility mode allows legacy network devices to connect to Cisco
DNA Center using older cipher suites that are not secure. By default, SFTP Compatibility mode is enabled
for new Cisco DNA Center deployments.
• If your network does not have legacy devices, we recommend that you disable SFTP Compatibility mode
during initial cluster configuration.
• If your network does have legacy devices, we recommend that you enable SFTP Compatibility mode for
a maximum of three days, which should be enough time to complete provisioning tasks.

Complete the procedure that's specific to your Cisco DNA Center version.

Newer Cisco DNA Center Versions

If you are running Cisco DNA Center 2.1.2.0 or later, complete the following procedure to enable or disable
SFTP Compatibility mode:

Procedure

Step 1 Click the menu icon ( ) and choose System > Settings > Device Settings > Image Distribution Servers.
Step 2 In the Host column, locate the relevant server and click the corresponding i icon.
A message appears, indicating whether SFTP Compatibility mode is currently enabled or disabled on that
server.

Step 3 If necessary, click the link provided in the message to enable or disable this mode.

Older Cisco DNA Center Versions

If you are running Cisco DNA Center 1.3.3.0 or earlier, complete the following procedure to enable or disable
SFTP Compatibility mode:

Procedure

Step 1 Log in to Cisco DNA Center.

Step 2 From the home page, choose > System Settings > Settings > SFTP.
Step 3 Check the Compatibility mode check box to enable this mode. (Uncheck the check box to disable it.)
Step 4 Click Apply.

Cisco DNA Center Security Best Practices Guide

35
 Browser-Based Appliance Configuration Wizard

Browser-Based Appliance Configuration Wizard

In addition to the appliance configuration wizard that has been available since its first release, Cisco DNA
Center also provides a browser-based appliance configuration wizard. See the following topics for a description
of how to disable or re-enable this wizard.

Disable the Wizard

A self-signed certificate is provided with your Cisco DNA Center appliance. If your production environment
doesn't allow the use of self-signed certificates, we recommend that you shut down the service associated
with the browser-based appliance configuration wizard. Complete the following procedure right after using
the wizard to configure your appliance.

Note Only users with root privileges can complete this procedure.

Procedure

Step 1 In an SSH client, log in to your Cisco DNA Center appliance using the IP address that you entered during
configuration.
When prompted, enter your username and password.

Step 2 (Optional) To view usage information for the commands that you should run in order to disable or re-enable
the browser-based appliance configuration wizard, run the maglev-config webinstall command.
The following output is displayed:
Usage: maglev-config webinstall [OPTIONS] COMMAND [ARGS]...
Enable/Disable Maglev web install feature
Options:
--help Show this message and exit.
Commands:
disable Stops and disables Maglev webinstall service...
enable Enables Maglev webinstall feature service

Step 3 Disable the browser-based configuration wizard by running the maglev-config webinstall disable command.
After the operation is completed, you will see the following message:
Maglev Web install feature disabled

Re-enable the Wizard

If the browser-based configuration wizard is currently disabled on an appliance, re-enable it before you
complete the following tasks:
• Add nodes to a three-node Cisco DNA Center cluster on which you plan to enable high availability (HA).
• Remove a node from a three-node cluster that has HA enabled, and replace it with a new node. In this
case, ensure that the browser-based configuration wizard is enabled on at least one of the other two cluster
nodes.

Cisco DNA Center Security Best Practices Guide

36
 Upgrade Legacy Devices

Note Only users with root privileges can complete this procedure.

Procedure

Step 1 In an SSH client, log in to your Cisco DNA Center appliance using the IP address that you entered during
configuration.
When prompted, enter your username and password.

Step 2 Re-enable the wizard by running the maglev-config webinstall enable command.
After the operation is completed, you will see the following message:
Maglev Web install feature enabled

Upgrade Legacy Devices

If you have legacy network devices, you must upgrade them to the latest device software:
• To view the software versions that Cisco SD-Access supports, see the Cisco SD-Access Compatibility
Matrix.
• To view general device support information for Cisco DNA Center, see the Cisco DNA Center
Compatibility Matrix.

Some devices, such as Cisco Aironet 1800 Series Access Points Version 8.5, use TLSV1, which is not secure.
You must upgrade the device software version to 8.8 to upgrade the TLS version.

Secure Network Data

Cisco DNA Center lets you use the Data Anonymization feature to hide the identity of wired and wireless
end clients in the Cisco DNA Assurance dashboard. For details, see "View or Update Collector Configuration
Information" in the Cisco DNA Assurance User Guide.

Syslog Management
Cisco DNA Center protects syslogs for user-sensitive data such as username, password, IP address, and so
on.

View Audit Logs

Audit logs capture information about the various applications running on Cisco DNA Center. Audit logs also
capture information about device public key infrastructure (PKI) notifications. The information in these audit
logs can be used to help in troubleshooting issues, if any, involving the applications or the device PKI
certificates.
Audit logs also record system events that occurred, when and where they occurred, and which users initiated
them. With audit logging, configuration changes to the system get logged in separate log files for auditing.

Cisco DNA Center Security Best Practices Guide

37
View Audit Logs

Procedure

Step 1 Click the menu icon ( ) and choose Activities > Audit Logs.
The Audit Logs window opens, where you can view logs about the current policies in your network. These
policies are applied to network devices by the applications installed on Cisco DNA Center.

Step 2 Click the timeline slider to specify the time range of data you want displayed on the window:
a. In the Time Range area, choose a time range—Last 2 Weeks, Last 7 Days, Last 24 Hours, or Last 3
Hours.
b. To specify a custom range, click By Date and specify the start and end date and time.
c. Click Apply.

Step 3 Click the arrow next to an audit log to view the corresponding child audit logs.
Each audit log can be a parent to several child audit logs. By clicking the arrow, you can view a series of
additional child audit logs.
Note An audit log captures data about a task performed by Cisco DNA Center. Child audit logs are
subtasks to a task performed by Cisco DNA Center.

Step 4 (Optional) From the list of audit logs in the left pane, click a specific audit log message. In the right pane,
click Event ID > Copy Event ID to Clipboard. With the copied ID, you can use the API to retrieve the audit
log message based on the event ID.
The audit log displays the Description, User, Interface, and Destination of each policy in the right pane.
Note The audit log displays northbound operation details such as POST, DELETE, and PUT with
payload information, and southbound operation details such as the configuration pushed to a
device. For detailed information about the APIs on Cisco DevNet, see Cisco DNA Center Platform
Intent APIs.

Step 5 (Optional) Click Filter to filter the log by User ID, Log ID, or Description.
Step 6 Click Subscribe to subscribe to the audit log events.
A list of syslog servers is displayed.

Step 7 Check the syslog server check box that you want to subscribe to and click Save.
Note Uncheck the syslog server check box to unsubscribe from the audit log events and click Save.

Step 8 In the right pane, use the Search field to search for specific text in the log message.
Step 9 Click the menu icon ( ) and choose Activities > Scheduled Tasks to view the upcoming, in-progress,
completed, and failed administrative tasks, such as operating system updates or device replacements.
Step 10 Click the menu icon ( ) and choose Activities > Work Items tab to view the in-progress, completed, and
failed work items.

Cisco DNA Center Security Best Practices Guide

38
 Export Audit Logs to Syslog Servers

Export Audit Logs to Syslog Servers

Security Recommendation: We strongly encourage you to export audit logs from Cisco DNA Center to a
remote syslog server in your network, for more secure and easier log monitoring.
You can export the audit logs from Cisco DNA Center to multiple syslog servers by subscribing to them.

Before you begin

You must configure the syslog servers in the System > Settings > External Services > Destinations > Syslog
area.

Procedure

Step 1 Click the menu icon ( ) and choose Activities > Audit Logs.
Step 2 Click Subscribe.
Step 3 Select the syslog servers that you want to subscribe to and click Save.
Step 4 (Optional) To unsubscribe, deselect the syslog servers and click Save.

View Audit Logs in Syslog Server Using APIs

With the Cisco DNA Center platform, you can use APIs to view audit logs in syslog servers. Using the Create
Syslog Event Subscription API from the Developer Toolkit, you must create a syslog subscription for audit
log events.
Whenever an audit log event occurs, the syslog server lists the audit log events.

View Security Advisories Report

Cisco DNA Center provides the functionality to create a Security Advisory report that scans your Cisco
network devices for relevant security advisories, and contains information about publicly reported
vulnerabilities.
Security Recommendation: We strongly encourage you to periodically review and run this report to understand
the impact of published Cisco security advisories that may affect your network, and take appropriate actions,
if necessary.
The Security Advisories report displays device data and related advisory data such as—Device Name, IP
Address, Device Type, Serial Number, Image Version, Site, Advisory ID, CVSS Score, and Impact.

Note • Each row in the report is a unique match of device and advisory because there can be a one-to-many
relationship between devices and advisories.
• Devices that were not scanned are included in the report and labeled as not scanned.
• Devices that were scanned and have no advisories are labeled as no advisories found.

For detailed information and instructions on how to run the security advisories report, see the section "Run a
Security Advisories Report" in the Cisco DNA Center Platform User Guide.

Cisco DNA Center Security Best Practices Guide

39
The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on
age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that
is hardcoded in the user interfaces of the product software, language used based on standards documentation, or language that is used by a referenced third-party product.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
© 2018–2022 Cisco Systems, Inc. All rights reserved.