topic Cisco DNA Sensor in Cisco Catalyst Center

Cisco DNA Sensor

michael18 — Tue, 17 Oct 2023 12:32:02 GMT

I have a DNA sensor to add to DNAC. Its the first one to be added. I can see it in PnP but it doesn't join correctly. onboarding stops at 10%

logs from sensor ssh:

CertificateError: hostname 'pnpserver.domain' doesn't match either of 'localhost', 'kong', 'kong.maglev-system', 'kong.maglev-system.svc', 'kong.maglev-system.svc.cluster', 'kong.maglev-system.svc.cluster.local',

DNA device status:

NCOB02066: Device disconnected probably due to incorrect certificate or TLS version.

Has anyone come across this and found a fix?

Re: Cisco DNA Sensor

balaji.bandi — Tue, 17 Oct 2023 13:21:18 GMT

DNA sensor - what DNAC Sensor ? you mean Sensor AP ?

if Wifi sensor AP - then what is the version of DNAC ? it required 2.3.X version to work.

Re: Cisco DNA Sensor

michael18 — Tue, 17 Oct 2023 14:26:54 GMT

yeh, AP1801. a sensor used with DNAC. current version 2.3.4

Re: Cisco DNA Sensor

Preston Chilcote — Tue, 17 Oct 2023 15:15:05 GMT

It sounds like you replaced the self-signed certificate, but didn't include pnpserver.domain in the Certificat Signing Request (CSR). Be sure to follow this doc to generate a new CSR and certificate that includes that url:

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html

Re: Cisco DNA Sensor

andrew.butterworth — Thu, 22 Feb 2024 14:59:53 GMT

In our lab I have recently replaced the certificate on DNAC with one signed by the internal CA. I used the GUI to generate the CSR, hit the issue with the CN only being accepted if it was the IPv4 address, but I put the various SAN entries in so it all seems to work. This then had some knock-on effects that has taken me some time to resolve - ISE integration broke and I had to "sudo maglev-config refresh_certs" on DNAC to get it to accept the certificate from ISE - not sure why this worked, but it did. We also have a AP1800S-WiFi-Sensor and this hasn't worked since I replaced the DNAC cert.

On the sensor I am getting the error "ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] unknown error: unable to get local issuer certificate (_ssl.c:1123)" and I am struggling to solve it. The SAN on the DNAC cert contains all the IPv4 addresses as well as the DNA names, plus a 'pnpserver.<local DNS suffix>'.

I'm not sure what else to try.

EDIT: I replaced the DNAC system certificate again. I used the GUI to create the CSR, added the various SAN DNS names including 'pnpserver.<domain suffix>', got it signed by the internal CA. I then combined the resulting PEM file with the CA root PEM file into a single file and fed it back to DNAC. DNAC kicked me out due to the new cert. I logged back in, rebooted the sensor (PoE off/on) and its now gone through the PNP stuff and onboarded.

Its a proper house of cards.

Re: Cisco DNA Sensor

Tomas de Leon — Fri, 23 Feb 2024 14:32:07 GMT

Michael18,

Just to let you know, we do not support the Access Points (AP1801 or other APs) as a sensor device in Catalyst Center Appliances in most recent releases. We only support the
Cisco Aironet 1800s Active Sensor and each sensor runs sensor specific software which matches the Catalyst Center Release Train that it wants to join.

Cisco Aironet 1800s Active Sensor
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/1800/quick/guide/ap1800sgetstart.html

Cisco Aironet Active Sensor Deployment Guide
https://www.cisco.com/c/dam/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/deploy-guide/Cisco_1800S_Sensor_Deployment_Guide_133.pdf

Aironet 1800s Network Sensor
https://software.cisco.com/download/home/286318948/type/286288051/release/2.3.7.0