10-17-2023 05:32 AM
I have a DNA sensor to add to DNAC. It's the first one to be added. I can see it in PnP but it doesn't join correctly. Onboarding stops at 10%.
Logs from sensor SSH:
CertificateError: hostname 'pnpserver.domain' doesn't match either of 'localhost', 'kong', 'kong.maglev-system', 'kong.maglev-system.svc', 'kong.maglev-system.svc.cluster', 'kong.maglev-system.svc.cluster.local',
DNA device status:
NCOB02066: Device disconnected probably due to incorrect certificate or TLS version.
Has anyone come across this and found a fix?
10-17-2023 06:21 AM
DNA sensor - what DNAC sensor? You mean sensor AP?
If Wi-Fi sensor AP, then what is the version of DNAC? It requires version 2.3.X to work.
10-17-2023 07:26 AM
Yeah, AP1801. A sensor used with DNAC. Current version 2.3.4.
02-23-2024 06:32 AM
Michael18,
Just to let you know, we do not support the Access Points (AP1801 or other APs) as a sensor device in Catalyst Center Appliances in most recent releases. We only support the Cisco Aironet 1800s Active Sensor, and each sensor runs sensor-specific software which matches the Catalyst Center Release Train that it wants to join.
Cisco Aironet 1800s Active Sensor
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/1800/quick/guide/ap1800sgetstart.html
Cisco Aironet Active Sensor Deployment Guide
https://www.cisco.com/c/dam/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/deploy-guide/Cisco_1800S_Sensor_Deployment_Guide_133.pdf
Aironet 1800s Network Sensor
https://software.cisco.com/download/home/286318948/type/286288051/release/2.3.7.0
10-17-2023 08:15 AM
It sounds like you replaced the self-signed certificate, but didn't include pnpserver.domain in the Certificate Signing Request (CSR). Be sure to follow this doc to generate a new CSR and certificate that includes that URL:
02-22-2024 04:01 AM - edited 02-22-2024 06:59 AM
In our lab I have recently replaced the certificate on DNAC with one signed by the internal CA. I used the GUI to generate the CSR, hit the issue with the CN only being accepted if it was the IPv4 address, but I put the various SAN entries in so it all seems to work. This then had some knock-on effects that have taken me some time to resolve - ISE integration broke and I had to "sudo maglev-config refresh_certs" on DNAC to get it to accept the certificate from ISE - not sure why this worked, but it did. We also have an AP1800S-WiFi-Sensor and this hasn't worked since I replaced the DNAC cert.
On the sensor I am getting the error "ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] unknown error: unable to get local issuer certificate (_ssl.c:1123)" and I am struggling to solve it. The SAN on the DNAC cert contains all the IPv4 addresses as well as the DNA names, plus a 'pnpserver.<local DNS suffix>'.
I'm not sure what else to try.
EDIT: I replaced the DNAC system certificate again. I used the GUI to create the CSR, added the various SAN DNS names including 'pnpserver.<domain suffix>', got it signed by the internal CA. I then combined the resulting PEM file with the CA root PEM file into a single file and fed it back to DNAC. DNAC kicked me out due to the new cert. I logged back in, rebooted the sensor (PoE off/on) and it's now gone through the PnP stuff and onboarded.
It's a proper house of cards.
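The two sensor-side failures quoted in this thread (the PnP hostname missing from the SAN list, and "unable to get local issuer certificate") can be reproduced and told apart offline with `openssl verify` before a certificate is uploaded. This is an added example, not part of any post above; the throwaway CAs, the `example.test` names and the 192.0.2.10 address are constructed placeholders.

```shell
#!/usr/bin/env bash
# Constructed lab PKI; every name and address below is a placeholder.
WORK=$(mktemp -d)
PNP_NAME="pnpserver.example.test"    # stands in for pnpserver.<domain suffix>

# make_ca <label>: self-signed throwaway root
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert <label> <ca-label> <SAN list>: CSR signed by the given root
issue_cert() {
  printf 'subjectAltName=%s\n' "$3" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# check_cert <trusted-root label> <cert label> <hostname>
# Prints OK, NO_ISSUER or NAME_MISMATCH (the two failures seen on the sensor).
check_cert() {
  local out
  out=$(openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$3" "$WORK/$2.pem" 2>&1) \
    && { echo OK; return 0; }
  case "$out" in
    *"unable to get local issuer"*) echo NO_ISSUER ;;
    *[Hh]ostname*mismatch*)         echo NAME_MISMATCH ;;
    *)                              echo "OTHER: $out" ;;
  esac
}

make_ca internal-ca      # the CA that signed the new system certificate
make_ca other-ca         # a verifier whose trust store lacks the internal CA
issue_cert no-pnp   internal-ca "DNS:dnac.example.test,IP:192.0.2.10"
issue_cert with-pnp internal-ca "DNS:dnac.example.test,DNS:$PNP_NAME,IP:192.0.2.10"

echo "SAN missing pnpserver : $(check_cert internal-ca no-pnp   "$PNP_NAME")"
echo "issuer not trusted    : $(check_cert other-ca    with-pnp "$PNP_NAME")"
echo "SAN + trusted issuer  : $(check_cert internal-ca with-pnp "$PNP_NAME")"
```

Against a real deployment, the same `openssl verify -CAfile <root> -verify_hostname <pnp name> <cert>` call can be run on the signed certificate and the internal CA root before they are combined and uploaded.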