07-29-2021 02:06 PM
We ran a scan to identify the vulnerabilities, and it was identified that the DNA uses port 80.
I couldn't find any documentation to disable this port.
When we access http://dnac.xpto.com (80) it is automatically redirected to https://dnac.xpto.com (443).
But through the "CMD" we were able to connect by running the command "telnet dnac.xpto.com 80".
07-29-2021 02:19 PM
There is at least one feature that relies on HTTP being available. When a new device is being onboarded with Plug and Play, it doesn't yet have the certificate of the Cisco DNA appliance to do HTTPS. So, initially it connects over HTTP to get that cert, then switches over to HTTPS.
07-30-2021 08:19 AM
Thank you very much for the information, as I was able to find in this guide exactly what you commented.
As I understand it, not only PnP, but also other features like SWIM, EEM and others.
"Software image download from Cisco DNA Center through HTTPS:443, SFTP:22, HTTP:80.
Certificate download from Cisco DNA Center through HTTPS:443, HTTP:80 (Cisco 9800 Wireless Controller, PnP), Sensor/Telemetry."
"Note: Block port 80 if you don't use Plug and Play (PnP), Software Image Management (SWIM), Embedded Event Management (EEM), device enrollment, and Cisco 9800 Wireless Controller."
Your information was extremely helpful in locating what I needed.
I haven't figured out how I could block port 80 if I don't use these functions.
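The thread raises two practical questions: whether the port-80 finding from the scanner is a real exposure (the poster's own test shows only a redirect to 443, while telnet still completes a TCP connection), and whether the port can be blocked given the feature dependencies in the Cisco note quoted above (PnP, SWIM, EEM, device enrollment, Catalyst 9800 WLC). The script below is an added example written for this thread, not Cisco code and not something from the original posts. It parses a raw HTTP response to tell a bare HTTPS redirect apart from a service that actually serves content, optionally probes a live host, and maps the observed state plus a feature inventory to a finding. The feature names, the sample responses and the `dnac.xpto.com` host are constructed from what the thread says; the feature-to-port mapping is taken from the quoted note.

```python
import socket

# Features the quoted Cisco note lists as depending on TCP/80 (constructed identifiers).
HTTP_DEPENDENT_FEATURES = {"pnp", "swim", "eem", "device_enrollment", "c9800_wlc"}

# Constructed sample responses, shaped like what the poster saw on port 80.
SAMPLE_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                   b"Location: https://dnac.xpto.com/\r\n"
                   b"Content-Length: 0\r\n\r\n")
SAMPLE_CONTENT = (b"HTTP/1.1 200 OK\r\n"
                  b"Content-Type: text/html\r\n\r\n"
                  b"<html><body>login</body></html>")


def classify_http_response(raw: bytes) -> str:
    """Classify a raw HTTP/1.x response by status code and Location header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    code = int(status[1]) if len(status) > 1 and status[1].isdigit() else 0
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}
    location = headers.get("location", "")
    if 300 <= code < 400 and location.lower().startswith("https://"):
        return "redirect-to-https"   # plain HTTP is a bounce to 443 only
    if 300 <= code < 400:
        return "redirect-other"      # redirects somewhere that is not HTTPS
    if 200 <= code < 300:
        return "serves-content"      # real content over cleartext
    return "unknown"


def probe_port80(host: str, timeout: float = 3.0) -> str:
    """Live check: connect to TCP/80, send a minimal GET and classify the reply.
    Returns 'closed' if the TCP connection is refused or times out."""
    try:
        with socket.create_connection((host, 80), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = b""
            while len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
        return classify_http_response(data)
    except OSError:
        return "closed"


def assess(port80_state: str, enabled_features) -> str:
    """Turn the observed port-80 state and the feature inventory into a finding."""
    needed = sorted(HTTP_DEPENDENT_FEATURES & {f.lower() for f in enabled_features})
    if port80_state == "closed":
        if needed:
            return ("warning: port 80 is unreachable but these features depend on it: "
                    + ", ".join(needed))
        return "ok: port 80 is not reachable and no enabled feature needs it"
    if needed:
        return ("info: port 80 is open (" + port80_state + ") and required by: "
                + ", ".join(needed))
    if port80_state == "redirect-to-https":
        return ("low: port 80 only redirects to HTTPS and no enabled feature needs it; "
                "per the Cisco note it can be blocked upstream of the appliance")
    return ("medium: port 80 serves content (" + port80_state
            + ") and no enabled feature needs it; block it upstream of the appliance")


if __name__ == "__main__":
    # Offline walk-through on the constructed samples; swap in probe_port80(host)
    # for a live appliance.
    state = classify_http_response(SAMPLE_REDIRECT)
    print(state, "->", assess(state, []))
    print(state, "->", assess(state, ["PnP", "SWIM"]))
    print(classify_http_response(SAMPLE_CONTENT), "->",
          assess(classify_http_response(SAMPLE_CONTENT), []))
```

The useful distinction is the first one: a scanner reports "port 80 open" for both a bare redirect and a service that serves content, and the telnet connect the poster mentions proves only that the TCP handshake completes. Blocking the port in front of the appliance is the mitigation the Cisco note describes; the feature inventory you pass to `assess` is what tells you whether that block would break onboarding or image management.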