dosic
Beginner

Prime + APIC-EM + PnP

Hello community,
I'm working with Prime + APIC-EM + PnP.

Devices, in my case routers, get the configuration from Cisco PI template.

At the same time I'm trying to push them pki based dmvpn + ipsec as part of the configuration.

The question is where can I modify the crypto pki trustpoint sdn-network-infra-iwan parameters such as fqdn and source interface?

Or should I point them in the template configuration that is pushed to the new devices?
Thanks

1 Reply
rune.jon
Beginner

Using the APIC-EM PKI service, there is no way to change that. Either use your own internal PKI service, using your own trustpoint configuration from Prime.

BTW, the PKI service on APIC-EM for PnP clients is pretty much useless. In fact I will say it is not supported. It is only supported on the IWAN application service (that includes 1.6). The documentation is horrible. You have no way of revoking certificates, and no easy way on the GUI to change certificates on the clients when the certs expire. Cisco even recommend having more than a 2 year expiry date because of that. And this is in my mind total brain damage. It is more secure to use preshared keys. I think you are probably better off using AAA with ISE with shared keys. You get a unique password per node and a centralised service. You probably could do more PKI services using the API or with OpenSSL. But going down that line: the documentation is so poor that the hair you pull out will not grow back again if you want it to work.

Cisco have very poor PKI services for Cisco nodes. ISE (2.3) does not support it. IOS PKI is quite old, but only works with SCEP for provisioning and CRL, with all their weaknesses. Tried using ECDSA based certificates? IOS-XE supports it, but it does not work, too many bugs (tried it on 3850: 16.3.X). Tried provisioning certificates with EST? Cisco have no EST central service. Total stop in development. No activity in their GitHub. I recommend using third-party PKI services other than Cisco.
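As an added illustration of the second option raised in both posts (it is not from either poster or from Cisco): an IOS trustpoint for an internal CA written as a Prime Infrastructure CLI template, so the fqdn and source interface come from per-device template variables instead of the fixed APIC-EM sdn-network-infra-iwan trustpoint. The variable names, the trustpoint and key labels, and the use of `$variable` substitution at deploy time are assumptions.

```ios
! Added example for this thread, not Cisco's or the poster's configuration.
! Assumed template variables: $CA_URL, $CA_FINGERPRINT, $DEVICE_FQDN, $SOURCE_IF.
!
! Dedicated RSA key pair for this trustpoint, so rotating it does not touch SSH keys.
crypto key generate rsa label INTERNAL-CA-KEY modulus 2048
!
crypto pki trustpoint INTERNAL-CA
 ! SCEP enrollment against your own CA, not the APIC-EM PKI service.
 enrollment url $CA_URL
 ! Pin the CA certificate so automatic authentication fails on a wrong CA.
 fingerprint $CA_FINGERPRINT
 ! The two parameters the question asks about, per device from the template.
 fqdn $DEVICE_FQDN
 source interface $SOURCE_IF
 subject-name CN=$DEVICE_FQDN,OU=WAN
 ! Keep the IP address out of the subject so renumbering does not invalidate the cert.
 ip-address none
 ! Check revocation on every peer certificate; fail closed if the CRL is unreachable.
 revocation-check crl
 rsakeypair INTERNAL-CA-KEY
 ! Re-enroll at 70% of lifetime with a fresh key pair instead of letting certs expire.
 auto-enroll 70 regenerate
```

With `fingerprint` set, `auto-enroll` can authenticate the CA and enroll without an interactive `crypto pki authenticate` step on each PnP device; verify with `show crypto pki certificates INTERNAL-CA` after the first enrollment.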