Cisco DNA Spaces: Connector Configuration Guide

First Published: 2019-08-01
Last Modified: 2020-03-25

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 527-0883


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2020 Cisco Systems, Inc. All rights reserved.


CONTENTS

Preface v
  Audience v
  Conventions v
  Related Documentation vi
  Communications, Services, and Additional Information vi

PART I: Overview 7
  Chapter 1: Cisco DNA Spaces: Connector Overview 1

PART II: Setup 3
  Chapter 2: Initial Setup 5
    Prerequisites for the Cisco DNA Spaces: Connector 5
    Downloading and Deploying the Cisco DNA Spaces: Connector OVA 6
    Creating a Connector and Retrieving a Token for it from Cisco DNA Spaces 10
    Activating the Cisco DNA Spaces: Connector 15
  Chapter 3: Configuring a Proxy 19
    Troubleshooting Proxy Configuration 20
  Chapter 4: Connecting a Connector to Cisco wireless controller (controller) 23
  Chapter 5: Connecting a Connector to Cisco Catalyst 9800 Series Wireless Controllers 29

PART III: Location Hierarchy 35
  Chapter 6: Importing a Cisco wireless controller (controller) to the Cisco DNA Spaces Location Hierarchy 37

PART IV: Configure Privacy Settings 43
  Chapter 7: Configuring Privacy Settings: MAC and Username Salt 45

PART V: Configure AAA 47
  Chapter 8: Configure AAA 49
    Information About AAA 49
    Configure AAA 49


Preface

• Audience, on page v
• Conventions, on page v
• Related Documentation, on page vi
• Communications, Services, and Additional Information, on page vi

Audience

This document is for Cisco DNA Spaces network and IT administrators who deploy Cisco DNA Spaces to monitor, manage, and optimize usage of assets in an organization.

Conventions

This document uses the following conventions:

Table 1: Conventions (Convention: Indication)

bold font: Commands and keywords and user-entered text appear in bold font.

italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.

[ ]: Elements in square brackets are optional.

{x | y | z}: Required alternative keywords are grouped in braces and separated by vertical bars.

[x | y | z]: Optional alternative keywords are grouped in brackets and separated by vertical bars.

string: A nonquoted set of characters. Do not use quotation marks around the string. Otherwise, the string will include the quotation marks.

courier font: Terminal sessions and information the system displays appear in courier font.

< >: Nonprinting characters such as passwords are in angle brackets.

[ ]: Default responses to system prompts are in square brackets.

!, #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Tip: Means the following information will help you solve a problem.

Caution: Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.

Related Documentation

For more information, see:

• https://support.dnaspaces.io/hc/en-us

Communications, Services, and Additional Information

• To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
• To get the business impact you're looking for with the technologies that matter, visit Cisco Services.
• To submit a service request, visit Cisco Support.
• To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
• To obtain general networking, training, and certification titles, visit Cisco Press.
• To find warranty information for a specific product or product family, access Cisco Warranty Finder.

Cisco Bug Search Tool

Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.


PART I: Overview

• Cisco DNA Spaces: Connector Overview, on page 1


CHAPTER 1: Cisco DNA Spaces: Connector Overview

The Cisco DNA Spaces: Connector enables Cisco DNA Spaces to communicate with multiple Cisco wireless controllers (controller) efficiently, by allowing each controller to transmit high-intensity client data without missing any client information.

Note: We recommend that you upgrade Cisco DNA Spaces: Connector to the latest version.


PART II: Setup

• Initial Setup, on page 5
• Configuring a Proxy, on page 19
• Connecting a Connector to Cisco wireless controller (controller), on page 23
• Connecting a Connector to Cisco Catalyst 9800 Series Wireless Controllers, on page 29


CHAPTER 2: Initial Setup

To get the Cisco DNA Spaces: Connector up and running, the steps are summarised below:

1. Install the Cisco DNA Spaces: Connector in your local deployment network. See Downloading and Deploying the Cisco DNA Spaces: Connector OVA, on page 6.

2. On the Cisco DNA Spaces dashboard, create a Cisco DNA Spaces: Connector and generate a token for the Connector. See Creating a Connector and Retrieving a Token for it from Cisco DNA Spaces, on page 10.

3. Configure this token on the deployed Cisco DNA Spaces: Connector. This establishes a connection between Cisco DNA Spaces and the deployed Cisco DNA Spaces: Connector. The equivalent connector (based on the token) on Cisco DNA Spaces now turns active. See Activating the Cisco DNA Spaces: Connector, on page 15.

4. Configure a Cisco wireless controller (controller) or Cisco Catalyst 9800 Series Wireless Controllers in the Cisco DNA Spaces dashboard. See Connecting a Connector to Cisco wireless controller (controller), on page 23, or Connecting a Connector to Cisco Catalyst 9800 Series Wireless Controllers, on page 29. Test the connectivity between the Connector and the controller.

• Prerequisites for the Cisco DNA Spaces: Connector, on page 5
• Downloading and Deploying the Cisco DNA Spaces: Connector OVA, on page 6
• Creating a Connector and Retrieving a Token for it from Cisco DNA Spaces, on page 10
• Activating the Cisco DNA Spaces: Connector, on page 15

Prerequisites for the Cisco DNA Spaces: Connector

• The Cisco DNA Spaces: Connector must be able to connect to the Cisco wireless controller (controller) on port 16113 over TCP and SNMP ports 161/162 over UDP.

• For US and APJC setups, the Cisco DNA Spaces: Connector must be able to reach https://connector.dnaspaces.io (IP addresses: Primary: 52.20.144.155, 34.231.154.95; Disaster Recovery: 54.176.92.81, 54.183.58.225).

  Note: Enable port 80 on the firewall to ensure reachability.

• For EU setups, the Cisco DNA Spaces: Connector must be able to reach https://connector.dnaspaces.eu (IP addresses: Primary: 63.33.127.190, 63.33.175.64; Disaster Recovery: 3.122.15.26, 3.122.15.7).

  Note: Enable port 80 on the firewall to ensure reachability.

• The Cisco DNA Spaces: Connector should be able to reach the Cisco DNA Spaces endpoints for establishing data connectivity with Cisco DNA Spaces.

• Ensure that you white-list the https://www.cisco.com and cisco.com domains.

• For both SNMP (Simple Network Management Protocol) versions, v2C and v3, you require read-write permissions for registering the Cisco DNA Spaces: Connector certificate with the Cisco wireless controller (controller).

• If you are using Cisco wireless controller (controller) cloud connect or if Cisco DNA Spaces services are enabled, ensure that Cisco DNA Spaces is disabled on your controller by executing the following command:

  config cloud-services cmx disable

  After disabling, save the configuration.

• The controller IP you configure in the Cisco DNA Spaces dashboard must be able to reach the Cisco DNA Spaces: Connector.

• The Cisco DNA Spaces: Connector can access the Internet Control Message Protocol (ICMP) and communicate with the Domain Name System (DNS) server and the proxy (if an explicit proxy is configured) through ICMP.

• VMware ESXi 6.5 or above.
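A pre-flight script for the reachability prerequisites in this list, added here as an example and not part of the Cisco guide. It resolves the regional endpoint, checks each resolved address against the ones the list documents (primary and disaster recovery), and probes the TCP ports the list requires; it assumes bash with /dev/tcp, coreutils timeout and getent on the host it runs from, and REGION and CONTROLLER_IP are variable names chosen for this example.

```shell
#!/usr/bin/env bash
# Pre-flight check for the Connector prerequisites (example, not Cisco code).
# Run from the Connector VM, or any host on the same segment, before activation.
# Assumptions: bash (/dev/tcp), coreutils 'timeout', glibc 'getent'.

# Endpoint addresses documented per region: primary followed by disaster recovery.
US_IPS="52.20.144.155 34.231.154.95 54.176.92.81 54.183.58.225"
EU_IPS="63.33.127.190 63.33.175.64 3.122.15.26 3.122.15.7"

endpoint_for_region() {
    case "$1" in
        us|apjc) printf '%s\n' "connector.dnaspaces.io" ;;
        eu)      printf '%s\n' "connector.dnaspaces.eu" ;;
        *)       printf 'unknown region: %s\n' "$1" >&2; return 1 ;;
    esac
}

ips_for_region() {
    case "$1" in
        us|apjc) printf '%s\n' "$US_IPS" ;;
        eu)      printf '%s\n' "$EU_IPS" ;;
        *)       return 1 ;;
    esac
}

# Returns 0 when $1 is one of the whitespace-separated addresses in $2.
ip_in_list() {
    local ip="$1" candidate
    for candidate in $2; do
        [ "$candidate" = "$ip" ] && return 0
    done
    return 1
}

# TCP connect probe with a timeout (default 3 s). SNMP on udp/161-162 cannot be
# probed this way; that needs an SNMP query against the controller.
tcp_reachable() {
    local host="$1" port="$2" secs="${3:-3}"
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# A records for a name, one per line, via the system resolver.
resolve_host() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Full pre-flight: endpoint resolution and address check, then the TCP probes.
# Prints one line per check; returns non-zero if anything failed or looked off.
preflight() {
    local region="$1" controller="$2" endpoint allowed ip port rc=0
    endpoint=$(endpoint_for_region "$region") || return 1
    allowed=$(ips_for_region "$region")

    for ip in $(resolve_host "$endpoint"); do
        if ip_in_list "$ip" "$allowed"; then
            echo "OK   $endpoint -> $ip (documented address)"
        else
            # Not necessarily wrong (the service may move), but confirm where the
            # resolver's answer comes from before opening the firewall to it.
            echo "WARN $endpoint -> $ip (not in the documented list)"; rc=1
        fi
        # 443 for the https endpoint, 80 because the Note above asks for it.
        for port in 443 80; do
            if tcp_reachable "$ip" "$port"; then echo "OK   $ip tcp/$port"
            else echo "FAIL $ip tcp/$port"; rc=1; fi
        done
    done

    # NMSP from the Connector to the controller.
    if tcp_reachable "$controller" 16113; then echo "OK   controller $controller tcp/16113"
    else echo "FAIL controller $controller tcp/16113"; rc=1; fi
    echo "INFO SNMP udp/161-162 to $controller: verify with an SNMP read-write query"
    return "$rc"
}

# Usage: REGION=us CONTROLLER_IP=192.0.2.10 ./preflight.sh   (192.0.2.10 is a placeholder)
if [ -n "${CONTROLLER_IP:-}" ]; then
    preflight "${REGION:-us}" "$CONTROLLER_IP"
fi
```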

Downloading and Deploying the Cisco DNA Spaces: Connector OVA

This task shows you how to deploy and configure the Cisco DNA Spaces: Connector and obtain the URL for the web UI of the Connector.

SUMMARY STEPS

1. Download the Cisco DNA Spaces: Connector from Connector 2.2.
2. Create a virtual machine in the ESXi server and deploy the downloaded Cisco DNA Spaces: Connector OVA. You can log in to the terminal and enter the default username and password.
3. Enter the network settings by specifying the parameters such as IP address, host name, and so on that you want to configure on the Cisco DNA Spaces: Connector.
4. Enter the timezone.
5. Enter the Network Time Protocol (NTP) setting or leave it blank.
6. Set the password for the root user and cmxadmin user.
7. Copy the URL for the Cisco DNA Spaces: Connector Web UI before the automatic reboot.


DETAILED STEPS

Step 1 Download the Cisco DNA Spaces: Connector from Connector 2.2.

Figure 1: Software Download

Step 2 Create a virtual machine in the ESXi server and deploy the downloaded Cisco DNA Spaces: Connector OVA. You can log in to the terminal and enter the default username and password.

Step 3 Enter the network settings by specifying the parameters such as IP address, host name, and so on that you want to configure on the Cisco DNA Spaces: Connector.


Figure 2: Enter Network Settings

Note: As this configuration screen times out in sixty seconds, ensure you provide the input in time to avoid reconfiguring.

Step 4 Enter the timezone.


Step 5 Enter the Network Time Protocol (NTP) setting or leave it blank.

Figure 3: Enter NTP setting

Step 6 Set the password for the root user and cmxadmin user.

Figure 4: Setting username and password


Step 7 Copy the URL for the Cisco DNA Spaces: Connector Web UI before the automatic reboot.

Figure 5: Copy the Controller Web UI address

Creating a Connector and Retrieving a Token for it from Cisco DNA Spaces

Now that the Cisco DNA Spaces: Connector OVA has been deployed and configured with an IP address, you can log in to the Cisco DNA Spaces: Connector using a web browser with the HTTPS link provided. The Cisco DNA Spaces: Connector can now be connected to Cisco DNA Spaces.

A token must be generated for each Cisco DNA Spaces: Connector that you add to Cisco DNA Spaces. This token is used to connect Cisco DNA Spaces with the Cisco DNA Spaces: Connector. Each token is specific, and hence enables Cisco DNA Spaces to identify the Cisco DNA Spaces: Connector.

Cisco DNA Spaces enables you to add a Cisco DNA Spaces: Connector from the Cisco DNA Spaces dashboard. Cisco DNA Spaces supports multiple Cisco DNA Spaces: Connectors, and each Cisco DNA Spaces: Connector can be associated with multiple Cisco wireless controllers (controller).

Step 1 Log in to Cisco DNA Spaces.
Step 2 From the left navigation pane, choose Setup > Wireless Networks.
Step 3 In the Get your wireless network connected with Cisco DNA Spaces area, click Add New.


Step 4 Click Select for Cisco AireOS/Catalyst.
Step 5 In the Via Spaces Connector area, click Select.


Step 6 In the Prerequisites for Spaces Connector window that is displayed, click Customize Setup.
Step 7 Expand the Connect via Spaces Connector area using the respective drop-down arrow.


Step 8 In the list of steps that are displayed, click Create New Token, which is listed as the second step.


Step 9 In the Create a new token window, enter the name of the connector.
Step 10 Click Generate Token.
Step 11 In the window that appears, enter your Cisco DNA Spaces login credentials, and click Submit.
Step 12 In the window that appears, click Copy to copy the token string.


Activating the Cisco DNA Spaces: Connector

Now that the Cisco DNA Spaces: Connector OVA has been deployed and configured with an IP address, you can log in to the Cisco DNA Spaces: Connector using a web browser with the HTTPS link provided. The Cisco DNA Spaces: Connector can now be connected to Cisco DNA Spaces.

SUMMARY STEPS

1. Launch the Cisco DNA Spaces: Connector using the HTTPS address provided at the OVA deployment, https://<IP-address>/. In the Cisco DNA Spaces: Connector window that opens up, enter the username and password that were configured earlier.
2. Click the settings (gear button) on the top-right, choose Configure Token, add the token received from Cisco DNA Spaces, and click Save.
3. Observe the health of various connections, as illustrated below.

DETAILED STEPS

Step 1 Launch the Cisco DNA Spaces: Connector using the HTTPS address provided at the OVA deployment, https://<IP-address>/. In the Cisco DNA Spaces: Connector window that opens up, enter the username and password that were configured earlier.

Step 2 Click the settings (gear button) on the top-right, choose Configure Token, add the token received from Cisco DNA Spaces, and click Save.

Note: After entering the token, you may have to wait a few minutes for the Cisco DNA Spaces: Connector to initialize, as images take a while to download. The actual duration is dependent on the speed of your connection. The status changes from Configuring Token to Retrieving Connector Status. You can notice that the Configure Token notification option is automatically removed from the Cisco DNA Spaces: Connector Web UI.


Step 3 Observe the health of various connections, as illustrated below:

• Running: Status in the top-right indicates that the Cisco DNA Spaces: Connector is up and running.
• Control Channel: Health of the connection between the Cisco DNA Spaces: Connector and the DNA Spaces Cloud.
• Data Channel: Health of the connection between the Cisco DNA Spaces: Connector and Cisco DNA Spaces.
• Controller Details: NMSP connection between the Cisco DNA Spaces: Connector and the Cisco wireless controller (controller).

Figure 6: Connector Details

The following image shows a Cisco DNA Spaces: Connector that is not up and running.

CHAPTER 3: Configuring a Proxy

In the Cisco DNA Spaces: Connector window, you can also configure the proxy and other privacy settings. Set up a proxy to connect the Cisco DNA Spaces: Connector to Cisco DNA Spaces. This is required only if the virtual machine hosting the Cisco DNA Spaces: Connector is behind a proxy. Without this proxy configuration, the Cisco DNA Spaces: Connector is unable to communicate with Cisco DNA Spaces.

SUMMARY STEPS

1. SSH into the Cisco DNA Spaces: Connector CLI interface. Copy the proxy certificate file to a location accessible by the cmxadmin user.
2. (Optional) Run the setproxycert command from the CLI.
3. Return to the Cisco DNA Spaces: Connector Web UI and click Set Up HTTP Proxy. Enter your proxy address in the dialog box displayed.

DETAILED STEPS

Step 1 SSH into the Cisco DNA Spaces: Connector CLI interface. Copy the proxy certificate file to a location accessible by the cmxadmin user.

  Username:~ username$ scp ~/Downloads/cert.pem cmxadmin@x.x.x.x:~
  Username:~ username$ ssh cmxadmin@x.x.x.x
  cmxadmin@x.x.x.x's password:
  Last failed login: Mon Oct 22 23:54:08 UTC 2018 from x.x.x.x on ssh:notty
  There were 4 failed login attempts since the last successful login.
  Last login: Mon Oct 22 22:43:17 2018 from x.x.x.x

Step 2 (Optional) Run the setproxycert command from the CLI.

  [cmxadmin@connector ~]$ connectorctl setproxycert cert.pem
  New cert exists.
  Restarting connector container ...
  Connector container was restarted.
  setProxyCert successful.

Step 3 Return to the Cisco DNA Spaces: Connector Web UI and click Set Up HTTP Proxy. Enter your proxy address in the dialog box displayed.


Figure 7: Setup Proxy

Figure 8: Setup Proxy

• Troubleshooting Proxy Configuration, on page 20

Troubleshooting Proxy Configuration

SUMMARY STEPS

1. SSH into the Cisco DNA Spaces: Connector CLI interface and ping the proxy server IP address.
2. In the Cisco DNA Spaces: Connector CLI, verify whether a connection can be established to dms.dnaspaces.io and connector.dnaspaces.io through the proxy.
3. If you are getting certificate errors such as curl: (60) Peer's certificate issuer has been marked as not trusted by the user, perform the following steps to add a proxy server certificate to the Cisco DNA Spaces: Connector.
4. Ensure that the certificate is valid by verifying the output of one of the following commands and ensuring that the output is HTTP/1.1 200 OK.

   • For transparent proxies:
     curl -vvv https://connector.dnaspaces.io --cacert <cert>

   • For explicit proxies:


     curl -vvv https://connector.dnaspaces.io --proxy http://<proxy server IP>:<port> --cacert <cert>

   Note: The curl command is available only in Cisco DNA Spaces: Connector version 2.1.

5. If the previous steps do not resolve the issue, then you must include the dnaspaces.io domain in the allowed list for your proxy, and exclude it from HTTPS decryption (if enabled on your proxy).

DETAILED STEPS

Step 1 SSH into the Cisco DNA Spaces: Connector CLI interface and ping the proxy server IP address.

Step 2 In the Cisco DNA Spaces: Connector CLI, verify whether a connection can be established to dms.dnaspaces.io and connector.dnaspaces.io through the proxy.

  docker container exec -it $(docker container ls -q) /bin/bash
  curl -X GET -vvv https://connector.dnaspaces.io/ --proxy http://<proxy server IP>:<port>

  Note:
  • The curl command is available only in Cisco DNA Spaces: Connector version 2.1.
  • The docker command is available only in the root patch. Contact Customer Support for the same.

  If the connection is successful, the following result is shown:

  HTTP/1.1 200 OK

Step 3 If you are getting certificate errors such as curl: (60) Peer's certificate issuer has been marked as not trusted by the user, perform the following steps to add a proxy server certificate to the Cisco DNA Spaces: Connector.

  a) Retrieve the certificate used by the proxy, and copy it to the Cisco DNA Spaces: Connector.
  b) Run the connectorctl setproxycert command and check the output.

     [cmxadmin@cmxadmin ~]$ connectorctl setproxycert squid.pem
     New cert exists.
     Starting connector container ...
     Current version in database: latest
     Container: [<Container: adlbledc71>]
     Running connector version: latest
     setproxycert successful.
     [cmxadmin@cmxadmin ~]$

     Note: The command may fail if you are using a transparent proxy or if you have not configured your proxy through the UI. This command verifies whether the certificate is configured correctly.

  c) Reconfigure the token on the Cisco DNA Spaces: Connector dashboard.

Step 4 Ensure that the certificate is valid by verifying the output of one of the following commands and ensuring that the output is HTTP/1.1 200 OK.

  • For transparent proxies:


    curl -vvv https://connector.dnaspaces.io --cacert <cert>

  • For explicit proxies:
    curl -vvv https://connector.dnaspaces.io --proxy http://<proxy server IP>:<port> --cacert <cert>

  Note: The curl command is available only in Cisco DNA Spaces: Connector version 2.1.

Step 5 If the previous steps do not resolve the issue, then you must include the dnaspaces.io domain in the allowed list for your proxy, and exclude it from HTTPS decryption (if enabled on your proxy).

  Note: Attempting to perform HTTPS decryption on the dnaspaces.io domain can interfere with or prevent the Websocket connections entirely.
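The troubleshooting steps above, wrapped into one check that runs the guide's curl probe and maps its outcome onto the step to take next (working proxy path, untrusted proxy certificate, unreachable proxy, or a proxy that needs dnaspaces.io allow-listed and excluded from HTTPS decryption). This is an added example, not Cisco's code; it assumes curl is available in the environment it runs in (the Note above limits curl to Connector 2.1, reached through the docker command in Step 2), and PROXY_URL and PROXY_CERT are variable names chosen for this example and supplied by the caller.

```shell
#!/usr/bin/env bash
# Proxy-path check for the Cisco DNA Spaces: Connector (example, not Cisco code).
# Runs the curl probe from the troubleshooting steps and maps the result onto
# the next step the guide prescribes. Assumptions: curl on PATH; PROXY_URL and
# PROXY_CERT are this example's own variable names, set by the caller.

ENDPOINT="https://connector.dnaspaces.io/"

# Read captured "curl -vvv" output from stdin and print one verdict word:
#   ok        - "HTTP/1.1 200 OK" (or HTTP/2 200) seen: the proxy path works
#   untrusted - curl: (60): the proxy terminates TLS with a certificate the
#               Connector does not trust; install it with connectorctl setproxycert
#   proxy     - curl: (5)/(7): the proxy itself could not be resolved or reached
#   blocked   - anything else: allow-list dnaspaces.io on the proxy and exclude
#               it from HTTPS decryption
# Matching "200 OK" rather than just "200" is deliberate: an explicit proxy
# answers CONNECT with "HTTP/1.1 200 Connection established" even when the TLS
# handshake behind it then fails.
classify_curl_output() {
    local out
    out=$(cat)
    case "$out" in
        *"curl: (60)"*)                     echo untrusted ;;
        *"curl: (5)"*|*"curl: (7)"*)        echo proxy ;;
        *"HTTP/1.1 200 OK"*|*"HTTP/2 200"*) echo ok ;;
        *)                                  echo blocked ;;
    esac
}

# Follow-up action for each verdict, in the order the guide presents the steps.
next_step() {
    case "$1" in
        ok)        echo "Proxy path works; no further action." ;;
        untrusted) echo "Copy the proxy certificate to the Connector, run connectorctl setproxycert <cert>, then reconfigure the token." ;;
        proxy)     echo "Check the proxy address and port entered in the Web UI and ping the proxy from the Connector CLI." ;;
        blocked)   echo "Add dnaspaces.io to the proxy allow-list and exclude it from HTTPS decryption." ;;
        *)         return 1 ;;
    esac
}

# Run the probe. With PROXY_URL set this is the guide's explicit-proxy form,
# otherwise the transparent-proxy form. PROXY_CERT, if set, is passed as
# --cacert so a newly installed proxy certificate can be validated (Step 4).
run_proxy_check() {
    local verdict
    set -- -sS -vvv -o /dev/null --max-time 20 -X GET
    [ -n "${PROXY_URL:-}" ]  && set -- "$@" --proxy "$PROXY_URL"
    [ -n "${PROXY_CERT:-}" ] && set -- "$@" --cacert "$PROXY_CERT"
    # Response headers and curl's own errors both arrive on stderr with -v.
    verdict=$(curl "$@" "$ENDPOINT" 2>&1 | classify_curl_output)
    echo "verdict: $verdict"
    echo "next:    $(next_step "$verdict")"
    [ "$verdict" = ok ]
}

# Usage: PROXY_URL=http://<proxy server IP>:<port> PROXY_CERT=squid.pem ./proxycheck.sh run
case "${1:-}" in
    run) run_proxy_check ;;
esac
```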


C H A P T E R 4Connecting a Connector to Cisco wirelesscontroller (controller)

Before you begin

• Deploy a Connector OVA and activate it using a token from Cisco DNA Spaces.

• The IP address of a Cisco wireless controller (controller) that is reachable from the Cisco DNA Spaces:Connector.

SUMMARY STEPS

1. Log in to Cisco DNA Spaces.
2. In the Cisco DNA Spaces dashboard, choose Setup > Wireless Networks.
3. Expand the Connect via Spaces Connector area using the respective drop-down arrow to display a list of steps.
4. To test the connectivity from the Connector to an existing controller, click Edit Controller from the Step 3 Area.
5. To add a new controller, click Add Controllers from the Step 3 Area.
6. From the Connector drop-down list, choose a Connector.
7. Enter the Controller IP address, Controller Name, and from the Controller Type drop-down list, choose WLC (AireOS) to connect to a Cisco wireless controller (controller).
8. From the Controller SNMP Version drop-down list, choose the SNMP Version of the controller.

• If you choose the SNMP version as v2C, specify the SNMP read-write community.
• If you choose the SNMP version as v3, specify the SNMPv3 username, password, and authentication protocol credentials. Ensure that the SNMPv3 user has read-write permissions on the controller.

9. Click Test Connectivity to run test PING and SNMP functionalities to the controller from the Connector. This test checks reachability and the credentials provided.

10. Click Save and Close.

DETAILED STEPS

Step 1 Log in to Cisco DNA Spaces.
Step 2 In the Cisco DNA Spaces dashboard, choose Setup > Wireless Networks.


Step 3 Expand the Connect via Spaces Connector area using the respective drop-down arrow to display a list of steps.
Step 4 To test the connectivity from the Connector to an existing controller, click Edit Controller from the Step 3 Area.

a) Click the pencil icon to edit a controller.
b) Choose an active Connector from the Connector drop-down list to enable the Test Connectivity button.
c) Go to Step 9.

Step 5 To add a new controller, click Add Controllers from the Step 3 Area.

Step 6 From the Connector drop-down list, choose a Connector.
Step 7 Enter the Controller IP address, Controller Name, and from the Controller Type drop-down list, choose WLC (AireOS) to connect to a Cisco wireless controller (controller).

Step 8 From the Controller SNMP Version drop-down list, choose the SNMP Version of the controller.

• If you choose the SNMP version as v2C, specify the SNMP read-write community.
• If you choose the SNMP version as v3, specify the SNMPv3 username, password, and authentication protocol credentials. Ensure that the SNMPv3 user has read-write permissions on the controller.

Note: Both SNMP v2c and SNMP v3 must have read-write permission on the controller, because the Connector uses SNMP to register its certificate on the controller. The Cisco DNA Spaces: Connector doesn't support SNMP v1.


Figure 9: Adding a Catalyst WLC Controller

Step 9 Click Test Connectivity to run test PING and SNMP functionalities to the controller from the Connector. This test checks reachability and the credentials provided.

Test Connectivity is enabled only when an active Connector is chosen.

Figure 10: List of Connectors and their states


Table 2: Error Description

Status of PING: SUCCESSFUL. Status of SNMP Credential Test: SUCCESSFUL.
Displayed Test Connectivity Message: "Connectivity test is successful"

Status of PING: SUCCESSFUL. Status of SNMP Credential Test: FAILED.
Displayed Test Connectivity Message: "Ping test to the controller is successful. But SNMP test has failed. Please check
a. Is SNMP enabled on the controller?
b. Is the SNMP port 161 of the controller reachable from the Connector?
c. Have you provided accurate SNMP read-write credentials?"

Status of PING: FAILED. Status of SNMP Credential Test: SUCCESSFUL.
Displayed Test Connectivity Message: "Connectivity test is successful"

Status of PING: FAILED. Status of SNMP Credential Test: FAILED.
Displayed Test Connectivity Message: "Both PING and SNMP test to the controller have failed. Please check:
a. Is there IP connectivity between Connector and controller?
b. Is SNMP enabled on the controller?
c. Is the SNMP port 161 of the controller reachable from the Connector?
d. Have you provided accurate SNMP read-write credentials?"

Step 10 Click Save and Close.

You can see the new controller in the View Controllers window. A controller that is successfully connected to the Cisco DNA Spaces: Connector appears as active. It takes approximately five minutes for the controller to be shown as Active. You must refresh your window to view the status change.

The added controller is also listed in the Controller Details window of the Cisco DNA Spaces: Connector.


You can add multiple Cisco wireless controllers (controllers) to a Cisco DNA Spaces: Connector.

The added Cisco wireless controller (controller) is now available for import into the Cisco DNA Spaces location hierarchy.


CHAPTER 5: Connecting a Connector to Cisco Catalyst 9800 Series Wireless Controllers

Before you begin

• Deploy a Connector OVA and activate it using a token from Cisco DNA Spaces.

• The IP address of a Cisco Catalyst 9800 Series Wireless Controller that is reachable from the Cisco DNA Spaces: Connector.

SUMMARY STEPS

1. Log in to Cisco DNA Spaces.
2. In the Cisco DNA Spaces dashboard, choose Setup > Wireless Networks.
3. Expand the Connect via Spaces Connector area using the respective drop-down arrow to display a list of steps.
4. To test the connectivity from the Connector to an existing controller, click Edit Controller from the Step 3 Area.
5. To add a new controller, click Add Controllers from the Step 3 Area.
6. From the Connector drop-down list, choose a Connector.
7. Enter the Controller IP address, Controller Name, and from the Controller Type drop-down list, choose Catalyst WLC to connect to a Cisco Catalyst 9800 Series Wireless Controller.
8. Do one of the following:

• Enter the Netconf username, Netconf password, and Enable password. This choice is preferred because the Connector can gracefully recover from NMSP drops and push a fresh configuration to the controller whenever required. If no enable password is configured on the Cisco Catalyst 9800 Series Wireless Controller, you can skip the Enable password in this step.

• Push the configuration to the controller yourself by copying the configuration commands in the Catalyst WLC CLI commands section and running them manually on the controller command-line interface.

9. (Optional) Run the PING and SSH functionalities to test reachability and credentials, and then click Test Connectivity. Test Connectivity is enabled only when an active Connector is chosen.

10. Click Save and Close.


DETAILED STEPS

Step 1 Log in to Cisco DNA Spaces.
Step 2 In the Cisco DNA Spaces dashboard, choose Setup > Wireless Networks.
Step 3 Expand the Connect via Spaces Connector area using the respective drop-down arrow to display a list of steps.
Step 4 To test the connectivity from the Connector to an existing controller, click Edit Controller from the Step 3 Area.

a) Click the pencil icon to edit a controller.
b) Choose an active Connector from the Connector drop-down list to enable the Test Connectivity button.
c) Go to Step 8.

Step 5 To add a new controller, click Add Controllers from the Step 3 Area.

Step 6 From the Connector drop-down list, choose a Connector.
Step 7 Enter the Controller IP address, Controller Name, and from the Controller Type drop-down list, choose Catalyst WLC to connect to a Cisco Catalyst 9800 Series Wireless Controller.
Step 8 Do one of the following:

• Enter the Netconf username, Netconf password, and Enable password. This choice is preferred because the Connector can gracefully recover from NMSP drops and push a fresh configuration to the controller whenever required. If no enable password is configured on the Cisco Catalyst 9800 Series Wireless Controller, you can skip the Enable password in this step.

• Push the configuration to the controller yourself by copying the configuration commands in the Catalyst WLC CLI commands section and running them manually on the controller command-line interface.

Step 9 (Optional) Run the PING and SSH functionalities to test reachability and credentials, and then click Test Connectivity. Test Connectivity is enabled only when an active Connector is chosen.

Figure 11: Adding a Catalyst WLC Controller

Table 3: Error Description

Status of PING: SUCCESSFUL. Status of SSH Credential Test: SUCCESSFUL.
Displayed Test Connectivity Message: "Connectivity test is successful"

Status of PING: SUCCESSFUL. Status of SSH Credential Test: FAILED.
Displayed Test Connectivity Message: "Ping test to the controller is successful. But SSH test has failed. Please check
a. Is SSH enabled on the controller?
b. Is the SSH port 22 of the controller reachable from the Connector?
c. Have you provided accurate SSH read-write credentials?"

Status of PING: FAILED. Status of SSH Credential Test: SUCCESSFUL.
Displayed Test Connectivity Message: "Connectivity test is successful"

Status of PING: FAILED. Status of SSH Credential Test: FAILED.
Displayed Test Connectivity Message: "Both PING and SSH test to the controller have failed. Please check:
a. Is there IP connectivity between Connector and controller?
b. Is SSH enabled on the controller?
c. Is the SSH port 22 of the controller reachable from the Connector?
d. Have you provided accurate SSH read-write credentials?
e. Is AAA enabled with local authentication?
f. Are you not using the Gig0 interface for NMSP and SSH connectivity?"

Step 10 Click Save and Close.

You can see the new or edited controller in the View Controllers window. A controller that is successfully connected to the Cisco DNA Spaces: Connector appears as active. It takes approximately five minutes for the controller to be shown as Active. You must refresh your window to view the status change.

The controller is also listed in the Controller Details window of the Cisco DNA Spaces: Connector.


You can add multiple Cisco wireless controllers (controllers) to a Cisco DNA Spaces: Connector.

The added Cisco wireless controller (controller) is now available for import into the Cisco DNA Spaces location hierarchy.


PART III: Location Hierarchy

• Importing a Cisco wireless controller (controller) to the Cisco DNA Spaces Location Hierarchy, on page 37


CHAPTER 6: Importing a Cisco wireless controller (controller) to the Cisco DNA Spaces Location Hierarchy

Before you begin

To import a Cisco wireless controller (controller) to the Cisco DNA Spaces location hierarchy, ensure that the Cisco wireless controller (controller) is connected to the Cisco DNA Spaces: Connector. See Connecting a Connector to Cisco wireless controller (controller), on page 23.

Note: This task is not applicable if you want to use map services for importing the locations to Cisco DNA Spaces. For instructions, refer to Importing Locations to the Location Hierarchy Using Map Services in the Cisco DNA Spaces configuration guide.

Step 1 Log in to Cisco DNA Spaces.
Step 2 From the left navigation pane, choose Setup > Wireless Networks.
Step 3 Expand the Connect via Spaces Connector area using the respective drop-down arrow.


Step 4 In the list of steps that are displayed, click Import Controller listed as the fourth step.


You can see a list of locations and previously added controllers.

Step 5 Do one of the following:

• Choose an already imported controller. You can import new controllers and add them as other controllers to thiscontroller.


• Choose a location where you want to import the controller to.

If the APs of the controllers are grouped as networks based on the naming convention, those network names appear. If you want to maintain the same grouping, select the networks. If the APs are not grouped, network names are not displayed.


Step 6 Click Next and Finish.


PART IV: Configure Privacy Settings

• Configuring Privacy Settings: MAC and Username Salt, on page 45


CHAPTER 7: Configuring Privacy Settings: MAC and Username Salt

You can mask MAC addresses and usernames by hashing them with a secret value, termed the MAC salt and the Username salt respectively. The salt is mixed into the hash so that the resulting value cannot be matched back to a raw MAC address or username by anyone who does not hold the salt; the masking is applied inside the docker connector. This step is optional.

You pass the MAC and username salt to the connector container using the Privacy settings in the Cisco DNA Spaces: Connector Web UI.
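As an added example, not code from the Cisco guide or from the Connector itself, the following Python shows salted pseudonymization of a MAC address and a username, and why a plain unsalted hash is not enough. The guide does not document the Connector's hash construction; HMAC-SHA256 keyed with the salt, the MAC normalization rules, and the sample MAC 00:11:22:00:00:2a are this example's own assumptions.

```python
# Added example (not the Connector's own code): salted pseudonymization of MAC
# addresses and usernames. The guide does not document the Connector's hash
# construction; HMAC-SHA256 keyed with the salt is this example's assumption.
import hashlib
import hmac
import re
import secrets

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical form (12 lowercase hex digits) so 00:11:22:AA:BB:CC,
    00-11-22-aa-bb-cc and 0011.22aa.bbcc all map to the same pseudonym."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def pseudonymize(value: str, salt: bytes) -> str:
    """HMAC-SHA256 of the canonical value, keyed with the salt (hex digest).
    The same salt always yields the same pseudonym, so repeat visits can still
    be counted; without the salt the pseudonym cannot be reversed or verified."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    return hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()


def pseudonymize_mac(mac: str, mac_salt: bytes) -> str:
    return pseudonymize(normalize_mac(mac), mac_salt)


def pseudonymize_username(username: str, username_salt: bytes) -> str:
    return pseudonymize(username.strip().lower(), username_salt)


def unsalted_digest(mac: str) -> str:
    """What an unsalted hash looks like: plain SHA-256 of the canonical MAC."""
    return hashlib.sha256(normalize_mac(mac).encode()).hexdigest()


def brute_force_unsalted(digest: str, oui: str, nic_limit: int = 1 << 24):
    """Why the salt matters: with the vendor OUI (first 3 bytes) known, the
    remaining NIC field is only 24 bits, so an unsalted hash is reversed by
    enumerating at most 16,777,216 candidates, minutes of offline work.
    nic_limit caps the search so the demonstration below finishes instantly."""
    prefix = normalize_mac(oui + "000000")[:6]
    for nic in range(nic_limit):
        candidate = f"{prefix}{nic:06x}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def new_salt() -> bytes:
    """Generate a fresh salt; rotating it unlinks old and new pseudonyms."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    salt = new_salt()
    print(pseudonymize_mac("00:11:22:AA:BB:CC", salt))
    # Constructed sample MAC with a small NIC value so the search finishes at once.
    print(brute_force_unsalted(unsalted_digest("00:11:22:00:00:2a"), "00:11:22", nic_limit=4096))
```

The salt is a secret, not a public parameter: treat it like a key, generate it with a CSPRNG, and keep it out of logs and screenshots, because anyone holding it can confirm whether a pseudonym belongs to a given MAC.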


PART V: Configure AAA

• Configure AAA, on page 49


CHAPTER 8: Configure AAA

• Information About AAA, on page 49
• Configure AAA, on page 49

Information About AAA

You can now forward connector authentications to a remote Authentication, Authorization, and Accounting (AAA) server (and bypass local authentication). You can use the command line to configure AAA. AAA-authenticated users can access the connector Web UI with the same access rights as the cmxadmin user. The cmxadmin user no longer has these access rights.

Note: In case the AAA configuration is incorrect, you can use the cmxadmin user to access the Web UI.

By default, the communication between the connector and the AAA server is over User Datagram Protocol (UDP). During configuration, you can choose to encrypt this traffic using the IPSec protocol. The supported IPSec authentication types are pubkey and PSK.

For the pubkey authentication type, provide a CA certificate file of AAA Server (PEM format).

For the PSK authentication type, choose to autogenerate the PSK or provide PSK configured in AAA server.

Configure AAA

To configure AAA, perform the following steps.

Before you begin

• To enable IP Security using the Pubkey authentication type, copy a CA certificate to the Authentication, Authorization, and Accounting (AAA) server and rename it as radiusca.pem.

SUMMARY STEPS

1. connectorctl aaa enable
2. connectorctl aaa edit


3. On the Connector Web UI, check the AAA status in the AAA Status field

DETAILED STEPS

Step 1 connectorctl aaa enable

Example:
[cmxadmin@cmxnew-01 ~]$ connectorctl aaa enable
Do you want to configure AAA Server? [yes/no] [yes]:
Enter AAA Server Host IP : 10.22.244.114
Enter AAA Server Port [1812]:
Enter AAA Server's shared secret key :
Repeat for confirmation:
Do you want to enable IPSec? (y/n) [n]:

AAA Server configured successfully
Connection to AAA Server Successful. AAA Settings are correct.
[cmxadmin@cmxnew-01 ~]$

Enable AAA.

Step 2 connectorctl aaa edit

Example:

This example configures AAA with IP Security with the Pubkey authentication type.
[cmxadmin@cmxnew-01 ~]$ connectorctl aaa edit
Do you want to CHANGE AAA Server settings? [yes/no] [yes]:
Enter AAA Server Host IP [10.22.244.114]:
Enter AAA Server Port [1812]:
Enter AAA Server's shared secret key :
Repeat for confirmation:
Do you want to enable IPSec? (y/n) [n]: y
Enter AAA Server's DNS name : aaa-srv-01
Select IPSec Auth Type: (pubkey/psk) [pubkey]:
AAA Server's CA Certificate file : radiusca.pem

AAA Server configured successfully
Connection to AAA Server Successful. AAA Settings are correct.
IPSec is Enabled
IPSec Status:
Security Associations (1 up, 0 connecting):
   aaa[1]: ESTABLISHED 0 seconds ago, 10.22.244.100[cmxnew-01]...10.22.244.114[aaa-srv-01]
   aaa{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c6c620cb_i c06dcc78_o
   aaa{1}: 10.22.244.100/32 === 10.22.244.114/32

Example:

This example configures AAA with IP Security with the PSK authentication type, providing the PSK value from the RADIUS server.
[cmxadmin@cmxnew-01 ~]$ connectorctl aaa edit
Do you want to CHANGE AAA Server settings? [yes/no] [yes]:
Enter AAA Server Host IP [10.22.244.114]:
Enter AAA Server Port [1812]:
Enter AAA Server's shared secret key :
Repeat for confirmation:
Do you want to enable IPSec? (y/n) [y]:
Enter AAA Server's DNS name [aaa-srv-01]:
Select IPSec Auth Type: (pubkey/psk) [pubkey]: psk
Do you want to auto-generate ('a') OR provide ('p') PSK from Radius Server ? [a]: p
Enter PSK from Radius Server : 7dBoZXAkhadFMsyJ8e9HsBxdajnUPcxS

AAA Server configured successfully
Connection to AAA Server Successful. AAA Settings are correct.
IPSec is Enabled
IPSec Status:
Security Associations (1 up, 0 connecting):
   aaa[1]: ESTABLISHED 1 second ago, 10.22.244.100[cmxnew-01]...10.22.244.114[aaa-srv-01]
   aaa{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c59d3960_i cf338432_o
   aaa{1}: 10.22.244.100/32 === 10.22.244.114/32
   aaa{2}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c75d414b_i c7e495e2_o
   aaa{2}: 10.22.244.100/32 === 10.22.244.114/32

Example:

This example configures AAA with IP Security with the PSK authentication type and autogenerates a new PSK value.
[cmxadmin@connector-01 ~]$ connectorctl aaa edit
Do you want to CHANGE AAA Server settings? [yes/no] [yes]:
Enter AAA Server Host IP [10.22.244.114]:
Enter AAA Server Port [1812]:
Enter AAA Server's shared secret key :
Repeat for confirmation:
Do you want to enable IPSec? (y/n) [y]:
Enter AAA Server's DNS name [aaa-srv-01]:
Select IPSec Auth Type: (pubkey/psk) [psk]:
Do you want to auto-generate ('a') OR provide ('p') PSK from Radius Server ? [a]: a
Generated PSK value = 3AhBgueQQ6YBkKMwqIr6jyxIuG9ekw8g

AAA Server configured successfully
Connection to AAA Server Successful. AAA Settings are correct.
IPSec is Enabled
IPSec Status:
Security Associations (0 up, 0 connecting):
no match

The IP Security status shows zero security associations, which means the IP Security tunnel is not yet established: the generated PSK must first be configured on the AAA server. Verify again a few seconds later using the connectorctl aaa show command, and compare the PSK value it reports with the one configured on the server.
[cmxadmin@connector-01 ~]$ connectorctl aaa show
AAA Server is Enabled
AAA Server IP: 10.22.244.114
AAA Server Port: 1812
Shared Secret: **<<masked>>**

IPSec is Enabled
AAA Server DNS: aaa-srv-01
IPSec Auth type: psk
IPSec PSK: 3AhBgueQQ6YBkKMwqIr6jyxIuG9ekw8g
IPSec Status:
Security Associations (1 up, 0 connecting):
   aaa[3]: ESTABLISHED 20 seconds ago, 10.22.244.100[connector-01]...10.22.244.114[aaa-srv-01]
   aaa{3}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: ca4688d1_i c24be7d9_o
   aaa{3}: 10.22.244.100/32 === 10.22.244.114/32

Connection to AAA Server Successful. AAA Settings are correct.

Edit an existing AAA configuration.

Step 3 On the Connector Web UI, check the AAA status in the AAA Status field


Figure 12: AAA Enabled with IP Security and PubKey

Figure 13: AAA Enabled without IP Security

AAA is enabled.

What to do next

You can disable AAA using the connectorctl aaa disable command. If you have IPSec enabled, you can restart the IPSec tunnel using the connectorctl aaa restart command, if necessary.
