Cisco DNA: Sensor test with EAP-TLS

I was configuring a wireless Sensor in DNAC and ran into a few issues so I’ll post my finding here.

First of all, you need to properly configure the Sensor DHCP scope. Options 43 and 42 will be needed. Note that option 43 carries the IP address of DNAC.

ip dhcp pool dnac_1800_sensor
 option 43 ascii "5A1N;B2;K4;I172.19.45.222;J80"

As described in this article, the option 43 string has the following components, delimited by semicolons:

  • 5A1N;—Specifies the DHCP suboption for Plug and Play, active operation, version 1, no debug information. It is not necessary to change this part of the string.
  • B2;—IP address type: B2 = IPv4 (default).
  • K4;—Transport protocol between the PnP agent and the controller: K4 = HTTP (default), K5 = HTTPS. The example above uses HTTP, which matches the port 80 in the J field.
  • Ixxx.xxx.xxx.xxx;—IP address or hostname of the APIC-EM controller/DNAC (following a capital letter I). In this example, the IP address is 172.19.45.222.
  • Jxxxx—Port number to use to connect to the APIC-EM controller/DNAC. In this example, the port number is 80. The default is port 80 for HTTP and port 443 for HTTPS.

option 42 ip <NTP IP>

  • This option specifies a list of the NTP servers available to the client by IP address.
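A typo in the option 43 string is easy to make and the sensor gives little feedback when it cannot reach DNAC, so it helps to sanity-check the string before pasting it into the pool. The following is an added example, not part of the original post, written as a small POSIX shell validator for the field layout described above. Accepting B1 (hostname) alongside B2 and K5 (HTTPS) alongside K4 comes from the Cisco PnP documentation rather than this page; the sample strings in the loop at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): validate a Cisco PnP DHCP
# option 43 string of the form 5A1N;B<type>;K<transport>;I<host>;J<port>.
# Prints "host=... port=... transport=..." and returns 0 when the string is
# well formed, returns 1 otherwise.

pnp43_check() {
  s=$1
  host='' port='' transport=''
  # The string must open with the fixed PnP suboption marker.
  case "$s" in 5A1N\;*) ;; *) return 1 ;; esac
  old_ifs=$IFS; IFS=';'
  for field in $s; do
    case "$field" in
      5A1N) ;;
      B1|B2) ;;                       # address type: B2 = IPv4 (default); B1 = hostname (Cisco docs, assumption beyond this page)
      K4|K5) transport=$field ;;      # K4 = HTTP (default), K5 = HTTPS (Cisco docs)
      I?*) host=${field#I} ;;         # controller/DNAC address after a capital I
      J?*) port=${field#J} ;;         # TCP port after a capital J
      *) IFS=$old_ifs; return 1 ;;    # unknown, empty or valueless field
    esac
  done
  IFS=$old_ifs
  [ -n "$host" ] || return 1
  case "$port" in ''|*[!0-9]*) return 1 ;; esac   # port must be all digits
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  echo "host=$host port=$port transport=${transport:-K4}"
}

# Demo run: the post's own string plus two constructed, deliberately broken ones.
for s in '5A1N;B2;K4;I172.19.45.222;J80' '5A1N;B2;K4;J80' '5A1N;B2;K4;I172.19.45.222;J8x'; do
  if out=$(pnp43_check "$s"); then echo "OK   $s -> $out"; else echo "BAD  $s"; fi
done
```

Run it with `sh` before committing the pool; the second and third sample strings (missing I field, non-numeric port) are rejected, the first is accepted.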

Once the sensor is on the network and joined to DNAC it is time to set up Sensor-driven tests under Assurance > Manage.

The test setup is very straightforward; however, I ran into an issue where PEAP or EAP-TLS tests were failing. Long story short, it turned out to be a bug, so always check for new AP images on CCO.

Once I had the new image and PEAP tested good, I moved on to the EAP-TLS test setup. There is literally no documentation on how to set it up. When you pick EAP-TLS for the EAP method there is an option to add the certificate.

There are not a lot of details on what this certificate should look like and what it should contain. Also, the certificate file extension is a bit confusing.

The proper file format is .pfx (PKCS#12), and the file should contain the following:

  • Device certificate
  • Private Key
  • Signing Root
  • Signing Intermediate (if applicable)

In order to build this file, I used OpenSSL with the following command (when the command is executed you will be asked for a password to protect the file). Make sure to include the full signing certificate chain, as without it the test will fail.

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

where

  • certificate.pfx – the file to use in DNAC
  • certificate.crt – Device certificate
  • privateKey.key – Private Key
  • CACert.crt – bundled signing Root and Intermediate in one text file. Each certificate keeps its own BEGIN CERTIFICATE / END CERTIFICATE lines, one PEM block after the other.

A great free program to check the contents of your final .pfx file is xca. For example, below are the contents of a .pfx file where we see the key, the cert, and 2 CAs. The red cross means the certificates are not trusted because they were internally signed.
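For readers who would rather verify the bundle from the command line than with a GUI, here is an added example that is not part of the original post. It builds a throwaway root, intermediate and device certificate with OpenSSL so that CACert.crt really has two certificates in it, runs the same `openssl pkcs12 -export` command as above (with the password supplied non-interactively), and then counts what ended up inside the .pfx and checks that the device certificate chains to the root through the intermediate. It assumes only an `openssl` binary on PATH; the subjects, file names under a temporary directory and the export password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): build a test chain, export the
# sensor .pfx the way the post does, then verify the bundle with openssl.
# Assumes openssl 1.1.1 or newer on PATH; names and password are constructed.
set -e

WORK="${TMPDIR:-/tmp}/sensor-eaptls-demo"
PFX_PASS='demo-export-password'   # constructed; DNAC prompts for this on import

# Root (self-signed) -> intermediate -> device, so CACert.crt must carry two CAs.
build_chain() {
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" \
    -subj '/CN=Demo Root CA' 2>/dev/null

  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
    -subj '/CN=Demo Intermediate CA' 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/inter.ext"
  openssl x509 -req -days 365 -in "$WORK/inter.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/inter.ext" -out "$WORK/inter.crt" 2>/dev/null

  # Device (sensor) certificate: end entity with the client-auth EKU
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/privateKey.key" -out "$WORK/device.csr" \
    -subj '/CN=sensor01.demo.invalid' 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' \
    > "$WORK/device.ext"
  openssl x509 -req -days 365 -in "$WORK/device.csr" \
    -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" -CAcreateserial \
    -extfile "$WORK/device.ext" -out "$WORK/certificate.crt" 2>/dev/null

  # CACert.crt = root + intermediate concatenated; each PEM block keeps its
  # own BEGIN/END CERTIFICATE lines, which is all the separation needed.
  cat "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/CACert.crt"
}

# The post's export command, password passed with -passout instead of a prompt.
export_pfx() {
  openssl pkcs12 -export -out "$WORK/certificate.pfx" \
    -inkey "$WORK/privateKey.key" -in "$WORK/certificate.crt" \
    -certfile "$WORK/CACert.crt" -passout "pass:$PFX_PASS"
}

# Certificates inside the .pfx: expect 3 (device + intermediate + root).
pfx_cert_count() {
  openssl pkcs12 -in "$WORK/certificate.pfx" -nokeys -passin "pass:$PFX_PASS" \
    | grep -c 'BEGIN CERTIFICATE'
}

# Private keys inside the .pfx: expect exactly 1.
pfx_key_count() {
  openssl pkcs12 -in "$WORK/certificate.pfx" -nocerts -nodes -passin "pass:$PFX_PASS" \
    | grep -c 'BEGIN.*PRIVATE KEY'
}

# Does the device cert chain to the root through the intermediate? (exit 0 = yes)
chain_ok() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
    "$WORK/certificate.crt" >/dev/null 2>&1
}

main() {
  build_chain
  export_pfx
  echo "certificates in pfx: $(pfx_cert_count)"
  echo "private keys in pfx: $(pfx_key_count)"
  chain_ok && echo "chain verifies: yes" || echo "chain verifies: NO"
}

main
```

If `pfx_cert_count` reports 1 instead of 3, CACert.crt was not bundled (or the -certfile argument was dropped), which is exactly the missing-chain case that makes the sensor test fail; a chain that does not verify points at the root or intermediate in CACert.crt not being the one that actually signed the device certificate.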

Once your certificate is built and verified you can import it into DNAC, and the Sensor-driven EAP-TLS test will succeed.

I was going through all of these exercises to have a device on the wireless network to proactively monitor and report when there is an issue with EAP-TLS authentication. Once I was past the monitor phase I was puzzled to find out there is no simple alerting mechanism built into DNAC (email, Syslog or SNMP) and additional integration was required. TBC.
