## DNAC HA

The DNAC is currently sold as an appliance (part number DN1-HW-APL). It costs a whopping \$80k list per box! So why do you need three of them when doing a HA setup?

It is because of Quorum. The definition of quorum is:

"The number of members of a group or organization required to be present to transact business legally, usually a majority."

- source: dictionary.com

Say you only have two hosts in a cluster. If they get partitioned, who should take the role of servicing the network and maintaining the database? This is where quorum comes into play. When you have a three node cluster and one of them loses network connectivity to the other two nodes, the “majority” of nodes lies with the two nodes that can see each other. Quorum is obtained and DNAC continues to function. Now data consistency is also ensured when the network to the isolated single host is restored. This is also the reason why you can only survive losing a single DNAC host. If all three gets cut off from each other, you will need to isolate one of them and reinitialize the other two – one at a time.

This fact about quorum is very important when deciding where to place the nodes. First of all they must be layer 2 adjacent. Second they should be physically close to each other. At least two of them. If you have a data center with two sites, perhaps it would be a good idea to place one of the DNAC boxes at one site and two of them together at the other site.

Split Brain and Network Partition
Recover Failed Hosts in a Cluster

## DNAC – External Authentication with ISE Radius

You probably want to use an existing Identity Store such as Active Directory when managing your network infrastructure – including DNAC. Below is a guide on how to configure this functionality.

When you enable external authentication in DNAC it will not exempt you from using the locally defined users on DNAC – at least not the built-in admin user.

# DNAC External Authentication Configuration

Locate the “External Authentication” page in Settings -> System Settings -> Users

Here you define your ISE server IP address and the shared secret. Lastly you tick off the “Enable External User”. Do NOT modify the “AAA Attribute” default setting of “Cisco-AVPair”.

I assume you already have ISE integrated with Active Directory. We must add the Active Directory group to ISE for use in the policy set later.

Go to Administration -> Identity Management -> External Identity Store -> AD (or whatever you called your Active Directory store) -> Groups

To configure ISE to let DNAC use it as a AAA server, you must first add DNAC  as a Network Device in ISE.

Go to Administration -> Network Resources -> Network Devices

Here you add the DNAC by filling out the Name, IP address, Device Profile (Cisco), and Shared Secret:

Next go to Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols

Add a new Allowed Protocol Service like this:

Under Policy -> Policy Elements -> Results -> Authorization -> Authorization Profiles you add a new authorization profile for the ACCESSS-ACCEPT message we’ll use later in our policy set.

I called mine DNAC_Super_Admin, but the important part is the Advanced Attributes Settings where you must select Cisco:cisco-av-pair=Role=SUPER-ADMIN-ROLE

Attributes Details in the bottom should read:

Access Type = ACCESS_ACCEPT
cisco-av-pair = Role=SUPER-ADMIN-ROLE

Finally we should be able to create the policy set. Go to Policy -> Policy Sets and add a new policy for our DNAC-Admin policy:

Once created using the DNAC IP address as a condition, save it and modify it by clicking on the sign to the far right of the policy.

Now we can put in the Identity Store AD under the Authentication Policy and add an Authorization Policy containing the DNAC-Admins group as a condition and our DNAC_Super_Admin profile:

Hit save and you should be good to go.

Now in DNAC under Settings -> System Settings -> Users -> External Authentication you should see the external Users that have successfully logged on.

## DNA Center – Reinstall

If you messed up your DNAC or just want to start over, you can do so by downloading the ISO for the appliance. Get the ISO on the below link:

If you use Rufus or any other tools for the USB installer creation, it might not work due to insanely long file names in the ISO.

You must also NOT mount the ISO with CIMC and install over the network. Although it might work, Cisco discourages using this approach, because they’ve seen many installs go bad. I’ve been there, too!

Be sure to read the release notes carefully! Especially regarding the order of which you install packages after the initial ISO install.

That’s it for this post. I hope you get your DNAC up and running! And remember that SDA is a journey and it will take time – a lot of time!

## DNAC Integration with ISE using a self-signed Certificate

NOTE! Using ISE 2.3p3 is not an option due to CSCvi94778

If you’re deploying a DNAC and you want to integrate with ISE, you might have read the following documents:

I did and ended up with this error in DNAC when adding ISE:

Clearly this is a certificate error. The thing is that Cisco mentions that SAN (Subject Alternate Name) is essential for the trust between DNAC and ISE. They state this:

The IP address or FQDN of both Cisco ISE and DNA Center should be present in either the Subject Name field or the Subject Alt Name field of the corresponding certificates.

So I decided to use DNS for my SAN and got the above error! A colleague of mine decided to go with IPs instead which worked! Here is how you do it.

Create a file named req.conf with the following content:

[ ca ]
default_ca = CA_default

[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca

[req_distinguished_name]
C = DK
O = MyCompany
CN = dnac.sda.domain.lab

[alternate_names]
IP.1 = 10.0.0.101
IP.2 = 10.0.0.201
DNS.1 = dnac.sda.domain.lab

[v3_ca]
basicConstraints = CA:TRUE
subjectAltName = @alternate_names
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment

[CA_default]
copy_extensions = copy

This serves as a configuration file for openssl. Specify both the real IP of the DNAC(s) and the VIP.

Next, use openssl to generate a self-signed certificate like this:

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 1825 -config req.conf

The only thing needed is to upload the new certificate to DNAC. Browse to Settings -> Certificate and click Replace Certificate.

Click Upload/Activate and wait for 5-10 minutes. Refresh the page and you should be prompte to accept the newly (untrusted) certificate in your browser.

Now you can add ISE under Settings -> Authentication and Policy Servers

If it works, you should see this:

Now you must approve DNAC in ISE. Go to your ISE Web UI under Administration -> pxGrid Services

Here you’ll see this:

Select Total Pending Approval and select Approve all (click OK to confirm).

Now back to DNAC and you’ll see this:

All done. Success!