topic PnP line vty configuration in Controllers

PnP line vty configuration

Seb Rupik — Fri, 01 Mar 2019 12:38:07 GMT

Hello again,

I am encountering an issue where line vty configuration is not correctly being pushed to the switch. My template contains the following:

line con 0

logging synchronous

line vty 0

logging synchronous

line vty 1 15

session-timeout 150

authorization commands 15 DMZ-TACACS-SERVERS

authorization exec DMZ-TACACS-SERVERS

logging synchronous

transport input ssh

...the generated configuration listed against the switch shows the identical configuration. However after the config is deployed, the switch running config shows:

line con 0

logging synchronous

line vty 0

logging synchronous

line vty 1 4

session-timeout 150

logging synchronous

transport input ssh

line vty 5 15

session-timeout 150

logging synchronous

transport input ssh

...missing crucial AAA methods! The deployment ends in an 'error' state with the following message:

Received response from pnp agent for message correlatorId: CiscoPnP-1.0-15-324-EBF7F68-13 but with error code : ZTD_CMD_ERROR Response String: PERMISSION_DENIED:authorization failed

I assume this is because APIC-EM can not log into the switch with the AAA TACACS credentials used as part of the build process?

FYI 'line vty 0' is given different configuration as I can see via 'sh users' that it is used by the PnP process so thought I should not apply the TACACS AAA methods to it.

Is there any log file buried within APIC-EM which would show me why only some of the config is being applied?

cheers,

Seb.

Re: PnP line vty configuration

aradford — Thu, 11 May 2017 14:47:43 GMT

Hi Seb,

this is an issue with the way the pnp agent on the device handles the "aaa authorisation" commands.

There is a solution with IOS 16.3 code, however, there is also a workaround I published using an EEM script in a blog post.

Network Automation with Plug and Play (PnP) – Part 7

In your case, you should add the VTY aaa commands to the EEM script too.

Adam

Re: PnP line vty configuration

Seb Rupik — Thu, 11 May 2017 21:26:38 GMT

Hi Adam,

You're certainly the guy with all the answers. This deployment is for a 3560CX so will give the EEM script a try. Do you know if there will be a fix for switches that can't run code higher that 15.x ?

Thanks again,

Seb.

Re: PnP line vty configuration

aradford — Fri, 12 May 2017 13:13:39 GMT

Some answers... 🙂

From release notes:

AAA device credential support. The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release IOS 15.6(3)M1, IOS XE 16.3.2, or IOS XE 16.4 or later on the device.

Let me know how the EEM script goes.

Adam