Accepted Solutions
aradford, so you want all aaa commands in the EEM script^??
I just noticed this for software release 15.2(6)E1 which is the latest and greatest. 
Features Introduced in Cisco IOS Release 15.2(6)E1
- AAA command authorization is supported in Plug-n-Play (PnP) Agent: The PnP agent is enhanced to use credentials passed from the PnP server for TACACS or RADIUS authorization to complete PnP provisioning successfully.
So a upgrade might help here.
Alright I am getting some other issue after upgrading to 15.2.6(E1) it will not go into unclaim in my APIC, so I tried to modfiy my EEM script to this
event manager applet POST_PNP
event timer countdown time 90
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 2.0 cli command "aaa authorization config-commands"
action 2.1 cli command "aaa authorization commands 1 default group TACACS-ISE if-authenticated"
action 2.2 cli command "aaa authorization commands 15 default group TACACS-ISE if-authenticated"
action 2.3 cli command "aaa authentication login default group TACACS-ISE local"
action 2.4 cli command "aaa authorization exec default group TACACS-ISE local"
action 2.5 cli command "no event manager applet POST_PNP"
action 2.6 cli command "end"
action 2.7 cli command "wr mem"
action 3.0 cli command "end"
!
But this still not work for my devivices.
Stil getting this error:
2018-06-25 10:33:45 (Romance Daylight Time)Received response from pnp agent for message correlatorId: CiscoPnP-1.0-20-466-B0DE004-20 but with error code : ZTD_CMD_ERROR Response String: PERMISSION_DENIED:authorization failed
So how can I get this fixed. Is there something wrong in my EEM script or??
Hi araford,
Year a 100% that there is no AAA auth in my config.
But I found out that if I leave these two commands out
aaa authorization commands 1 default group TACACS-ISE if-authenticated
aaa authorization commands 15 default group TACACS-ISE if-authenticated
I can have the rest in my "normal" configuration, then I just need to past in the 2 lines afterwords.
Here is my configuration that I normal use:
!Version 2.0
!
!
no service pad
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime localtime year
service password-encryption
!
logging buffered 100000 warnings
no logging console
no logging monitor
logging source-interface vlan 1
!
hostname ${LOCATION_ID}${SWITCH_TYPE}-${SWITCHTEXT}
!
!
errdisable recovery cause all
!
!
vlan 10
name VoIP
!
vlan 20
name PRODUCTION
!
!
ip default-gateway 10.${DG_OKTET_IP_2}.${DG_OKTET_IP_3}.1
!
lldp run
!
udld enable
!
!
ip dhcp snooping vlan 1,10,20
ip dhcp snooping information option format remote-id hostname
no ip dhcp snooping information option
ip dhcp snooping database flash:/snooping.txt
ip dhcp snooping
!
mls qos map policed-dscp 0 10 18 24 46 to 8
mls qos map cos-dscp 0 8 16 26 34 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
class-map match-all AUTOQOS_VOIP_DATA_CLASS
match ip dscp ef
class-map match-all AUTOQOS_DEFAULT_CLASS
match access-group name AUTOQOS-ACL-DEFAULT
class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
match ip dscp cs3
!
class-map match-all IN-VOICE-SIG
match ip dscp cs3
class-map match-all IN-MULTIMEDIA-CONFERENCING
match ip dscp cs4 af41
class-map match-all OUT-CITRIX-OUT-VOICE-SIG
match ip dscp af31
class-map match-all OUT-VOICE
match ip dscp ef
class-map match-all IN-CITRIX
match access-group name IN-CITRIX
class-map match-all IN-VOICE
match ip dscp ef
!
!
policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
class AUTOQOS_VOIP_DATA_CLASS
set dscp ef
police 128000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_VOIP_SIGNAL_CLASS
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_DEFAULT_CLASS
police 10000000 8000 exceed-action policed-dscp-transmit
trust dscp
!
policy-map IN-MARKING
class IN-VOICE
set dscp ef
class IN-MULTIMEDIA-CONFERENCING
set dscp af41
class IN-CITRIX
set dscp af31
class IN-VOICE-SIG
set dscp af31
class class-default
set dscp default
!
!
crypto key generate rsa general-keys label SSH modulus 2048
ip ssh rsa keypair-name SSH
ip ssh version 2
!
line con 0
session-timeout 10
exec-timeout 10
logging synchronous
!
line vty 0 15
session-timeout 120
access-class 12 in
exec-timeout 120 0
transport preferred none
transport input ssh
!
!
no ip http server
no ip http secure-server
!
!
access-list 10 remark # CISCO PRIME #
access-list 10 permit 10.xxx.xxx.xxx
access-list 10 remark # CISCO APIC #
access-list 10 permit 10.xxx.xxx.xxx
access-list 10 remark # SOLARWWINDS #
access-list 10 permit 10.xxx.xxx.xxx
access-list 10 remark # JUMPSTATION WINDOWS #
access-list 10 permit 10.xxx.xxx.xxx
access-list 11 remark # CISCO PRIME #
access-list 11 permit 10.xxx.xxx.xxx
access-list 11 remark # CISCO APIC #
access-list 11 permit 10.xxx.xxx.xxx
access-list 11 remark # SOLARWWINDS #
access-list 11 permit 10.xxx.xxx.xxx
access-list 11 remark # JUMPSTATION WINDOWS #
access-list 11 permit 10.xxx.xxx.xxx
!
access-list 12 remark # CISCO PRIME #
access-list 12 permit 10.xxx.xxx.xxx
access-list 12 remark # CISCO APIC #
access-list 12 permit 10.xxx.xxx.xxx
access-list 12 remark # CISCO ANYCONNECT #
access-list 12 permit 10.xxx.xxx.xxx
access-list 12 remark # SOLARWWINDS #
access-list 12 permit 10.xxx.xxx.xxx
access-list 12 remark # SOLAR OFFICE #
access-list 12 permit 10.xxx.xxx.xxx
access-list 12 remark # JUMPSTATION WINDOWS #
access-list 12 permit 10.xxx.xxx.xxx
!
ip access-list standard 13
deny any
ip access-list standard 14
permit 10.xxx.xxx.xxx
permit 10.xxx.xxx.xxx
permit 10.xxx.xxx.xxx
permit 10.xxx.xxx.xxx
!
ip access-list extended IN-CITRIX
permit tcp any any eq 1494
permit tcp any any eq 2598
!
aaa new-model
!
aaa group server tacacs+ TACACS-ISE
server name piseadms001.solar.eu
server name piseadms002.solar.eu
!
aaa authentication login default group TACACS-ISE local
aaa authorization exec default group TACACS-ISE local
!
aaa session-id common
!
!
ip domain-lookup
ip domain-name xxxxxxxx.com
ip name-server 10.xxx.xxx.xxx
ip name-server 10.xxx.xxx.xxx
ip name-server 10.xxx.xxx.xxx
!
!
vtp mode transparent
vtp domain xxxxxxxx.com
!
!
!
tacacs server piseadms001.solar.eu
address ipv4 10.xxx.xxx.xxx
key 7
tacacs server piseadms002.solar.eu
address ipv4 10.xxx.xxx.xxx
key 7
!
username xxxxxxxx privilege 15 secret
!
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
interface vlan 1
ip address 10.${VLAN_OKTET_IP_2}.${VLAN_OKTET_IP_3}.${VLAN_OKTET_IP_4} 255.255.240.0
no shutdown
!
!
snmp-server community antigoon RO 10
snmp-server community antigoon RW 11
snmp-server ifindex persist
snmp-server location ${SNMP_LOCATION_NAME}
snmp-server contact 5x5
!
ntp server 10.xxx.xxx.xxx
ntp server 10.xxx.xxx.xxx
ntp server 10.xxx.xxx.xxx
ntp server 10.xxx.xxx.xxx
!
!
ntp access-group serve 13
ntp access-group peer 14
!
!
!
interface range gig0/1-8
description OFFICE
switchport mode access
switchport voice vlan 10
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input IN-MARKING
!
!
interface range GigabitEthernet0/9-10
description UPLINK
logging event link-status
logging event trunk-status
logging event bundle-status
switchport mode trunk
ip dhcp snooping trust
service-policy output OUT-QUEUEING
!
!
spanning-tree mode pvst
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
banner exec +
################################################################
* Connected to ${esc.d}(hostname).${esc.d}(domain)
* Use of this system constitutes your consent to monitoring.
################################################################
+
banner motd +
|------------------------------------------------------------------------|
| This system is for the use of authorized users only. |
| Individuals using this computer system without authority, |
| or in excess of their authority,are subject to having all |
| of their activities on this system monitored and recorded by |
| system personnel. In the course of monitoring individuals |
| improperly using this system, or in the course of system maintenance, |
| the activities of authorized users may also be monitored. |
| Anyone using this system expressly consents to such monitoring |
| and is advised that if such monitoring reveals possible evidence |
| of criminal activity, system personnel may provide the evidence of |
| such monitoring to law enforcement officials. |
|------------------------------------------------------------------------|
| | SITE: ${LOCATION_ID}
||| ||| LOCATION: ${SNMP_LOCATION_NAME}
||||| |||||| SWITCH TYPE: ${SWITCH_TYPE}
||||||||| ||||||||| NAME: $(hostname)
||||||||||||||||||||||||||| COUNTRY: ${COUNTRY}
C I S C O - S Y S T E M S
+
!
!
! EEM SCRIPT
!
event manager session cli username xxxxxxxx privilege 15
event manager applet POST_PNP
event timer countdown time 90
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 2.0 cli command "aaa authorization config-commands"
action 2.1 cli command "aaa authorization commands 1 default group TACACS-ISE if-authenticated"
action 2.2 cli command "aaa authorization commands 15 default group TACACS-ISE if-authenticated"
action 2.3 cli command "no event manager applet POST_PNP"
action 2.4 cli command "end"
action 2.5 cli command "wr mem"
action 3.0 cli command "end"
!
And I have tried to add this in instead :
!
! EEM SCRIPT
!
event manager session cli username xxxxxxxxx privilege 15
event manager applet POST_PNP
event timer countdown time 90
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 2.0 cli command "aaa authorization config-commands"
action 2.1 cli command "aaa authorization commands 1 default group TACACS-ISE if-authenticated"
action 2.2 cli command "aaa authorization commands 15 default group TACACS-ISE if-authenticated"
action 2.3 cli command "aaa authentication login default group TACACS-ISE local"
action 2.4 cli command "aaa authorization exec default group TACACS-ISE local"
action 2.5 cli command "no event manager applet POST_PNP"
action 2.6 cli command "end"
action 2.7 cli command "wr mem"
action 3.0 cli command "end"
And have the 2.3 and 2.4 line removed from the configuration, but still hitting the same error.
Hehe Point to my self, that I just need to past my configuration in here first. would save of some time on this matter
can you give more info here on what you mean for this matter??
So a command end without actoin 3.0 cli command or??
