Frank Osberg
Enthusiast

C3560cx provisioning from APIC PNP fails

Hi all,

I am having a small issue... When I try to provision my C3560CX model running software version

Switch Ports Model              SW Version   SW Image
------ ----- -----              ----------   ----------
*    1 12    WS-C3560CX-8PC-S   15.2(4)E4    C3560CX-UNIVERSALK9-M

I am getting this error:

Received response from pnp agent for message correlatorId: CiscoPnP-1.0-50-370-B44C140-47 but with error code : ZTD_CMD_ERROR Response String: PERMISSION_DENIED:authorization failed

I can see when I google that some are referring to other software versions, but also that it could be something with the aaa method.

Here I am using:

aaa authentication login default group TACACS-ISE local
aaa authorization config-commands
aaa authorization exec default group TACACS-ISE local
aaa authorization commands 1 default group TACACS-ISE if-authenticated
aaa authorization commands 15 default group TACACS-ISE if-authenticated

and the group contains my TACACS servers.

Does anybody have some info on how to fix this?

I have also tried to run the aaa with an EEM script like this:

! EEM SCRIPT
!
event manager applet POST_PNP
 event timer countdown time 90
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 2.0 cli command "aaa authorization config-commands"
 action 2.1 cli command "aaa authorization commands 1 default group TACACS-ISE if-authenticated"
 action 2.2 cli command "aaa authorization commands 15 default group TACACS-ISE if-authenticated"
 action 2.3 cli command "no event manager applet POST_PNP"
 action 2.4 cli command "end"
 action 2.5 cli command "wr mem"
 action 3.0 cli command "end"

but that doesn't change anything here.

Hope somebody can give me some direction on this matter.

Frank


aradford
Cisco Employee

Yes, this is a known issue: when you turn on command authorisation, the PnP process no longer has permission to complete the configuration.

You need to remove the authorisation commands from the config file and move them into the EEM script (also contained in the config file).

The EEM script will fire 90 seconds after the PnP process completes, thus allowing you to keep the command authorisation CLI.

aradford, so you want all aaa commands in the EEM script?

I just noticed this for software release 15.2(6)E1, which is the latest and greatest.

Features Introduced in Cisco IOS Release 15.2(6)E1

  • AAA command authorization is supported in Plug-n-Play (PnP) Agent: The PnP agent is enhanced to use credentials passed from the PnP server for TACACS or RADIUS authorization to complete PnP provisioning successfully.

So an upgrade might help here.

Yes, that is the other approach.

Alright, I am getting another issue after upgrading to 15.2(6)E1: it will not go into unclaimed in my APIC, so I tried to modify my EEM script to this

event manager applet POST_PNP
 event timer countdown time 90
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 2.0 cli command "aaa authorization config-commands"
 action 2.1 cli command "aaa authorization commands 1 default group TACACS-ISE if-authenticated"
 action 2.2 cli command "aaa authorization commands 15 default group TACACS-ISE if-authenticated"
 action 2.3 cli command "aaa authentication login default group TACACS-ISE local"
 action 2.4 cli command "aaa authorization exec default group TACACS-ISE local"
 action 2.5 cli command "no event manager applet POST_PNP"
 action 2.6 cli command "end"
 action 2.7 cli command "wr mem"
 action 3.0 cli command "end"
!

But this still does not work for my devices.

Still getting this error:

2018-06-25 10:33:45 (Romance Daylight Time) Received response from pnp agent for message correlatorId: CiscoPnP-1.0-20-466-B0DE004-20 but with error code : ZTD_CMD_ERROR Response String: PERMISSION_DENIED:authorization failed

So how can I get this fixed? Is there something wrong in my EEM script?

Hi,

This error is not due to your EEM script. That should fire after the PnP process completes.

Are you sure you removed all of the "aaa authorisation" commands from the initial configuration that was pushed?

Hi aradford,

Yeah, 100% sure that there is no AAA auth in my config.

But I found out that if I leave these two commands out

aaa authorization commands 1 default group TACACS-ISE if-authenticated
aaa authorization commands 15 default group TACACS-ISE if-authenticated

I can have the rest in my "normal" configuration; then I just need to paste in the 2 lines afterwards.

Here is the configuration that I normally use:

!Version 2.0
!
!
no service pad
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime localtime year
service password-encryption
!
logging buffered 100000 warnings
no logging console
no logging monitor
logging source-interface vlan 1
!
hostname ${LOCATION_ID}${SWITCH_TYPE}-${SWITCHTEXT}
!
!
errdisable recovery cause all
!
!
vlan 10
 name VoIP
!
vlan 20
 name PRODUCTION
!
!
ip default-gateway 10.${DG_OKTET_IP_2}.${DG_OKTET_IP_3}.1
!
lldp run
!
udld enable
!
!
ip dhcp snooping vlan 1,10,20
ip dhcp snooping information option format remote-id hostname
no ip dhcp snooping information option
ip dhcp snooping database flash:/snooping.txt
ip dhcp snooping
!
mls qos map policed-dscp  0 10 18 24 46 to 8
mls qos map cos-dscp 0 8 16 26 34 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
class-map match-all AUTOQOS_VOIP_DATA_CLASS
 match ip dscp ef
class-map match-all AUTOQOS_DEFAULT_CLASS
 match access-group name AUTOQOS-ACL-DEFAULT
class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
 match ip dscp cs3
!
class-map match-all IN-VOICE-SIG
 match ip dscp cs3
class-map match-all IN-MULTIMEDIA-CONFERENCING
 match ip dscp cs4  af41
class-map match-all OUT-CITRIX-OUT-VOICE-SIG
 match ip dscp af31
class-map match-all OUT-VOICE
 match ip dscp ef
class-map match-all IN-CITRIX
 match access-group name IN-CITRIX
class-map match-all IN-VOICE
 match ip dscp ef
!
!
policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
 class AUTOQOS_VOIP_DATA_CLASS
  set dscp ef
  police 128000 8000 exceed-action policed-dscp-transmit
 class AUTOQOS_VOIP_SIGNAL_CLASS
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
 class AUTOQOS_DEFAULT_CLASS
  police 10000000 8000 exceed-action policed-dscp-transmit
  trust dscp
!
policy-map IN-MARKING
 class IN-VOICE
  set dscp ef
 class IN-MULTIMEDIA-CONFERENCING
  set dscp af41
 class IN-CITRIX
  set dscp af31
 class IN-VOICE-SIG
  set dscp af31
 class class-default
  set dscp default
!
!
crypto key generate rsa general-keys label SSH modulus 2048
ip ssh rsa keypair-name SSH
ip ssh version 2
!
line con 0
 session-timeout 10
 exec-timeout 10
 logging synchronous
!
line vty 0 15
 session-timeout 120
 access-class 12 in
 exec-timeout 120 0
 transport preferred none
 transport input ssh
!
!
no ip http server
no ip http secure-server
!
!
access-list 10 remark # CISCO PRIME #
access-list 10 permit 10.xxx.xxx.xxx
access-list 10 remark # CISCO APIC #
access-list 10 permit 10.xxx.xxx.xxx
access-list 10 remark # SOLARWINDS #
access-list 10 permit 10.xxx.xxx.xxx
access-list 10 remark # JUMPSTATION WINDOWS #
access-list 10 permit 10.xxx.xxx.xxx
access-list 11 remark # CISCO PRIME #
access-list 11 permit 10.xxx.xxx.xxx
access-list 11 remark # CISCO APIC #
access-list 11 permit 10.xxx.xxx.xxx
access-list 11 remark # SOLARWINDS #
access-list 11 permit 10.xxx.xxx.xxx
access-list 11 remark # JUMPSTATION WINDOWS #
access-list 11 permit 10.xxx.xxx.xxx
!
access-list 12 remark # CISCO PRIME #
access-list 12 permit 10.xxx.xxx.xxx
access-list 12 remark # CISCO APIC #
access-list 12 permit 10.xxx.xxx.xxx
access-list 12 remark # CISCO ANYCONNECT #
access-list 12 permit 10.xxx.xxx.xxx
access-list 12 remark # SOLARWINDS #
access-list 12 permit 10.xxx.xxx.xxx
access-list 12 remark # SOLAR OFFICE #
access-list 12 permit 10.xxx.xxx.xxx
access-list 12 remark # JUMPSTATION WINDOWS #
access-list 12 permit 10.xxx.xxx.xxx
!
ip access-list standard 13
 deny any
ip access-list standard 14
 permit 10.xxx.xxx.xxx
 permit 10.xxx.xxx.xxx
 permit 10.xxx.xxx.xxx
 permit 10.xxx.xxx.xxx
!
ip access-list extended IN-CITRIX
 permit tcp any any eq 1494
 permit tcp any any eq 2598
!
aaa new-model
!
aaa group server tacacs+ TACACS-ISE
 server name piseadms001.solar.eu
 server name piseadms002.solar.eu
!
aaa authentication login default group TACACS-ISE local
aaa authorization exec default group TACACS-ISE local
!
aaa session-id common
!
!
ip domain-lookup
ip domain-name xxxxxxxx.com
ip name-server 10.xxx.xxx.xxx
ip name-server 10.xxx.xxx.xxx
ip name-server 10.xxx.xxx.xxx
!
!
vtp mode transparent
vtp domain xxxxxxxx.com
!
!
!
tacacs server piseadms001.solar.eu
 address ipv4 10.xxx.xxx.xxx
 key 7
tacacs server piseadms002.solar.eu
 address ipv4 10.xxx.xxx.xxx
 key 7
!
username xxxxxxxx privilege 15 secret
!
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
interface vlan 1
 ip address 10.${VLAN_OKTET_IP_2}.${VLAN_OKTET_IP_3}.${VLAN_OKTET_IP_4} 255.255.240.0
 no shutdown
!
!
snmp-server community antigoon RO 10
snmp-server community antigoon RW 11
snmp-server ifindex persist
snmp-server location ${SNMP_LOCATION_NAME}
snmp-server contact 5x5
!
ntp server 10.xxx.xxx.xxx
ntp server 10.xxx.xxx.xxx
ntp server 10.xxx.xxx.xxx
ntp server 10.xxx.xxx.xxx
!
!
ntp access-group serve 13
ntp access-group peer 14
!
!
!
interface range gig0/1-8
 description OFFICE
 switchport mode access
 switchport voice vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input IN-MARKING
!
!
interface range GigabitEthernet0/9-10
 description UPLINK
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 switchport mode trunk
 ip dhcp snooping trust
 service-policy output OUT-QUEUEING
!
!
spanning-tree mode pvst
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
banner exec +
################################################################
* Connected to ${esc.d}(hostname).${esc.d}(domain)
* Use of this system constitutes your consent to monitoring.
################################################################
+
banner motd +
|------------------------------------------------------------------------|
| This system is for the use of authorized users only.                   |
| Individuals using this computer system without authority,              |
| or in excess of their authority,are subject to having all              |
| of their activities on this system monitored and recorded by           |
| system personnel. In the course of monitoring individuals              |
| improperly using this system, or in the course of system maintenance,  |
| the activities of authorized users may also be monitored.              |
| Anyone using this system expressly consents to such monitoring         |
| and is advised that if such monitoring reveals possible evidence       |
| of criminal activity, system personnel may provide the evidence of     |
| such monitoring to law enforcement officials.                          |
|------------------------------------------------------------------------|
       |           |            SITE: ${LOCATION_ID}
      |||         |||           LOCATION: ${SNMP_LOCATION_NAME}
     |||||      ||||||          SWITCH TYPE: ${SWITCH_TYPE}
   |||||||||   |||||||||        NAME: $(hostname)
|||||||||||||||||||||||||||     COUNTRY: ${COUNTRY}
C I S C O  -  S Y S T E M S
+
!
!
! EEM SCRIPT
!
event manager session cli username xxxxxxxx privilege 15
event manager applet POST_PNP
 event timer countdown time 90
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 2.0 cli command "aaa authorization config-commands"
 action 2.1 cli command "aaa authorization commands 1 default group TACACS-ISE if-authenticated"
 action 2.2 cli command "aaa authorization commands 15 default group TACACS-ISE if-authenticated"
 action 2.3 cli command "no event manager applet POST_PNP"
 action 2.4 cli command "end"
 action 2.5 cli command "wr mem"
 action 3.0 cli command "end"
!

And I have tried to add this in instead:

!
! EEM SCRIPT
!
event manager session cli username xxxxxxxxx privilege 15
event manager applet POST_PNP
 event timer countdown time 90
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 2.0 cli command "aaa authorization config-commands"
 action 2.1 cli command "aaa authorization commands 1 default group TACACS-ISE if-authenticated"
 action 2.2 cli command "aaa authorization commands 15 default group TACACS-ISE if-authenticated"
 action 2.3 cli command "aaa authentication login default group TACACS-ISE local"
 action 2.4 cli command "aaa authorization exec default group TACACS-ISE local"
 action 2.5 cli command "no event manager applet POST_PNP"
 action 2.6 cli command "end"
 action 2.7 cli command "wr mem"
 action 3.0 cli command "end"

and I have removed the 2.3 and 2.4 lines from the configuration, but am still hitting the same error.

Accepted solution:

Ok... I think I see the problem!!

I have seen this before. Can you change the EEM timeout to 180 seconds.

You are switching over the management interface. Sometimes it takes longer than 90 seconds to finish the PnP process, and the EEM script is firing too early.

Adam

Sure let me try this.

Ahh, that fixed the issue here. Thanks for your help, aradford.

Excellent. Thanks for your patience and letting me know.

I should have thought of this earlier but did not realize you were switching interface IP addresses.

Hehe, note to myself that I just need to paste my configuration in here first. Would have saved some time on this matter.

Ahh, I can see that the problem is not solved yet.

It's not using my EEM script; my log tells me this:

Jun 26 2018 13:06:15: %DHCP_SNOOPING-4-NTP_NOT_RUNNING: NTP is not running; reloaded binding lease expiration times are incorrect.
Jun 26 2018 13:06:22: %AAAA-4-NOSERVER: Warning: Server piseadms001.solar.eu is not defined.
Jun 26 2018 13:06:22: %AAAA-4-NOSERVER: Warning: Server piseadms002.solar.eu is not defined.
Jun 26 2018 15:06:27: %PARSER-4-BADCFG: Unexpected end of configuration file.
Jun 26 2018 15:08:14: %DHCP_SNOOPING-4-DHCP_SNOOPING_DATABASE_FLASH_WARNING: Saving DHCP snooping bindings to flash can fill up your device causing the writes of bindings to device, to fail.
Jun 26 2018 15:08:19: %PARSER-4-BADCFG: Unexpected end of configuration file.

My EEM script is:

!
! EEM SCRIPT
!
event manager session cli username XXXX privilege 15
event manager applet POST_PNP
 event timer countdown time 180
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 2.0 cli command "aaa authorization config-commands"
 action 2.1 cli command "aaa authorization commands 1 default group TACACS-ISE if-authenticated"
 action 2.2 cli command "aaa authorization commands 15 default group TACACS-ISE if-authenticated"
 action 2.3 cli command "no event manager applet POST_PNP"
 action 2.4 cli command "end"
 action 2.5 cli command "wr mem"
 action 3.0 cli command "end"
!

Those two commands are not being put into the configuration.

You need "end" as the last statement in your configuration file, after the EEM script.

Can you give more info here on what you mean by this?

So a command "end" without action 3.0 cli command, or?
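The thread ends on three ordering rules for a PnP configuration template: on releases before 15.2(6)E1 keep "aaa authorization config-commands" and "aaa authorization commands ..." out of the initial config and push them from an EEM applet instead, give that applet a countdown long enough for PnP to finish (180 seconds resolved this case), and finish the file with "end" so IOS does not log %PARSER-4-BADCFG and drop the trailing applet. The Python below is an editor-added linter that checks a template for exactly those three pitfalls; it is not code from the thread, from Cisco or from the APIC. The two sample templates, the applet name POST_PNP, the username "admin" and the 180-second threshold are constructed from the thread's own values. It also flags one caveat the thread does not raise: "if-authenticated" is a fallback authorization method, so when the TACACS group cannot be reached every authenticated user is authorized for every command; whether that is acceptable is a policy decision for the site, which is why it is reported as a warning rather than an error.

```python
"""Editor-added linter for a PnP config template; not code from the thread."""
import re
from dataclasses import dataclass, field

# Before IOS 15.2(6)E1 these, in the initial config, break the PnP agent's own push.
DEFERRED_AAA = ("aaa authorization config-commands", "aaa authorization commands ")
MIN_COUNTDOWN = 180  # seconds: 90 fired too early in the thread, 180 worked

@dataclass
class LintResult:
    errors: list = field(default_factory=list)    # will break provisioning
    warnings: list = field(default_factory=list)  # worth a look

def _split_template(text):
    """Return (top_level_lines, {applet_name: [event/action lines]})."""
    top, applets, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"event manager applet (\S+)$", line)
        if m:
            current = m.group(1)
            applets[current] = []
            continue
        in_body = line.startswith(("action ", "event ")) and not line.startswith("event manager ")
        if current and in_body:
            applets[current].append(line)
        else:  # any other command closes the applet body, as it does on the box
            current = None
            top.append(line)
    return top, applets

def lint_pnp_template(text, applet_name="POST_PNP"):
    res = LintResult()
    top, applets = _split_template(text)
    # 1. Command authorization must be deferred, not pushed by PnP itself.
    for line in top:
        if line.startswith(DEFERRED_AAA):
            res.errors.append(f"command authorization in initial config: '{line}'")
    # 2. The applet must exist, fire late enough and carry the deferred lines.
    cli, timer = [], None
    body = applets.get(applet_name)
    if body is None:
        res.errors.append(f"no 'event manager applet {applet_name}' in template")
    else:
        for a in body:
            m = re.match(r"event timer countdown time (\d+)", a)
            if m:
                timer = int(m.group(1))
            m = re.search(r'cli command "([^"]*)"', a)
            if m:
                cli.append(m.group(1))
        if timer is None or timer < MIN_COUNTDOWN:
            res.errors.append(f"countdown {timer or 0}s < {MIN_COUNTDOWN}s: PnP may still "
                              "be running (e.g. switching the management IP)")
        if not any(c.startswith(DEFERRED_AAA) for c in cli):
            res.errors.append("applet does not enable command authorization")
        if f"no event manager applet {applet_name}" not in cli:
            res.warnings.append("applet does not delete itself after running")
    # 3. The thread's last fix: without a final 'end' IOS logs %PARSER-4-BADCFG.
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or lines[-1] != "end":
        res.errors.append("template does not finish with 'end' (PARSER-4-BADCFG)")
    # 4. Caveat (editor's, not the thread's): 'if-authenticated' is a fallback
    #    method; with the TACACS group unreachable every authenticated user passes.
    for line in top + cli:
        if line.startswith("aaa authorization") and "if-authenticated" in line:
            res.warnings.append(f"open fallback when TACACS is unreachable: '{line}'")
    return res

# Constructed samples, not the thread's configs.  BROKEN mirrors the first attempt.
BROKEN_TEMPLATE = """\
aaa authorization config-commands
aaa authorization commands 15 default group TACACS-ISE if-authenticated
event manager applet POST_PNP
 event timer countdown time 90
 action 1.0 cli command "aaa authorization commands 15 default group TACACS-ISE if-authenticated"
 action 1.1 cli command "end"
"""
FIXED_TEMPLATE = """\
aaa authentication login default group TACACS-ISE local
aaa authorization exec default group TACACS-ISE local
event manager session cli username admin privilege 15
event manager applet POST_PNP
 event timer countdown time 180
 action 1.0 cli command "aaa authorization config-commands"
 action 1.1 cli command "aaa authorization commands 15 default group TACACS-ISE if-authenticated"
 action 1.2 cli command "no event manager applet POST_PNP"
 action 1.3 cli command "end"
 action 1.4 cli command "wr mem"
end
"""

if __name__ == "__main__":
    for name, tpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, lint_pnp_template(tpl))
```

Run it as a script to see the findings for both samples, or import it and call lint_pnp_template() on the text of your own template before handing it to the PnP server; anything that lands in errors reproduces one of the failures seen in this thread, while warnings are judgement calls.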
