PnP line vty configuration

Seb Rupik
VIP Alumni

Hello again,

I am encountering an issue where line vty configuration is not correctly being pushed to the switch. My template contains the following:

!
line con 0
  login authentication NO-TACACS
  logging synchronous
!
line vty 0
  login authentication NO-TACACS
  logging synchronous
!
line vty 1 15
  session-timeout 150
  authorization commands 15 DMZ-TACACS-SERVERS
  authorization exec DMZ-TACACS-SERVERS
  logging synchronous
  login authentication DMZ-TACACS-SERVERS
  transport input ssh
!

...the generated configuration listed against the switch shows the identical configuration. However after the config is deployed, the switch running config shows:

!
line con 0
  login authentication NO-TACACS
  logging synchronous
!
line vty 0
  login authentication NO-TACACS
  logging synchronous
!
line vty 1 4
  session-timeout 150
  logging synchronous
  transport input ssh
!
line vty 5 15
  session-timeout 150
  logging synchronous
  transport input ssh
!

...missing crucial AAA methods! The deployment ends in an 'error' state with the following message:

Received response from pnp agent for message correlatorId: CiscoPnP-1.0-15-324-EBF7F68-13 but with error code : ZTD_CMD_ERROR Response String: PERMISSION_DENIED:authorization failed


I assume this is because APIC-EM cannot log into the switch with the AAA TACACS credentials used as part of the build process?

FYI, 'line vty 0' is given a different configuration because I can see via 'sh users' that it is used by the PnP process, so I thought I should not apply the TACACS AAA methods to it.

Is there any log file buried within APIC-EM which would show me why only some of the config is being applied?

cheers,

Seb.

3 Replies

aradford
Cisco Employee

Hi Seb,

This is an issue with the way the PnP agent on the device handles the "aaa authorization" commands.

There is a solution with IOS 16.3 code; however, there is also a workaround I published using an EEM script in a blog post.

Network Automation with Plug and Play (PnP) – Part 7

In your case, you should add the VTY aaa commands to the EEM script too.

Adam
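As an added example (not the script from the blog post linked above, and not part of Seb's template), this is the shape of an EEM applet that applies the vty AAA lines after the PnP workflow has finished. The method-list names are the ones from Seb's template; the applet name, the 300-second countdown and the username pnp-eem are assumptions. The applet is pasted into the PnP template alongside the rest of the config, so the countdown starts when the template is applied and the AAA lines land once the PnP session on vty 0 is no longer needed to push them.

```ios
! Added example, not the original template or the blog's script.
! Assumed: the aaa authorization/authentication method lists named
! DMZ-TACACS-SERVERS already exist globally, and the user pnp-eem is
! permitted priv-15 command authorization on your TACACS server (or by
! the local fallback in that method list). EEM CLI actions are
! authorized as this user once "authorization commands 15" is active.
event manager session cli username pnp-eem
!
event manager applet APPLY-VTY-AAA
 ! 300 s after the template is applied (assumed value, tune to your
 ! PnP workflow length) apply the lines the PnP agent dropped.
 event timer countdown time 300
 action 010 cli command "enable"
 action 020 cli command "configure terminal"
 ! vty 0 is left on NO-TACACS, as in Seb's template, because the PnP
 ! agent was seen using it in 'sh users'.
 action 030 cli command "line vty 1 15"
 action 040 cli command "login authentication DMZ-TACACS-SERVERS"
 action 050 cli command "authorization exec DMZ-TACACS-SERVERS"
 action 060 cli command "authorization commands 15 DMZ-TACACS-SERVERS"
 ! Remove the applet so it does not re-run after a reload, then save.
 action 070 cli command "no event manager applet APPLY-VTY-AAA"
 action 080 cli command "end"
 action 090 cli command "write memory"
 action 100 syslog msg "APPLY-VTY-AAA: TACACS method lists applied to vty 1-15"
```

Two checks before relying on this: confirm with 'show running-config | section line vty' that the three AAA lines are present after the timer fires, and confirm with 'test aaa' or a fresh SSH login that the TACACS lists actually authenticate and authorize, since the device is now open on vty 1-15 with only the template's login method until the applet has run. The applet is idempotent, so if the self-removal ever fails and it fires again after a reload it only re-applies the same lines. Once PnP has completed there is no longer a reason for vty 0 to stay on NO-TACACS, so the applet could include it in the same 'line vty' range if the device is expected to be reachable only via TACACS.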

Hi Adam,

You're certainly the guy with all the answers. This deployment is for a 3560CX, so I will give the EEM script a try. Do you know if there will be a fix for switches that can't run code higher than 15.x?

Thanks again,

Seb.

Some answers... :-)

From release notes:

AAA device credential support. The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release IOS 15.6(3)M1, IOS XE 16.3.2, or IOS XE 16.4 or later on the device.


Let me know how the EEM script goes.


Adam
