Catalyst Center Provision breaks AAA

lgalvez100
Level 1

Good evening everyone,

I'm having an issue after provisioning some access switches through Catalyst Center. The devices are configured with AAA RADIUS authentication and they work fine with ISE as a RADIUS server. However, after provisioning the switches, AAA breaks and I can no longer log in, only through the local username. I'm copying the config applied through provisioning and the commands that fix the issue. Is there any way I can get DNAC to correctly provision my devices to keep authenticating through the RADIUS server instead of with the local user? Thanks in advance.

Catalyst Center Provision AAA Config:
authentication convert-to new-style
ip radius source-interface Vlan20
aaa group server radius dnac-client-radius-group
server name dnac-radius_xxx
ip radius source-interface Vlan20
exit
aaa accounting identity default start-stop group dnac-client-radius-group
aaa accounting update newinfo periodic 2880
aaa authorization network default group dnac-client-radius-group
aaa authorization exec default local
aaa authentication login default local
aaa authentication dot1x default group dnac-client-radius-group
radius server dnac-radius_xxx
address ipv4 xxx auth-port 1812 acct-port 1813
pac key ******
retransmit 3
timeout 4
automate-tester username dummy ignore-acct-port probe-on
exit
radius-server vsa send authentication
radius-server vsa send accounting
radius-server dead-criteria time 5 tries 3
radius-server deadtime 3
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 25 access-request include
radius-server attribute 8 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
line vty 0 15
aaa server radius dynamic-author
client xxx server-key ******
exit

This fixes the issue so we can log in through RADIUS again after provisioning:
aaa authentication login default group dnac-client-radius-group local
aaa authorization exec default group dnac-client-radius-group local

 

This is the config on Catalyst Center for AAA:

lgalvez100_0-1723753702813.png

We have thoroughly checked that AAA server and it works perfectly for other devices.

2 Replies

Preston Chilcote
Cisco Employee

I think you just need to check the "Network" box under AAA server in the Design->Network Settings page of Cat Center. 

 

Torbjørn
Spotlight

You need to select the "Network" box under "AAA Server" and configure the correct nodes under the "Network" field that will appear. This will make your DNAC provision the appropriate configuration for login and authorization. 

Unrelated, but it might also be a good idea to integrate ISE with your DNAC and use the "ISE" option instead of "AAA" under "Servers".

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev
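
As an added example (not part of the thread and not Cisco tooling), this Python check flags the condition described in the question: a login or exec method list that never consults a RADIUS group even though one is defined on the device. The sample config is constructed from the AAA lines quoted in the post, and the function name `audit_device_admin` is hypothetical.

```python
import re

# Constructed sample: AAA lines taken from the provisioned config in the post.
PROVISIONED = """\
aaa group server radius dnac-client-radius-group
 server name dnac-radius_xxx
aaa accounting identity default start-stop group dnac-client-radius-group
aaa authorization network default group dnac-client-radius-group
aaa authorization exec default local
aaa authentication login default local
aaa authentication dot1x default group dnac-client-radius-group
"""

# Same config with the two corrective lines from the post applied.
FIXED = PROVISIONED.replace(
    "aaa authorization exec default local",
    "aaa authorization exec default group dnac-client-radius-group local",
).replace(
    "aaa authentication login default local",
    "aaa authentication login default group dnac-client-radius-group local",
)

METHOD_LIST = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$")
GROUP_DEF = re.compile(r"^aaa group server radius (\S+)")


def audit_device_admin(config):
    """Return (kind, service, list_name, methods) for every login/exec method
    list that uses no RADIUS group although the config defines one."""
    lines = [ln.strip() for ln in config.splitlines()]
    # Named RADIUS groups defined on the device, plus the built-in "radius".
    defined = {m.group(1) for ln in lines if (m := GROUP_DEF.match(ln))}
    if not defined:
        return []  # no RADIUS group configured, nothing to compare against
    acceptable = defined | {"radius"}
    findings = []
    for ln in lines:
        m = METHOD_LIST.match(ln)
        # Only device-administration lists; dot1x/network lists are skipped.
        if not m or m.group(2) not in ("login", "exec"):
            continue
        used = set(re.findall(r"group (\S+)", m.group(4)))
        if not used & acceptable:
            findings.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return findings
```

Run against a saved running-config after each provisioning job, a non-empty result means device logins have fallen back to local-only methods.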