DNA Center Brownfield Provisioning

gbekmezi-DD
Level 5

DNAC fails on provisioning brownfield devices that have TACACS configured. What is the intended/recommended workflow for using DNAC to manage brownfield switches? Should TACACS/AAA commands be removed in order to provision? This becomes problematic when there are thousands of devices being managed.

 

Thanks!

7 Replies

What user are you using in the CLI credentials? This user must have total privileges.

Preston Chilcote
Cisco Employee

If you remove the AAA settings from Design->Network Settings, then you will be able to complete the provision.  You then have 2 choices for the long term:

 

1) Manage your existing AAA settings via day-N templates. 

2) Use the provision workflow to convert your brownfield AAA configs to the configs that DNA wants to see.  That should enable you to re-enable AAA management via Design->Network settings going forward.

 

But you want to avoid having AAA configs in Design Settings AND in day-N templates at the same time.

Thanks for the reply and suggestions. How would you go about using the “provision workflow to convert your brownfield AAA configs to the configs that DNA wants to see?”

Is there a way to accomplish this without removing the relevant configurations from the network devices first?
 
Thanks!

You can provision a spare device to see the aaa configs that DNA deploys. 

Your template can first unconfigure aaa and then reconfigure it with the same commands DNA expects (in the same template). Or just unconfigure aaa with a template and reapply AAA in Design Settings, but that takes 2 provisions instead of just 1.
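The comparison suggested in the replies above (provision a spare device, then see how its AAA config differs from a brownfield switch) can be scripted. This is an added example, not part of the original thread and not Cisco tooling; both sample configs are constructed, and the `EXAMPLE-*` names are placeholders rather than what DNA Center actually deploys.

```python
import re

# Top-level IOS commands treated as AAA-related (assumption: extend for your estate).
AAA_PREFIXES = ("aaa ", "tacacs server ", "tacacs-server ",
                "radius server ", "radius-server ", "ip tacacs ", "ip radius ")

def normalise(line):
    """Strip whitespace and mask shared secrets so keys are neither compared nor printed."""
    return re.sub(r"\bkey( \d+)? \S+$", "key <redacted>", line.strip())

def aaa_blocks(config_text):
    """Map each top-level AAA command to its list of indented sub-commands."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            current = None                      # blank line or "!" ends a block
        elif not line[0].isspace():             # top-level command
            current = normalise(line) if line.startswith(AAA_PREFIXES) else None
            if current:
                blocks.setdefault(current, [])
        elif current:                           # child line of an AAA block
            blocks[current].append(normalise(line))
    return blocks

def compare(brownfield_cfg, reference_cfg):
    """Classify top-level AAA commands by where they appear."""
    old, new = aaa_blocks(brownfield_cfg), aaa_blocks(reference_cfg)
    return {
        "brownfield_only": sorted(set(old) - set(new)),
        "reference_only": sorted(set(new) - set(old)),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
        "unchanged": sorted(k for k in old if k in new and old[k] == new[k]),
    }

# Constructed samples: BROWNFIELD stands in for an existing switch, REFERENCE for
# the running-config of a spare device after provisioning (placeholder content).
BROWNFIELD = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
tacacs-server host 192.0.2.10
tacacs-server key 7 0822455D0A16
!
interface Vlan10
 ip address 198.51.100.1 255.255.255.0
"""
REFERENCE = """
aaa new-model
aaa group server tacacs+ EXAMPLE-GROUP
 server name EXAMPLE-TACACS
aaa authentication login default group EXAMPLE-GROUP local
tacacs server EXAMPLE-TACACS
 address ipv4 192.0.2.10
 key 7 1511021F0725
"""
```

Calling `compare(BROWNFIELD, REFERENCE)` returns the four buckets; the `brownfield_only` lines are the ones a removal template would have to touch, so review them against your lockout and fallback behaviour before anything is pushed.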

Sorry to awaken the necro-thread here. But I am running into the same issue and have a question.

If I make the template that removes our current AAA and TACACS config, then reapply the config using the commands that DNA would see if it deployed it, then move it to a different network or something to reprovision it with a new template and with the AAA and TACACS config instead in the settings, would this work?

The issue I have is I built ISE to default deny, and all of our equipment also will block sign-in with local creds if TACACS servers are reachable. And to top it off, all my VLANs are assigned via 802.1x responses and the switch has all access ports assigned to a guest VLAN by default, and if ISE is unreachable they fall into a VLAN similar to guest where they lose all internal access. So I am having a hard time trying to figure out what configs I need to remove so I can get CCC to push the configs, not get locked out of the switch, and not kill access to the machines on the switch.