DNAC Device Provisioning and Template deployment for 802.1x

alex.f.
Level 1

Hi,

I am new with DNA Center and ISE.

We have a NON-SDA Network which is to be changed over to 802.1x.

Some switches are already configured with RADIUS and TACACS and some don't have any AAA configuration yet, so I tried the following steps to get these devices into ISE and NAC.

All switches have a local DNA user called (dna) and a local admin user called (admin)!

1. Design / Network Profiles / 802.1X_BasicConfig
- add Site "CITY_STORE_SWITCH02" to Profile 802.1X_BasicConfig
(Profile 802.1X_BasicConfig holds the Template "802.1X_BaseConf" shown below)

2. Design / Network Settings / CITY / STORE_SW02
- Adding AAA Server for Client/Endpoint and Radius (if not already set)
ISE x.x.x.x Radius y.y.y.a y.y.y.b

3. Network Devices / Inventory / Provision Devices
- select Switch
- check the Template "802.1X_BaseConf"
- Advanced Configuration ->
(Is this relevant for me because I have a local admin user on the device?)
"WARNING: Do not use "admin" as the username for your device CLI credentials, if you are using ISE as your AAA server. If you do, this can result in you not being able to login to your devices."

Deployment of switches mostly failed with errors like:

Configuration on the device failed. Error message - NCNP10200: Authentication failure while connecting to device x.x.x.x using protocol ssh2.

Failed to update Wired Endpoint Data Collection configuration on device: x.x.x.x

Error occurred in ExecuteOnDeviceMessageHandler of NP: Failed to establish ssh2 connection to device- Cause: Authentication failed on device. Update the Device credentials and retry the task.

failed with exception: Authentication failure while connecting to device x.x.x. using protocol ssh2. ROLLBACK FAILED for Unable to push configuration to device ip x.x.x.x.

Provisioning failed for the template IOS Banner Template.
Message: Authentication failure while connecting to device x.x.x.x using protocol ssh2

How do I get all switches with a clean AAA configuration status provisioned from the DNA Center and additionally transfer the new/correct AAA credentials to ISE?

8 Replies

Hi

"Configuration on the device failed. Error message - NCNP10200: Authentication failure while connecting to device x.x.x.x using protocol ssh2."

If you access the DNAC on the CLI and send an SSH request to the switch using the user dna, do you succeed?

Hi @Flavio Miranda, I can't test this because I lack the rights. I am unable to access the DNA Center via SSH with my account (or the ADM creds that are available to me).

What should be the outcome of this test?

You should be able to test the SSH credentials.

Does the username DNA on the device have privilege 15?

I can connect from my host to the Switch with the local DNA Account.

But is the local account also the one used by the DNAC to connect to the switch?

When you discovered the device, which credential did you use?

It will use that credential.

I did some debug tacacs on the switch and got this.

So, the DNA_USER creds are wrong.

======================
NOT Working TACACS Debug
======================

xy:50:46.456: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
xy:50:46.456: T+: session_id 2324268633 (0x8A898659), dlen 29 (0x1D)
xy:50:46.456: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
xy:50:46.456: T+: svc:LOGIN user_len:6 port_len:4 (0x4) raddr_len:11 (0xB) data_len:0
xy:50:46.456: T+: user: [DNA_USER]
xy:50:46.456: T+: port: tty1
xy:50:46.456: T+: rem_addr: 10.x.x.y [DNAC]
xy:50:46.456: T+: data:
xy:50:46.456: T+: End Packet
xy:50:46.456: TPLUS(0000603C)/0/NB_WAIT: wrote entire 41 bytes request
xy:50:46.456: TPLUS(0000603C)/0/READ: socket event 1
xy:50:46.456: TPLUS(0000603C)/0/READ: Would block while reading
xy:50:47.127: TPLUS(0000603C)/0/READ: socket event 1
xy:50:47.127: TPLUS(0000603C)/0/READ: read entire 12 header bytes (expect 15 bytes data)
xy:50:47.141: TPLUS(0000603C)/0/READ: socket event 1
xy:50:47.141: TPLUS(0000603C)/0/READ: read entire 27 bytes response
xy:50:47.141: T+: Version 192 (0xC0), type 1, seq 2, encryption 1, SC 0
xy:50:47.141: T+: session_id 2324268633 (0x8A898659), dlen 15 (0xF)
xy:50:47.144: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:9, data_len:0
xy:50:47.144: T+: msg: Password:
xy:50:47.144: T+: data:
xy:50:47.144: T+: End Packet
xy:50:47.144: TPLUS(0000603C) login timer stopped
xy:50:47.144: TPLUS(0000603C)/0/8A27E2C: Processing the reply packet
xy:50:47.144: TPLUS: Received authen response status GET_PASSWORD (8)
xy:50:47.144: TPLUS(0000603C)/0/None: Started 120 sec timeout
xy:50:47.144: TPLUS: Queuing AAA Authentication request 24636 for processing
xy:50:47.144: TPLUS(0000603C) login timer started 1020 sec timeout
xy:50:47.144: TPLUS: processing authentication continue request id 24636
xy:50:47.144: TPLUS: Authentication continue packet generated for 24636
xy:50:47.144: TPLUS(0000603C)/0/None: Timer Stoped
xy:50:47.144: TPLUS(0000603C)/0/WRITE/86B7648: Started 4 sec timeout
xy:50:47.144: T+: Version 192 (0xC0), type 1, seq 3, encryption 1, SC 0
xy:50:47.144: T+: session_id 2324268633 (0x8A898659), dlen 15 (0xF)
xy:50:47.144: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
xy:50:47.144: T+: User msg: <elided>
xy:50:47.144: T+: User data:
xy:50:47.144: T+: End Packet
xy:50:47.144: TPLUS(0000603C)/0/WRITE: wrote entire 27 bytes request
xy:50:47.501: TPLUS(0000603C)/0/READ: socket event 1
xy:50:47.501: TPLUS(0000603C)/0/READ: read entire 12 header bytes (expect 6 bytes data)
xy:50:47.518: TPLUS(0000603C)/0/READ: socket event 1
xy:50:47.518: TPLUS(0000603C)/0/READ: read entire 18 bytes response
xy:50:47.518: T+: Version 192 (0xC0), type 1, seq 4, encryption 1, SC 0
xy:50:47.518: T+: session_id 2324268633 (0x8A898659), dlen 6 (0x6)
xy:50:47.518: T+: AUTHEN/REPLY status:2 flags:0x0 msg_len:0, data_len:0
xy:50:47.518: T+: msg:
xy:50:47.518: T+: data:
xy:50:47.518: T+: End Packet
xy:50:47.518: TPLUS(0000603C) login timer stopped
xy:50:47.518: TPLUS(0000603C)/0/86B7648: Processing the reply packet
xy:50:47.518: TPLUS: Received authen response status FAIL (3)
xy:50:47.518: TPLUS: Invalid Client information received as input
xy:50:49.538: TPLUS: Queuing AAA Authentication request 24636 for processing
xy:50:49.538: TPLUS(0000603C) login timer started 1020 sec timeout
xy:50:49.538: TPLUS: processing authentication start request id 24636
xy:50:49.538: TPLUS: Authentication start packet created for 24636([DNA_USER])
xy:50:49.538: TPLUS: Using server [y.y.y.y DNA_CENTER_IP_ADD]
xy:50:49.538: TPLUS(0000603C)/0/NB_WAIT/86B7648: Started 4 sec timeout
xy:50:49.559: TPLUS(0000603C)/0/NB_WAIT: socket event 2
xy:50:49.559: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
xy:50:49.559: T+: session_id 3431657551 (0xCC8AF04F), dlen 29 (0x1D)
xy:50:49.559: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
xy:50:49.559: T+: svc:LOGIN user_len:6 port_len:4 (0x4) raddr_len:11 (0xB) data_len:0
xy:50:49.559: T+: user: [DNA_USER]
xy:50:49.559: T+: port: tty1
xy:50:49.559: T+: rem_addr: 10.x.x.y [DNAC]
xy:50:49.559: T+: data:
xy:50:49.559: T+: End Packet
xy:50:49.559: TPLUS(0000603C)/0/NB_WAIT: wrote entire 41 bytes request
xy:50:49.559: TPLUS(0000603C)/0/READ: socket event 1
xy:50:49.559: TPLUS(0000603C)/0/READ: Would block while reading
xy:50:50.084: TPLUS(0000603C)/0/READ: socket event 1
xy:50:50.084: TPLUS(0000603C)/0/READ: read entire 12 header bytes (expect 15 bytes data)
xy:50:50.101: TPLUS(0000603C)/0/READ: socket event 1
xy:50:50.101: TPLUS(0000603C)/0/READ: read entire 27 bytes response
xy:50:50.101: T+: Version 192 (0xC0), type 1, seq 2, encryption 1, SC 0
xy:50:50.101: T+: session_id 3431657551 (0xCC8AF04F), dlen 15 (0xF)
xy:50:50.101: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:9, data_len:0
xy:50:50.101: T+: msg: Password:
xy:50:50.101: T+: data:
xy:50:50.101: T+: End Packet
xy:50:50.101: TPLUS(0000603C) login timer stopped
xy:50:50.105: TPLUS(0000603C)/0/86B7648: Processing the reply packet
xy:50:50.105: TPLUS: Received authen response status GET_PASSWORD (8)
xy:50:50.105: TPLUS(0000603C)/0/None: Started 120 sec timeout
xy:50:50.905: TPLUS: Queuing AAA Authentication request 24636 for processing
xy:50:50.916: TPLUS(0000603C) login timer started 1020 sec timeout
xy:50:50.916: TPLUS: processing authentication continue request id 24636
xy:50:50.916: TPLUS: Authentication continue packet generated for 24636
xy:50:50.916: TPLUS(0000603C)/0/None: Timer Stoped
xy:50:50.916: TPLUS(0000603C)/0/WRITE/8A19BD8: Started 4 sec timeout
xy:50:50.916: T+: Version 192 (0xC0), type 1, seq 3, encryption 1, SC 0
xy:50:50.916: T+: session_id 3431657551 (0xCC8AF04F), dlen 15 (0xF)
xy:50:50.916: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
xy:50:50.916: T+: User msg: <elided>
xy:50:50.916: T+: User data:
xy:50:50.916: T+: End Packet

======================
Working TACACS Debug
======================

xy:56:04.195: TPLUS: Queuing AAA Authentication request 20746 for processing
xy:56:04.195: TPLUS(0000510A) login timer started 1020 sec timeout
xy:56:04.195: TPLUS: processing authentication start request id 20746
xy:56:04.195: TPLUS: Authentication start packet created for 20746([DNA_USER])
xy:56:04.195: TPLUS: Using server [y.y.y.y DNA_CENTER_IP_ADD]
xy:56:04.198: TPLUS(0000510A)/0/NB_WAIT/8CC070C: Started 4 sec timeout
xy:56:04.212: TPLUS(0000510A)/0/NB_WAIT: socket event 2
xy:56:04.212: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
xy:56:04.212: T+: session_id 2232309149 (0x850E559D), dlen 31 (0x1F)
xy:56:04.212: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
xy:56:04.212: T+: svc:LOGIN user_len:7 port_len:4 (0x4) raddr_len:12 (0xC) data_len:0
xy:56:04.212: T+: user: [DNA_USER]
xy:56:04.212: T+: port: tty2
xy:56:04.212: T+: rem_addr: [MY_CLIENT_IP_ADD]
xy:56:04.212: T+: data:
xy:56:04.212: T+: End Packet
xy:56:04.212: TPLUS(0000510A)/0/NB_WAIT: wrote entire 43 bytes request
xy:56:04.212: TPLUS(0000510A)/0/READ: socket event 1
xy:56:04.212: TPLUS(0000510A)/0/READ: Would block while reading
xy:56:04.237: TPLUS(0000510A)/0/READ: socket event 1
xy:56:04.237: TPLUS(0000510A)/0/READ: read entire 12 header bytes (expect 15 bytes data)
xy:56:04.237: TPLUS(0000510A)/0/READ: socket event 1
xy:56:04.237: TPLUS(0000510A)/0/READ: read entire 27 bytes response
xy:56:04.237: T+: Version 192 (0xC0), type 1, seq 2, encryption 1, SC 0
xy:56:04.237: T+: session_id 2232309149 (0x850E559D), dlen 15 (0xF)
xy:56:04.237: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:9, data_len:0
xy:56:04.237: T+: msg: Password:
xy:56:04.237: T+: data:
xy:56:04.237: T+: End Packet
xy:56:04.237: TPLUS(0000510A) login timer stopped
xy:56:04.237: TPLUS(0000510A)/0/8CC070C: Processing the reply packet
xy:56:04.237: TPLUS: Received authen response status GET_PASSWORD (8)
xy:56:04.237: TPLUS(0000510A)/0/None: Started 120 sec timeout
xy:56:10.490: TPLUS: Queuing AAA Authentication request 20746 for processing
xy:56:10.490: TPLUS(0000510A) login timer started 1020 sec timeout
xy:56:10.490: TPLUS: processing authentication continue request id 20746
xy:56:10.490: TPLUS: Authentication continue packet generated for 20746
xy:56:10.490: TPLUS(0000510A)/0/None: Timer Stoped
xy:56:10.490: TPLUS(0000510A)/0/WRITE/5782DB8: Started 4 sec timeout
xy:56:10.490: T+: Version 192 (0xC0), type 1, seq 3, encryption 1, SC 0
xy:56:10.490: T+: session_id 2232309149 (0x850E559D), dlen 37 (0x25)
xy:56:10.490: T+: AUTHEN/CONT msg_len:32 (0x20), data_len:0 (0x0) flags:0x0
xy:56:10.490: T+: User msg: <elided>
xy:56:10.490: T+: User data:
xy:56:10.490: T+: End Packet
xy:56:10.493: TPLUS(0000510A)/0/WRITE: wrote entire 49 bytes request
xy:56:10.528: TPLUS(0000510A)/0/READ: socket event 1
xy:56:10.528: TPLUS(0000510A)/0/READ: read entire 12 header bytes (expect 6 bytes data)
xy:56:10.528: TPLUS(0000510A)/0/READ: socket event 1
xy:56:10.528: TPLUS(0000510A)/0/READ: read entire 18 bytes response
xy:56:10.528: T+: Version 192 (0xC0), type 1, seq 4, encryption 1, SC 0
xy:56:10.528: T+: session_id 2232309149 (0x850E559D), dlen 6 (0x6)
xy:56:10.528: T+: AUTHEN/REPLY status:1 flags:0x0 msg_len:0, data_len:0
xy:56:10.528: T+: msg:
xy:56:10.528: T+: data:
xy:56:10.528: T+: End Packet
xy:56:10.528: TPLUS(0000510A) login timer stopped
xy:56:10.528: TPLUS(0000510A)/0/5782DB8: Processing the reply packet
xy:56:10.528: TPLUS: Received authen response status PASS (2)
xy:56:10.528: TPLUS: Invalid Client information received as input
xy:56:10.570: TPLUS: Queuing AAA Authorization request 20746 for processing
xy:56:10.570: TPLUS(0000510A) login timer started 1020 sec timeout
xy:56:10.570: TPLUS: processing authorization request id 20746
xy:56:10.570: TPLUS: Protocol set to None .....Skipping
xy:56:10.570: TPLUS: Sending AV service=shell
xy:56:10.570: TPLUS: Sending AV cmd*
xy:56:10.570: TPLUS: Authorization request created for 20746([DNA_USER])
xy:56:10.570: TPLUS: using previously set server 10.x.x.y [DNAC] from group [DNAC_GROUP_TACACS]
xy:56:10.570: TPLUS(0000510A)/0/NB_WAIT/8E78ADC: Started 4 sec timeout
xy:56:10.584: TPLUS(0000510A)/0/NB_WAIT: socket event 2
xy:56:10.588: T+: Version 192 (0xC0), type 2, seq 1, encryption 1, SC 0
xy:56:10.588: T+: session_id 529727033 (0x1F92FE39), dlen 50 (0x32)
xy:56:10.588: T+: AUTHOR, priv_lvl:1, authen:1 method:tacacs+
xy:56:10.588: T+: svc:1 user_len:7 port_len:4 rem_addr_len:12 arg_cnt:2
xy:56:10.588: T+: user: [DNA_USER]
xy:56:10.588: T+: port: tty2
xy:56:10.588: T+: rem_addr: [MY_CLIENT_IP_ADD]
xy:56:10.588: T+: arg[0]: size:13 service=shell
xy:56:10.588: T+: arg[1]: size:4 cmd*
xy:56:10.588: T+: End Packet
xy:56:10.588: TPLUS(0000510A)/0/NB_WAIT: wrote entire 62 bytes request
xy:56:10.588: TPLUS(0000510A)/0/READ: socket event 1
xy:56:10.588: TPLUS(0000510A)/0/READ: Would block while reading
xy:56:10.616: TPLUS(0000510A)/0/READ: socket event 1
xy:56:10.616: TPLUS(0000510A)/0/READ: read entire 12 header bytes (expect 18 bytes data)
xy:56:10.616: TPLUS(0000510A)/0/READ: socket event 1
xy:56:10.616: TPLUS(0000510A)/0/READ: read entire 30 bytes response
xy:56:10.616: T+: Version 192 (0xC0), type 2, seq 2, encryption 1, SC 0
xy:56:10.616: T+: session_id 529727033 (0x1F92FE39), dlen 18 (0x12)
xy:56:10.616: T+: AUTHOR/REPLY status:1 msg_len:0, data_len:0 arg_cnt:1
xy:56:10.616: T+: msg:
xy:56:10.616: T+: data:
xy:56:10.616: T+: arg[0] size:11
xy:56:10.616: T+: priv-lvl=15
xy:56:10.616: T+: End Packet
xy:56:10.616: TPLUS(0000510A) login timer stopped
xy:56:10.616: TPLUS(0000510A)/0/8E78ADC: Processing the reply packet
xy:56:10.616: TPLUS: Processed AV priv-lvl=15
xy:56:10.616: TPLUS: received authorization response for 20746: PASS
xy:56:10.616: TPLUS: Invalid Client information received as input
xy:56:10.633: T+: Version 192 (0xC0), type 3, seq 1, encryption 1, SC 0
xy:56:10.637: T+: session_id 4150412035 (0xF7624303), dlen 96 (0x60)
xy:56:10.637: T+: ACCT, flags:0x2 method:6 priv_lvl:15
xy:56:10.637: T+: type:1 svc:1 user_len:7 port_len:4 rem_addr_len:12
xy:56:10.637: T+: arg_cnt:4
xy:56:10.637: T+: user: [DNA_USER]
xy:56:10.637: T+: port: tty2
xy:56:10.637: T+: rem_addr: [MY_CLIENT_IP_ADD]
xy:56:10.637: T+: arg[0]: size:13 task_id=20736
xy:56:10.637: T+: arg[1]: size:13 timezone=CEST
xy:56:10.637: T+: arg[2]: size:13 service=shell
xy:56:10.637: T+: arg[3]: size:21 start_time=1688399770
xy:56:10.637: T+: End Packet
xy:56:10.654: T+: Version 192 (0xC0), type 3, seq 2, encryption 1, SC 0
xy:56:10.654: T+: session_id 4150412035 (0xF7624303), dlen 5 (0x5)
xy:56:10.654: T+: ACCT/REPLY status:1 msg_len:0 data_len:0
xy:56:10.654: T+: msg:
xy:56:10.654: T+: data:
xy:56:10.654: T+: End Packet
xy:56:10.654: TPLUS: Invalid Client information received as input
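To compare the two captures above mechanically rather than by eye, here is an added example (not from this thread and not Cisco code) that parses lines in the shape of this IOS debug tacacs output, groups the T+ packets by session_id and reports each session's user, rem_addr and final AUTHEN/REPLY status; the sample lines embedded in it are constructed placeholders modelled on the capture, not the real one.

```python
import re
# Constructed sample in the shape of the IOS "debug tacacs" output quoted in the thread
# (timestamps and addresses are placeholders, not real data).
SAMPLE_DEBUG = """\
xy:50:46.456: T+: session_id 2324268633 (0x8A898659), dlen 29 (0x1D)
xy:50:46.456: T+: user: [DNA_USER]
xy:50:46.456: T+: rem_addr: 10.x.x.y [DNAC]
xy:50:47.141: T+: session_id 2324268633 (0x8A898659), dlen 15 (0xF)
xy:50:47.144: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:9, data_len:0
xy:50:47.518: T+: session_id 2324268633 (0x8A898659), dlen 6 (0x6)
xy:50:47.518: T+: AUTHEN/REPLY status:2 flags:0x0 msg_len:0, data_len:0
xy:56:04.212: T+: session_id 2232309149 (0x850E559D), dlen 31 (0x1F)
xy:56:04.212: T+: user: [DNA_USER]
xy:56:04.212: T+: rem_addr: [MY_CLIENT_IP_ADD]
xy:56:04.237: T+: session_id 2232309149 (0x850E559D), dlen 15 (0xF)
xy:56:04.237: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:9, data_len:0
xy:56:10.528: T+: session_id 2232309149 (0x850E559D), dlen 6 (0x6)
xy:56:10.528: T+: AUTHEN/REPLY status:1 flags:0x0 msg_len:0, data_len:0
"""
# TACACS+ authentication REPLY status codes (RFC 8907, section 5.2).
AUTHEN_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                 5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}
PROMPTS = {"GETDATA", "GETUSER", "GETPASS"}  # server is still asking for input

SESSION_RE = re.compile(r"T\+: session_id (\d+)")
USER_RE = re.compile(r"T\+: user: \[(.*?)\]")
RADDR_RE = re.compile(r"T\+: rem_addr: (.+)$")
REPLY_RE = re.compile(r"T\+: AUTHEN/REPLY status:(\d+)")

def summarize_sessions(debug_text):
    """Group T+ packets by session_id; record user, source and every REPLY status."""
    sessions, current = {}, None
    for line in debug_text.splitlines():
        if m := SESSION_RE.search(line):  # a session_id line starts each packet
            current = sessions.setdefault(
                m.group(1), {"user": None, "rem_addr": None, "replies": []})
        elif current is None:
            continue
        elif m := USER_RE.search(line):
            current["user"] = m.group(1)
        elif m := RADDR_RE.search(line):
            current["rem_addr"] = m.group(1).strip()
        elif m := REPLY_RE.search(line):
            code = int(m.group(1))
            current["replies"].append(AUTHEN_STATUS.get(code, f"UNKNOWN({code})"))
    for s in sessions.values():  # the last non-prompt reply decides the outcome
        final = [r for r in s["replies"] if r not in PROMPTS]
        s["result"] = final[-1] if final else "INCOMPLETE"
    return sessions

def failed_logins(debug_text):
    """Sessions that ended in FAIL, with the user and where the login came from."""
    return [(sid, s["user"], s["rem_addr"])
            for sid, s in summarize_sessions(debug_text).items()
            if s["result"] == "FAIL"]
```

In the thread's captures the DNAC-sourced session ends with status:2 (FAIL) while the one from the admin host ends with status:1 (PASS), which is what failed_logins() surfaces.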


alex.f.
Level 1

@Flavio Miranda 

I did a "Credentials Validate" and got an Error. So I updated the CLI credentials with the "Select global credential".

Now the "Credentials Validate" is green for CLI and SNMP but deployment without any Templates failed with the error below.

========= ERROR =========

Conversion from network intent to device intent and deployment of configuration FAILED

Jul 7, 2023
Successfully acquired device lock in rfs flow
Jul 7, 2023 
Deploying configuration on the device ABC-XY-SIDE.DOMAIN.COM (X.X.X.X).
Jul 7, 2023 
Configured operation will be to Add AAA Authentication Mode Configuration, Add Password Encryption Configuration, Add DNS Configuration, Remove AAA Configuration, Add AAA Configuration, Add HTTP / HTTPS Server Configuration, Add ACL Configuration and Remove DNS Configuration.
Jul 7, 2023
Configuration on the device failed. Error message - Unable to push configuration to device X.X.X.X.

========= ERROR =========

alex.f.
Level 1

I checked the Design / Network Settings for the Site and put all changes back to the former settings.

(in my case uncheck "Client/Endpoint" and changed back the second IP Address of AAA Network ISE TACACS)

Now the deployment works without any errors.

Next Step to activate the AAA "Client/Endpoint" for ISE with RADIUS. And this deployment works too.

Last Step to add the Site to my Template "802.1X_BaseConf" and this works as well.