DNAC PnP Configuration - Authorization failed after Update

Bothwalker
Level 1

Hello, my 9300 switches are configured via DNAC PnP and templates. No fabric.

After updating my switches, I am not able to log in: authorization failed.

After opening the login prompt, but not typing in the password, about 5 times, I can log in.

My AAA config is unchanged from what DNAC configures on my switches:

aaa authentication login default local
aaa authentication login VTY_authen group dnac-network-tacacs-group local
aaa authorization exec default local
aaa authorization exec VTY_author group dnac-network-tacacs-group local if-authenticated
aaa accounting update newinfo periodic 2880
aaa accounting exec default start-stop group dnac-network-tacacs-group

line con 0
exec-timeout 0 0
stopbits 1
line vty 0 1
login authentication VTY_authen
length 0
transport preferred none
transport input all
line vty 2 4
authorization exec VTY_author
login authentication VTY_authen
transport preferred none
transport input all
line vty 5 15
authorization exec VTY_author
login authentication VTY_authen
transport preferred none
transport input all
line vty 16 31
transport input ssh

Before the update it worked like a charm. If I add authorization exec VTY_author to line vty 0 1, it works again.

But with the next update, I will have the same issue again.

Does anyone have an idea how I can fix it?

Logging in 5 times to a switch after an update and changing the line vty is annoying.

3 Replies

Hi

You need to change your DNAC network profile and provision the device again. You probably have TACACS configured on the network profile, but you may not have TACACS working on the switch. Then you need to wait for the TACACS timeout and fall back to the local user so that you can log in.

Hello, hmm, I have a working TACACS configuration in my network.

My configuration is:

aaa new-model
!
!
aaa group server tacacs+ dnac-network-tacacs-group
server name dnac-tacacs_x.x.x.x
server name dnac-tacacs_x.x.x.x
!
aaa authentication login default local
aaa authentication login VTY_authen group dnac-network-tacacs-group local
aaa authorization exec default local
aaa authorization exec VTY_author group dnac-network-tacacs-group local if-authenticated
aaa accounting update newinfo periodic 2880
aaa accounting exec default start-stop group dnac-network-tacacs-group
!
aaa session-id common
!
ip tacacs source-interface Vlanx
!
tacacs server dnac-tacacs_x.x.x.x
address ipv4 x.x.x.x
key xxxxxxxx
timeout 7
tacacs server dnac-tacacs_x.x.x.x
address ipv4 x.x.x.x
key xxxxxxxx
timeout 7
!
line con 0
exec-timeout 0 0
stopbits 1
line vty 0 1
login authentication VTY_authen
length 0
transport preferred none
transport input all
line vty 2 4
authorization exec VTY_author
login authentication VTY_authen
transport preferred none
transport input all
line vty 5 15
authorization exec VTY_author
login authentication VTY_authen
transport preferred none
transport input all
line vty 16 31
transport input ssh

Bothwalker
Level 1

I did some debugging and I saw that when the login fails, the system picks

001399: Jun 14 10:39:39.851 MEST: AAA/BIND(000011BB): Bind i/f
001400: Jun 14 10:39:39.851 MEST: AAA/AUTHEN/LOGIN (000011BB): Pick method list 'VTY_authen'
001401: Jun 14 10:39:39.851 MEST: TPLUS: Queuing AAA Authentication request 4539 for processing
001402: Jun 14 10:39:39.851 MEST: TPLUS(000011BB) login timer started 1020 sec timeout
001403: Jun 14 10:39:39.851 MEST: TPLUS: processing authentication start request id 4539
001404: Jun 14 10:39:39.852 MEST: TPLUS: Authentication start packet created for 4539(x)
001405: Jun 14 10:39:39.852 MEST: TPLUS: Using server x.x.x.x
001406: Jun 14 10:39:39.852 MEST: TCB7F14A4D35280 created
001407: Jun 14 10:39:39.852 MEST: TCB7F14A4D35280 setting property TCP_NO_DELAY (0) 7F14A03605C0
001408: Jun 14 10:39:39.852 MEST: TCB7F14A4D35280 setting property TCP_VRFTABLEID (20) 7F14A0360670
001409: Jun 14 10:39:39.852 MEST: TPLUS: Source IP selected is: x.x.x.x
001410: Jun 14 10:39:39.852 MEST: tcp_uniqueport: using ephemeral max 55000
001411: Jun 14 10:39:39.852 MEST: TCP: Random local port generated 43295, network 1
001412: Jun 14 10:39:39.852 MEST: TCB7F14A4D35280 bound to x.x.x.x.43295
001413: Jun 14 10:39:39.852 MEST: TCB7F14A4D35280 setting property TCP_NONBLOCKING_WRITE (10) 7F14A0360658
001414: Jun 14 10:39:39.852 MEST: TCB7F14A4D35280 setting property TCP_NONBLOCKING_READ (14) 7F14A0360658
001415: Jun 14 10:39:39.852 MEST: Reserved port 43295 in Transport Port Agent for TCP IP type 1
001416: Jun 14 10:39:39.852 MEST: TCP: sending SYN, seq 4126387633, ack 0
001417: Jun 14 10:39:39.852 MEST: TCP0: Connection to x.x.x.x:49, advertising MSS 536
001418: Jun 14 10:39:39.852 MEST: TCP0: state was CLOSED -> SYNSENT [43295 -> x.x.x.x(49)]
001419: Jun 14 10:39:39.852 MEST: TPLUS(000011BB)/0/NB_WAIT/7F14A4620E28: Started 4 sec timeout
001420: Jun 14 10:39:39.852 MEST: TCP0: state was SYNSENT -> ESTAB [43295 -> x.x.x.x(49)]
001421: Jun 14 10:39:39.852 MEST: TCP: tcb 7F14A4D35280 connection to x.x.x.x:49, peer MSS 1460, MSS is 536
001422: Jun 14 10:39:39.853 MEST: TPLUS(000011BB)/0/NB_WAIT: socket event 2
001423: Jun 14 10:39:39.853 MEST: TPLUS(000011BB)/0/NB_WAIT: wrote entire 44 bytes request
001424: Jun 14 10:39:39.853 MEST: TPLUS(000011BB)/0/READ: socket event 1
001425: Jun 14 10:39:39.853 MEST: TPLUS(000011BB)/0/READ: Would block while reading
001426: Jun 14 10:39:39.856 MEST: TPLUS(000011BB)/0/READ: socket event 1
001427: Jun 14 10:39:39.856 MEST: TPLUS(000011BB)/0/READ: read entire 12 header bytes (expect 16 bytes data)
001428: Jun 14 10:39:39.856 MEST: TPLUS(000011BB)/0/READ: socket event 1
001429: Jun 14 10:39:39.856 MEST: TPLUS(000011BB)/0/READ: read entire 28 bytes response
001430: Jun 14 10:39:39.856 MEST: TPLUS(000011BB)/0/7F14A4620E28: Processing the reply packet
001431: Jun 14 10:39:39.856 MEST: TPLUS: Received authen response status GET_PASSWORD (8)
001432: Jun 14 10:39:40.056 MEST: TCP0: ACK timeout timer expired
001433: Jun 14 10:39:43.061 MEST: TPLUS: Queuing AAA Authentication request 4539 for processing
001434: Jun 14 10:39:43.061 MEST: TPLUS(000011BB) login timer started 1020 sec timeout
001435: Jun 14 10:39:43.061 MEST: TPLUS: processing authentication continue request id 4539
001436: Jun 14 10:39:43.061 MEST: TPLUS: Authentication continue packet generated for 4539
001437: Jun 14 10:39:43.061 MEST: TPLUS(000011BB)/0/WRITE/7F14A4620E28: Started 4 sec timeout
001438: Jun 14 10:39:43.061 MEST: TPLUS(000011BB)/0/WRITE: wrote entire 29 bytes request
001439: Jun 14 10:39:43.069 MEST: TCP0: FIN processed
001440: Jun 14 10:39:43.069 MEST: TCP0: state was ESTAB -> CLOSEWAIT [43295 -> x.x.x.x(49)]
001441: Jun 14 10:39:43.069 MEST: TPLUS(000011BB)/0/READ: socket event 1
001442: Jun 14 10:39:43.069 MEST: TPLUS(000011BB)/0/READ: read entire 12 header bytes (expect 6 bytes data)
001443: Jun 14 10:39:43.069 MEST: TPLUS(000011BB)/0/READ: socket event 1
001444: Jun 14 10:39:43.069 MEST: TPLUS(000011BB)/0/READ: read entire 18 bytes response
001445: Jun 14 10:39:43.069 MEST: TPLUS(000011BB)/0/7F14A4620E28: Processing the reply packet
001446: Jun 14 10:39:43.069 MEST: TPLUS: Received authen response status PASS (2)
001447: Jun 14 10:39:43.070 MEST: TCP0: state was CLOSEWAIT -> LASTACK [43295 -> x.x.x.x(49)]
001448: Jun 14 10:39:43.070 MEST: TCP0: sending FIN
001449: Jun 14 10:39:43.070 MEST: TCP0: Got ACK for our FIN
001450: Jun 14 10:39:43.070 MEST: TCP0: state was LASTACK -> CLOSED [43295 -> x.x.x.x(49)]
001451: Jun 14 10:39:43.070 MEST: Released port 43295 in Transport Port Agent for TCP IP type 1 delay 240000
001452: Jun 14 10:39:43.070 MEST: TCB 0x7F14A4D35280 destroyed
001453: Jun 14 10:39:43.271 MEST: TCP2: ACK timeout timer expired
001454: Jun 14 08:39:44.070 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: x] [Source: x.x.x.x] [localport: 22] at 10:39:44 MEST Tue Jun 14 2022
001455: Jun 14 10:39:44.071 MEST: AAA/AUTHOR (0x11BB): Pick method list 'default' - FAIL
001456: Jun 14 10:39:44.071 MEST: AAA/AUTHOR/EXEC(000011BB): Authorization FAILED
001457: Jun 14 10:39:46.072 MEST: Socket I/O cleanup message sent to TACACS

When the login succeeds, it looks like this:

001789: Jun 14 10:42:59.769 MEST: AAA/BIND(000011C0): Bind i/f
001790: Jun 14 10:42:59.769 MEST: AAA/AUTHEN/LOGIN (000011C0): Pick method list 'VTY_authen'
001791: Jun 14 10:42:59.769 MEST: TPLUS: Queuing AAA Authentication request 4544 for processing
001792: Jun 14 10:42:59.769 MEST: TPLUS(000011C0) login timer started 1020 sec timeout
001793: Jun 14 10:42:59.769 MEST: TPLUS: processing authentication start request id 4544
001794: Jun 14 10:42:59.769 MEST: TPLUS: Authentication start packet created for 4544(x)
001795: Jun 14 10:42:59.769 MEST: TPLUS: Using server x.x.x.x
001796: Jun 14 10:42:59.769 MEST: TCB7F14A469DBE0 created
001797: Jun 14 10:42:59.769 MEST: TCB7F14A469DBE0 setting property TCP_NO_DELAY (0) 7F14A03605C0
001798: Jun 14 10:42:59.769 MEST: TCB7F14A469DBE0 setting property TCP_VRFTABLEID (20) 7F14A0360670
001799: Jun 14 10:42:59.769 MEST: TPLUS: Source IP selected is: x.x.x.x
001800: Jun 14 10:42:59.769 MEST: tcp_uniqueport: using ephemeral max 55000
001801: Jun 14 10:42:59.769 MEST: TCP: Random local port generated 27090, network 1
001802: Jun 14 10:42:59.769 MEST: TCB7F14A469DBE0 bound to x.x.x.x.27090
001803: Jun 14 10:42:59.769 MEST: TCB7F14A469DBE0 setting property TCP_NONBLOCKING_WRITE (10) 7F14A0360658
001804: Jun 14 10:42:59.769 MEST: TCB7F14A469DBE0 setting property TCP_NONBLOCKING_READ (14) 7F14A0360658
001805: Jun 14 10:42:59.769 MEST: Reserved port 27090 in Transport Port Agent for TCP IP type 1
001806: Jun 14 10:42:59.769 MEST: TCP: sending SYN, seq 3347302526, ack 0
001807: Jun 14 10:42:59.769 MEST: TCP0: Connection to x.x.x.x:49, advertising MSS 536
001808: Jun 14 10:42:59.769 MEST: TCP0: state was CLOSED -> SYNSENT [27090 -> x.x.x.x(49)]
001809: Jun 14 10:42:59.770 MEST: TPLUS(000011C0)/3/NB_WAIT/7F1492C7A698: Started 4 sec timeout
001810: Jun 14 10:42:59.770 MEST: TCP0: state was SYNSENT -> ESTAB [27090 -> x.x.x.x(49)]
001811: Jun 14 10:42:59.770 MEST: TCP: tcb 7F14A469DBE0 connection to x.x.x.x:49, peer MSS 1460, MSS is 536
001812: Jun 14 10:42:59.770 MEST: TPLUS(000011C0)/3/NB_WAIT: socket event 2
001813: Jun 14 10:42:59.770 MEST: TPLUS(000011C0)/3/NB_WAIT: wrote entire 44 bytes request
001814: Jun 14 10:42:59.770 MEST: TPLUS(000011C0)/3/READ: socket event 1
001815: Jun 14 10:42:59.770 MEST: TPLUS(000011C0)/3/READ: Would block while reading
001816: Jun 14 10:42:59.773 MEST: TPLUS(000011C0)/3/READ: socket event 1
001817: Jun 14 10:42:59.773 MEST: TPLUS(000011C0)/3/READ: read entire 12 header bytes (expect 16 bytes data)
001818: Jun 14 10:42:59.773 MEST: TPLUS(000011C0)/3/READ: socket event 1
001819: Jun 14 10:42:59.773 MEST: TPLUS(000011C0)/3/READ: read entire 28 bytes response
001820: Jun 14 10:42:59.773 MEST: TPLUS(000011C0)/3/7F1492C7A698: Processing the reply packet
001821: Jun 14 10:42:59.773 MEST: TPLUS: Received authen response status GET_PASSWORD (8)
001822: Jun 14 10:42:59.973 MEST: TCP0: ACK timeout timer expired
001823: Jun 14 10:43:02.153 MEST: TCP6: keepalive timeout (0/4)
001824: Jun 14 10:43:03.012 MEST: TPLUS: Queuing AAA Authentication request 4544 for processing
001825: Jun 14 10:43:03.012 MEST: TPLUS(000011C0) login timer started 1020 sec timeout
001826: Jun 14 10:43:03.012 MEST: TPLUS: processing authentication continue request id 4544
001827: Jun 14 10:43:03.012 MEST: TPLUS: Authentication continue packet generated for 4544
001828: Jun 14 10:43:03.012 MEST: TPLUS(000011C0)/3/WRITE/7F1492C7A698: Started 4 sec timeout
001829: Jun 14 10:43:03.012 MEST: TPLUS(000011C0)/3/WRITE: wrote entire 29 bytes request
001830: Jun 14 10:43:03.021 MEST: TCP0: FIN processed
001831: Jun 14 10:43:03.021 MEST: TCP0: state was ESTAB -> CLOSEWAIT [27090 -> x.x.x.x(49)]
001832: Jun 14 10:43:03.021 MEST: TPLUS(000011C0)/3/READ: socket event 1
001833: Jun 14 10:43:03.021 MEST: TPLUS(000011C0)/3/READ: read entire 12 header bytes (expect 6 bytes data)
001834: Jun 14 10:43:03.021 MEST: TPLUS(000011C0)/3/READ: socket event 1
001835: Jun 14 10:43:03.021 MEST: TPLUS(000011C0)/3/READ: read entire 18 bytes response
001836: Jun 14 10:43:03.021 MEST: TPLUS(000011C0)/3/7F1492C7A698: Processing the reply packet
001837: Jun 14 10:43:03.021 MEST: TPLUS: Received authen response status PASS (2)
001838: Jun 14 10:43:03.021 MEST: TCP0: state was CLOSEWAIT -> LASTACK [27090 -> x.x.x.x(49)]
001839: Jun 14 10:43:03.021 MEST: TCP0: sending FIN
001840: Jun 14 10:43:03.021 MEST: TCP0: Got ACK for our FIN
001841: Jun 14 10:43:03.021 MEST: TCP0: state was LASTACK -> CLOSED [27090 -> x.x.x.x(49)]
001842: Jun 14 10:43:03.022 MEST: Released port 27090 in Transport Port Agent for TCP IP type 1 delay 240000
001843: Jun 14 10:43:03.022 MEST: TCB 0x7F14A469DBE0 destroyed
001844: Jun 14 10:43:03.222 MEST: TCP5: ACK timeout timer expired
001845: Jun 14 08:43:04.022 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: x] [Source: x.x.x.x] [localport: 22] at 10:43:04 MEST Tue Jun 14 2022
001846: Jun 14 10:43:04.024 MEST: AAA/AUTHOR (0x11C0): Pick method list 'VTY_author'
001847: Jun 14 10:43:04.024 MEST: TPLUS: Queuing AAA Authorization request 4544 for processing
001848: Jun 14 10:43:04.024 MEST: TPLUS(000011C0) login timer started 1020 sec timeout
001849: Jun 14 10:43:04.024 MEST: TPLUS: processing authorization request id 4544
001850: Jun 14 10:43:04.024 MEST: TPLUS: Protocol set to None .....Skipping
001851: Jun 14 10:43:04.024 MEST: TPLUS: Sending AV service=shell
001852: Jun 14 10:43:04.024 MEST: TPLUS: Sending AV cmd*
001853: Jun 14 10:43:04.024 MEST: TPLUS: Authorization request created for 4544(x)
001854: Jun 14 10:43:04.024 MEST: TPLUS: using previously set server x.x.x.x from group dnac-network-tacacs-group
001855: Jun 14 10:43:04.024 MEST: TCB7F14A46A1C40 created
001856: Jun 14 10:43:04.024 MEST: TCB7F14A46A1C40 setting property TCP_NO_DELAY (0) 7F14A0360650
001857: Jun 14 10:43:04.024 MEST: TCB7F14A46A1C40 setting property TCP_VRFTABLEID (20) 7F14A0360700
001858: Jun 14 10:43:04.024 MEST: TPLUS: Source IP selected is: x.x.x.x
001859: Jun 14 10:43:04.024 MEST: tcp_uniqueport: using ephemeral max 55000
001860: Jun 14 10:43:04.024 MEST: TCP: Random local port generated 29380, network 1
001861: Jun 14 10:43:04.024 MEST: TCB7F14A46A1C40 bound to x.x.x.x.29380
001862: Jun 14 10:43:04.024 MEST: TCB7F14A46A1C40 setting property TCP_NONBLOCKING_WRITE (10) 7F14A03606E8
001863: Jun 14 10:43:04.024 MEST: TCB7F14A46A1C40 setting property TCP_NONBLOCKING_READ (14) 7F14A03606E8
001864: Jun 14 10:43:04.024 MEST: Reserved port 29380 in Transport Port Agent for TCP IP type 1
001865: Jun 14 10:43:04.024 MEST: TCP: sending SYN, seq 628235321, ack 0
001866: Jun 14 10:43:04.024 MEST: TCP0: Connection to x.x.x.x:49, advertising MSS 536
001867: Jun 14 10:43:04.024 MEST: TCP0: state was CLOSED -> SYNSENT [29380 -> x.x.x.x(49)]
001868: Jun 14 10:43:04.024 MEST: TPLUS(000011C0)/3/NB_WAIT/7F1492C7A698: Started 4 sec timeout
001869: Jun 14 10:43:04.025 MEST: TCP0: state was SYNSENT -> ESTAB [29380 -> x.x.x.x(49)]
001870: Jun 14 10:43:04.025 MEST: TCP: tcb 7F14A46A1C40 connection to x.x.x.x:49, peer MSS 1460, MSS is 536
001871: Jun 14 10:43:04.025 MEST: TPLUS(000011C0)/3/NB_WAIT: socket event 2
001872: Jun 14 10:43:04.025 MEST: TPLUS(000011C0)/3/NB_WAIT: wrote entire 63 bytes request
001873: Jun 14 10:43:04.025 MEST: TPLUS(000011C0)/3/READ: socket event 1
001874: Jun 14 10:43:04.025 MEST: TPLUS(000011C0)/3/READ: Would block while reading
001875: Jun 14 10:43:04.026 MEST: TPLUS(000011C0)/3/READ: socket event 1
001876: Jun 14 10:43:04.026 MEST: TPLUS(000011C0)/3/READ: read entire 12 header bytes (expect 18 bytes data)
001877: Jun 14 10:43:04.026 MEST: TPLUS(000011C0)/3/READ: socket event 1
001878: Jun 14 10:43:04.026 MEST: TPLUS(000011C0)/3/READ: read entire 30 bytes response
001879: Jun 14 10:43:04.026 MEST: TPLUS(000011C0)/3/7F1492C7A698: Processing the reply packet
001880: Jun 14 10:43:04.026 MEST: TPLUS: Processed AV priv-lvl=15
001881: Jun 14 10:43:04.026 MEST: TPLUS: received authorization response for 4544: PASS
001882: Jun 14 10:43:04.026 MEST: TCP0: state was ESTAB -> FINWAIT1 [29380 -> x.x.x.x(49)]
001883: Jun 14 10:43:04.026 MEST: TCP0: sending FIN
001884: Jun 14 10:43:04.026 MEST: AAA/AUTHOR/EXEC(000011C0): processing AV cmd=
001885: Jun 14 10:43:04.026 MEST: AAA/AUTHOR/EXEC(000011C0): processing AV priv-lvl=15
001886: Jun 14 10:43:04.026 MEST: AAA/AUTHOR/EXEC(000011C0): Authorization successful

show users

#sh user
Line User Host(s) Idle Location
1 vty 0 XEP_pnp-zero-touch 6d09h
* 6 vty 5 x idle 00:00:00 x

Can anyone explain why it takes the author list default or VTY_author?
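As an added example (not code from the thread or from DNAC), a Python check that models what the two debug captures show: each vty line resolves its own login and exec authorization method lists, and a line that authenticates through the TACACS group but has no authorization command falls back to the local-only 'default' exec list, which is where a TACACS-only user gets "Authorization FAILED". The config excerpt is constructed from the one posted above; FIXED applies the workaround the original poster described (authorization exec VTY_author on line vty 0 1).

```python
import re

# Constructed excerpt of the AAA and VTY configuration posted in this thread.
CONFIG = """\
aaa authentication login default local
aaa authentication login VTY_authen group dnac-network-tacacs-group local
aaa authorization exec default local
aaa authorization exec VTY_author group dnac-network-tacacs-group local if-authenticated
line vty 0 1
 login authentication VTY_authen
line vty 2 4
 authorization exec VTY_author
 login authentication VTY_authen
line vty 5 15
 authorization exec VTY_author
 login authentication VTY_authen
"""

def method_lists(config):
    """('login'|'exec', list name) -> method tokens, e.g. ['group', 'grp-name', 'local']."""
    pat = r"^aaa (authentication login|authorization exec) (\S+) (.+)$"
    return {("login" if k.endswith("login") else "exec", name): methods.split()
            for k, name, methods in re.findall(pat, config, re.M)}

def vty_lists(config):
    """vty number -> {'login': list, 'exec': list}; IOS uses 'default' when a line has no command."""
    vtys, current = {}, []
    for text in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"line vty (\d+)(?: (\d+))?$", text)
        if m:
            current = range(int(m.group(1)), int(m.group(2) or m.group(1)) + 1)
            vtys.update({n: {"login": "default", "exec": "default"} for n in current})
        elif text.startswith("line "):
            current = []          # con/aux lines are out of scope here
        elif m := re.match(r"(login authentication|authorization exec) (\S+)$", text):
            for n in current:
                vtys[n]["login" if m.group(1).startswith("login") else "exec"] = m.group(2)
    return vtys

def mismatched_vtys(config):
    """VTYs that log in via a TACACS group but authorize exec locally ("Pick method list 'default' - FAIL")."""
    lists, bad = method_lists(config), []
    for n, cfg in sorted(vty_lists(config).items()):
        login = lists.get(("login", cfg["login"]), ["local"])  # undefined list: treated as local
        exec_ = lists.get(("exec", cfg["exec"]), ["local"])
        if "group" in login and "group" not in exec_:
            bad.append(n)
    return bad

# The workaround from the thread: give vty 0 1 the same exec authorization list as the other lines.
FIXED = CONFIG.replace("line vty 0 1\n", "line vty 0 1\n authorization exec VTY_author\n")
```

Running mismatched_vtys against the posted config flags vty 0 and 1 only, which matches the 'show users' output: the PnP session holds vty 0, so a first SSH login lands on vty 1 and fails authorization, while a session that reaches vty 5 uses VTY_author and succeeds.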