
NCSO20070: One or more AAA CLI(s) are already present on the device

DJW487
Level 1

This might be more of a complaint than a question...

But I have a switch that I PnP onboarded. I assigned it to a site and provisioned the switch. Then I realised I assigned it to the wrong site.

I deleted the switch from inventory, and re-added it to the correct site and tried to provision again.

However, provisioning fails since it doesn't like the fact there were already radius groups and accounting settings on the switch. The exact ones it previously provisioned, and were the same as what it was about to provision anyway.

So I have to go in and manually remove all the 'conflicting' aaa config, resync then reprovision just for it to put the exact same settings back on the switch.

This is on 2.3.5.5. Hopefully it's fixed in later versions...


Torbjørn
Spotlight

While I do agree that this is annoying, I think this might be a good precaution for Catalyst Center to take.

A couple of years ago I experienced a situation where a non-Cisco automation tool broke authentication on a few hundred IOS-XE devices. This happened as the tool wasn't able to "understand" and account for certain lines of existing configuration.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

maflesch
Cisco Employee

As Torbjorn mentioned, this is intended behavior to protect the system and the network devices from getting locked out. Catalyst Center will not provision a device that has brownfield AAA configuration with the exception of the Learn Device Config feature. The point of this is because Catalyst Center cannot determine which configuration is safe to remove/ignore so that it can push the required configuration to bring the device into a managed state for network settings. 

You may ask why the provision doesn't import the existing configuration, and again, that is to protect the system and the network device from bricking or locking out the users. So instead, when brownfield AAA commands that were not pushed by Catalyst Center to an existing managed device are detected during a provision operation and AAA is defined in the network settings for that site the device is being provisioned to, Catalyst Center will fail the operation and give you that warning.

And yes, Catalyst Center originally provisioned those configs, but when you removed the device from inventory, those records were deleted from Catalyst Center's database thus making them brownfield configurations once you re-added the device.
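
As an added example (not part of the thread, and not Catalyst Center's own logic): a Python script that lists the AAA-related commands in a saved running-config, plus the `line` sub-commands that depend on AAA method lists, so they can be reviewed before the manual cleanup and reprovision described above. The prefix lists and the sample configuration are assumptions constructed for illustration.

```python
# Assumption: illustrative prefixes only; this is not Catalyst Center's own
# detection list, which the thread does not give.
AAA_PREFIXES = ("aaa ", "radius server ", "radius-server ",
                "tacacs server ", "tacacs-server ", "ip radius ", "ip tacacs ")
# Sub-commands under "line ..." that point at AAA method lists (assumption).
LINE_AAA = ("login authentication ", "authorization ", "accounting ")

# Constructed sample running-config, not taken from a real device.
SAMPLE_CONFIG = """\
hostname SW1
aaa new-model
aaa group server radius EXAMPLE-GROUP
 server name EXAMPLE-RADIUS
 ip radius source-interface Vlan10
!
aaa authentication login default group EXAMPLE-GROUP local
aaa accounting exec default start-stop group EXAMPLE-GROUP
radius server EXAMPLE-RADIUS
 address ipv4 192.0.2.50 auth-port 1812 acct-port 1813
!
line vty 0 4
 login authentication default
"""

def parse_blocks(config_text):
    """Split a config into (top-level command, [indented children]) pairs."""
    blocks = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and "!" separators
        if line[0].isspace():
            if blocks:  # indented line belongs to the last top-level command
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line, []))
    return blocks

def find_aaa_blocks(config_text):
    """Top-level AAA-related commands, each with its child lines."""
    return [b for b in parse_blocks(config_text) if b[0].startswith(AAA_PREFIXES)]

def find_line_dependencies(config_text):
    """(line header, sub-command) pairs that rely on an AAA method list."""
    return [(head, child) for head, kids in parse_blocks(config_text)
            if head.startswith("line ") for child in kids
            if child.startswith(LINE_AAA)]

if __name__ == "__main__":
    print(find_aaa_blocks(SAMPLE_CONFIG))
    print(find_line_dependencies(SAMPLE_CONFIG))
```

The second list matters for the lockout concern raised in the replies: a `line` that references a method list stops authenticating as expected if that list is removed while the reference remains.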
