04-29-2020 04:15 PM
Anyone noticing DNA-C's odd handling of AAA commands within the PNP config push (DNA-C 1.3.3.x)? Examples:
Provision --> Devices --> Plug and Play Devices --> Device Name --> Configuration --> Template (preview)
!
aaa new-model
!
aaa authentication login ISE-AUTHENTICATE group ISE-TACACS local
aaa authentication login LOCAL-AUTHENTICATE local group ISE-TACACS
aaa authorization console
aaa authorization commands 1 ISE-AUTHORIZE group ISE-TACACS local
aaa authorization commands 15 ISE-AUTHORIZE group ISE-TACACS local
aaa authorization commands 15 LOCAL-AUTHORIZE local group ISE-TACACS
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
exec-timeout 60 0
privilege level 15
authorization exec LOCAL-AUTHORIZE
logging synchronous
login authentication LOCAL-AUTHENTICATE
!
line vty 0 15
exec-timeout 60 0
privilege level 15
authorization commands 15 ISE-AUTHORIZE
logging synchronous
login authentication ISE-AUTHENTICATE
transport input ssh
!
What makes it into the configs:
aaa new-model
aaa authentication login ISE-AUTHENTICATE group ISE-TACACS local
aaa authentication login LOCAL-AUTHENTICATE local group ISE-TACACS
aaa authorization console
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
access-class REMOTE_ALLOW in
exec-timeout 60 0
privilege level 15
authorization exec LOCAL-AUTHORIZE
logging synchronous
login authentication LOCAL-AUTHENTICATE
line vty 5 15
exec-timeout 60 0
privilege level 15
authorization exec LOCAL-AUTHORIZE
logging synchronous
login authentication LOCAL-AUTHENTICATE
The console's AUTH commands make it into the VTY lines, and the global "aaa authorization commands" configurations were dropped.
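As an added example (not from the original post and not a Cisco tool), here is a small Python audit that compares the intended PnP template against what actually landed on the device, so the drift described above is caught right after a push instead of by eyeballing show running-config. INTENDED and PUSHED are the template and resulting config quoted in the post; the only change is that the line sub-commands are indented one space, as IOS prints them (the forum copy lost the leading space). Pulling the running-config off the device is left to whatever transport you already use; the parser only needs the text.

```python
"""Audit a DNA-C PnP pushed IOS config against the intended template.
Added example for this thread; INTENDED/PUSHED are the template and result
quoted above, sub-commands indented one space as `show running-config` does."""
import re

INTENDED = """\
aaa new-model
aaa authentication login ISE-AUTHENTICATE group ISE-TACACS local
aaa authentication login LOCAL-AUTHENTICATE local group ISE-TACACS
aaa authorization console
aaa authorization commands 1 ISE-AUTHORIZE group ISE-TACACS local
aaa authorization commands 15 ISE-AUTHORIZE group ISE-TACACS local
aaa authorization commands 15 LOCAL-AUTHORIZE local group ISE-TACACS
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line con 0
 exec-timeout 60 0
 privilege level 15
 authorization exec LOCAL-AUTHORIZE
 logging synchronous
 login authentication LOCAL-AUTHENTICATE
line vty 0 15
 exec-timeout 60 0
 privilege level 15
 authorization commands 15 ISE-AUTHORIZE
 logging synchronous
 login authentication ISE-AUTHENTICATE
 transport input ssh
"""

PUSHED = """\
aaa new-model
aaa authentication login ISE-AUTHENTICATE group ISE-TACACS local
aaa authentication login LOCAL-AUTHENTICATE local group ISE-TACACS
aaa authorization console
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
 access-class REMOTE_ALLOW in
 exec-timeout 60 0
 privilege level 15
 authorization exec LOCAL-AUTHORIZE
 logging synchronous
 login authentication LOCAL-AUTHENTICATE
line vty 5 15
 exec-timeout 60 0
 privilege level 15
 authorization exec LOCAL-AUTHORIZE
 logging synchronous
 login authentication LOCAL-AUTHENTICATE
"""

# 'line con 0' or 'line vty 0 15': kind, first number, optional last number
LINE_RE = re.compile(r"^line (\S+) (\d+)(?: (\d+))?$")


def parse_ios(text):
    """Return (globals, lines): globals is the set of top-level commands,
    lines maps ("vty", n) -> set of sub-commands, with 'line X a b' ranges
    expanded so 'vty 0 15' compares against 'vty 0 4' + 'vty 5 15'."""
    globals_, lines, current = set(), {}, []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # sub-command of the current line(s)
            for key in current:
                lines[key].add(raw.strip())
            continue
        m = LINE_RE.match(raw)
        if m:                              # start of a terminal-line block
            first = int(m.group(2))
            last = int(m.group(3)) if m.group(3) else first
            current = [(m.group(1), n) for n in range(first, last + 1)]
            for key in current:
                lines.setdefault(key, set())
        else:                              # any other top-level command
            current = []
            globals_.add(raw.strip())
    return globals_, lines


def audit(intended, pushed):
    """Report dropped globals, terminal lines absent from the push, and
    per-line sub-command drift. Anything AAA-related in the result is the
    failure the thread describes (console method lists landing on the VTYs,
    'aaa authorization commands' globals missing)."""
    want_g, want_l = parse_ios(intended)
    got_g, got_l = parse_ios(pushed)
    report = {
        "missing_globals": sorted(want_g - got_g),
        "absent_lines": sorted(k for k in want_l if k not in got_l),
        "line_diffs": {},
    }
    for key, want in want_l.items():
        got = got_l.get(key)
        if got is not None and got != want:
            report["line_diffs"][key] = {"missing": sorted(want - got),
                                         "extra": sorted(got - want)}
    return report
```

Calling audit(INTENDED, PUSHED) reports the three dropped "aaa authorization commands" globals, flags line con 0 as absent only because the poster's excerpt omits it, and for every VTY 0-15 lists the console method lists (authorization exec LOCAL-AUTHORIZE, login authentication LOCAL-AUTHENTICATE) as extra and authorization commands 15 ISE-AUTHORIZE, login authentication ISE-AUTHENTICATE and transport input ssh as missing. Note the last item: the pushed VTY blocks quoted above carry no transport input ssh either.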
04-30-2020 06:40 AM
Looks like you are hitting this DNA bug - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt63467
04-30-2020 08:29 AM
The workaround in there does not work... sounds similar for sure.
04-30-2020 06:40 PM
Old but good script from @aradford: https://community.cisco.com/t5/networking-blogs/network-automation-with-plug-and-play-pnp-part-7/ba-p/3658518
I modified his script a bit, but it led in the right direction (APIC-EM issues often surface on DNA-C):
! Username the EEM CLI session runs its commands as when AAA is enabled;
! it needs privilege 15 for the config changes below
event manager session cli username sdadmin443322 privilege 15
!
! One-shot applet: fires 180 s after this config is applied, giving the
! PnP push time to finish before the AAA lines are corrected
event manager applet PNP_AAA_FIX
 event timer countdown time 180
 action 1.0 cli command "enable"
 action 1.3 cli command "config t"
 ! restore the global command-authorization method lists PnP dropped
 action 1.6 cli command "aaa authorization commands 1 ISE-AUTHORIZE group ISE-TACACS local"
 action 1.9 cli command "aaa authorization commands 15 ISE-AUTHORIZE group ISE-TACACS local"
 action 2.2 cli command "aaa authorization commands 15 LOCAL-AUTHORIZE local group ISE-TACACS"
 ! vty 0 15 covers both blocks PnP wrote (0-4 and 5-15); swap the
 ! console method lists for the intended VTY ones
 action 2.5 cli command "line vty 0 15"
 action 2.8 cli command "authorization commands 15 ISE-AUTHORIZE"
 action 3.1 cli command "no authorization exec LOCAL-AUTHORIZE"
 action 3.4 cli command "login authentication ISE-AUTHENTICATE"
 ! remove the applet so it does not fire again, then save
 action 3.7 cli command "no event manager applet PNP_AAA_FIX"
 action 4.0 cli command "end"
 action 4.3 cli command "wr mem"