Plug and Play Weirdness, PnP with AAA Configs in Scripts (Cisco SR 688994803)

apogeenet
Level 1

Anyone noticing odd DNA-C handling of AAA commands within the PnP config push (DNA-C 1.3.3.x)? Examples:

Provision --> Devices --> Plug and Play Devices --> Device Name --> Configuration --> Template (preview)

!
aaa new-model
!
aaa authentication login ISE-AUTHENTICATE group ISE-TACACS local
aaa authentication login LOCAL-AUTHENTICATE local group ISE-TACACS
aaa authorization console
aaa authorization commands 1 ISE-AUTHORIZE group ISE-TACACS local
aaa authorization commands 15 ISE-AUTHORIZE group ISE-TACACS local
aaa authorization commands 15 LOCAL-AUTHORIZE local group ISE-TACACS
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
 exec-timeout 60 0
 privilege level 15
 authorization exec LOCAL-AUTHORIZE
 logging synchronous
 login authentication LOCAL-AUTHENTICATE
!
line vty 0 15
 exec-timeout 60 0
 privilege level 15
 authorization commands 15 ISE-AUTHORIZE
 logging synchronous
 login authentication ISE-AUTHENTICATE
 transport input ssh
!

What makes it into the configs:

aaa new-model
aaa authentication login ISE-AUTHENTICATE group ISE-TACACS local
aaa authentication login LOCAL-AUTHENTICATE local group ISE-TACACS
aaa authorization console
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

line vty 0 4
 access-class REMOTE_ALLOW in
 exec-timeout 60 0
 privilege level 15
 authorization exec LOCAL-AUTHORIZE
 logging synchronous
 login authentication LOCAL-AUTHENTICATE
line vty 5 15
 exec-timeout 60 0
 privilege level 15
 authorization exec LOCAL-AUTHORIZE
 logging synchronous
 login authentication LOCAL-AUTHENTICATE

The console's AUTH commands make it into the VTY lines, and the authorization commands are dropped from the global AAA configuration.
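A quick way to catch this kind of drift before a device goes into service is to diff the intended template against what actually landed, instead of comparing the preview and the running config by eye. Added example, not code from the thread or from Cisco: the two configs are constructed from the lines quoted above (abbreviated), and the parser assumes IOS-style one-space indentation for line sub-commands.

```python
# Constructed from the thread's intended template vs. what PnP actually pushed (abbreviated).
INTENDED = """aaa new-model
aaa authorization commands 15 ISE-AUTHORIZE group ISE-TACACS local
line vty 0 15
 authorization commands 15 ISE-AUTHORIZE
 login authentication ISE-AUTHENTICATE"""

ACTUAL = """aaa new-model
line vty 0 4
 access-class REMOTE_ALLOW in
 authorization exec LOCAL-AUTHORIZE
 login authentication LOCAL-AUTHENTICATE
line vty 5 15
 authorization exec LOCAL-AUTHORIZE
 login authentication LOCAL-AUTHENTICATE"""

def parse_ios(text):
    """Return (global lines, {vty number: its sub-commands}); 'line vty A B' is expanded to A..B."""
    glob, vtys, cur = set(), {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith('!'):
            continue
        if raw[0].isspace() and cur is not None:   # indented child of the current 'line' stanza
            cur.add(raw.strip())
        elif raw.startswith('line '):
            cur, p = set(), raw.split()             # new stanza; only vty stanzas are kept
            if p[1] == 'vty':
                for n in range(int(p[2]), int(p[-1]) + 1):
                    vtys[n] = cur
        else:
            cur = None
            glob.add(raw.strip())
    return glob, vtys

def audit(intended, actual):
    """Dropped global 'aaa' lines, plus per-VTY login/authorization lines missing or not in the template."""
    want_g, want_v = parse_ios(intended)
    have_g, have_v = parse_ios(actual)
    report = {'global_missing': sorted(c for c in want_g - have_g if c.startswith('aaa ')),
              'vty_missing': {}, 'vty_unexpected': {}}
    for n, want in sorted(want_v.items()):
        have = have_v.get(n, set())
        for c in sorted(want - have):
            report['vty_missing'].setdefault(c, []).append(n)
        for c in sorted(have - want):
            if c.split()[0] in ('login', 'authorization'):  # auth drift only; access-class etc. ignored
                report['vty_unexpected'].setdefault(c, []).append(n)
    return report
```

Run `audit(INTENDED, ACTUAL)` against a `show running-config` capture to get the dropped global method lists and the VTY ranges that ended up with the console's local lists.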

Accepted Solution

Old but good script from @aradford: https://community.cisco.com/t5/networking-blogs/network-automation-with-plug-and-play-pnp-part-7/ba-p/3658518

Modified his script a bit, but it led in the right direction (APIC-EM issues often surface on DNA-C):

! Username EEM presents for its CLI actions, so AAA command authorization is evaluated for it at privilege 15
event manager session cli username sdadmin443322 privilege 15
! One-shot applet: the countdown fires once, 180 s after the applet is registered
event manager applet PNP_AAA_FIX
event timer countdown time 180
action 1.0 cli command "enable"
action 1.3 cli command "config t"
! Global command-authorization method lists that did not survive the PnP push
action 1.6 cli command "aaa authorization commands 1 ISE-AUTHORIZE group ISE-TACACS local"
action 1.9 cli command "aaa authorization commands 15 ISE-AUTHORIZE group ISE-TACACS local"
action 2.2 cli command "aaa authorization commands 15 LOCAL-AUTHORIZE local group ISE-TACACS"
! Put the intended TACACS+ lists back on all VTYs and remove the console's local exec authorization
action 2.5 cli command "line vty 0 15"
action 2.8 cli command "authorization commands 15 ISE-AUTHORIZE"
action 3.1 cli command "no authorization exec LOCAL-AUTHORIZE"
action 3.4 cli command "login authentication ISE-AUTHENTICATE"
! The applet removes itself so the fix runs only once, then the config is saved
action 3.7 cli command "no event manager applet PNP_AAA_FIX"
action 4.0 cli command "end"
action 4.3 cli command "wr mem"

3 Replies

J. Aske
Level 1

Looks like you are hitting this DNA bug - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt63467

Workaround in there does not work... sounds similar for sure.