03-15-2022 08:32 AM
DNAC fails when provisioning brownfield devices that have TACACS configured. What is the intended/recommended workflow for using DNAC to manage brownfield switches? Should TACACS/AAA commands be removed in order to provision? This becomes problematic when there are thousands of devices being managed.
Thanks!
03-15-2022 10:49 AM
What user are you using for the CLI credentials? This user must have total privileges.
03-15-2022 01:22 PM
If you remove the AAA settings from Design->Network Settings, then you will be able to complete the provision. You then have 2 choices for the long term:
1) Manage your existing AAA settings via day-N templates.
2) Use the provision workflow to convert your brownfield AAA configs to the configs that DNA wants to see. That should enable you to re-enable AAA management via Design->Network settings going forward.
But you want to avoid having AAA configs in Design Settings AND in day-N templates at the same time.
03-17-2022 06:37 AM
03-17-2022 09:46 AM
You can provision a spare device to see the aaa configs that DNA deploys.
03-18-2022 03:16 PM
03-18-2022 05:40 PM
Your template can first unconfigure aaa and then reconfigure it with the same commands DNA expects (in the same template). Or just unconfigure aaa with a template and reapply AAA in Design Settings, but that takes 2 provisions instead of just 1.
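The single-template approach described in the two replies above (unconfigure the brownfield AAA, then reapply the AAA that DNA Center expects, in one provision) can be generated rather than hand-written for thousands of switches. The following is an added example, not code from the thread or from Cisco: it parses a constructed brownfield IOS running-config, emits the `no` commands in an order IOS accepts (method lists before the server group, the group before its `tacacs server` entries), keeps `aaa new-model` in place, and appends the replacement commands. The `DNA_EXPECTED_AAA` list is a placeholder with made-up names; as the earlier reply says, capture the real commands from a spare device that DNA Center provisioned. The `has_local_fallback` check is an added safeguard against the lockout scenario raised later in the thread, not a DNA Center feature.

```python
"""Generate the 'unconfigure old AAA, reapply new AAA' body of a day-N template
from a brownfield IOS running-config.  Example code, not part of the thread."""

# Constructed sample of a brownfield switch's AAA/TACACS config (not a real device).
SAMPLE_CONFIG = """\
hostname sw-brownfield-01
aaa new-model
aaa group server tacacs+ ISE-TACACS
 server name ise-psn-1
 server name ise-psn-2
aaa authentication login default group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
aaa authorization exec default group ISE-TACACS local
aaa authorization commands 15 default group ISE-TACACS local
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
aaa session-id common
ip tacacs source-interface Vlan10
tacacs server ise-psn-1
 address ipv4 192.0.2.11
 key 7 0123456789ABCDEF
tacacs server ise-psn-2
 address ipv4 192.0.2.12
 key 7 0123456789ABCDEF
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
end
"""

# AAA method-list types and how many tokens identify the list; the 'no' form
# must stop right after the list name ('commands <level> <list>' has one more).
METHOD_LIST_TOKENS = {
    ("authentication", "login"): 4,
    ("authentication", "enable"): 4,
    ("authorization", "exec"): 4,
    ("authorization", "network"): 4,
    ("authorization", "commands"): 5,
    ("accounting", "exec"): 4,
    ("accounting", "network"): 4,
    ("accounting", "system"): 4,
    ("accounting", "connection"): 4,
    ("accounting", "commands"): 5,
}


def top_level_lines(config):
    """Return non-indented lines only: stanza headers and global commands."""
    return [l.rstrip() for l in config.splitlines() if l and not l.startswith(" ")]


def negate_aaa(config):
    """Ordered 'no ...' commands that strip the TACACS-related AAA config.
    Method lists come out first (they reference the group), then the group,
    then the tacacs servers and global tacacs settings.  'aaa new-model' is
    deliberately kept so the switch never falls back to line passwords."""
    method_lists, groups, servers, globals_ = [], [], [], []
    for line in top_level_lines(config):
        tok = line.split()
        if tok[:4] == ["aaa", "group", "server", "tacacs+"]:
            groups.append("no " + line)
        elif tok[:2] == ["tacacs", "server"]:
            servers.append("no " + line)
        elif tok[0] == "tacacs-server":
            # legacy global form: 'host' needs its address, 'key'/'timeout' do not
            keep = 3 if len(tok) > 2 and tok[1] == "host" else 2
            globals_.append("no " + " ".join(tok[:keep]))
        elif tok[:3] == ["ip", "tacacs", "source-interface"]:
            globals_.append("no ip tacacs source-interface")
        elif tok[0] == "aaa" and len(tok) > 2 and (tok[1], tok[2]) in METHOD_LIST_TOKENS:
            n = METHOD_LIST_TOKENS[(tok[1], tok[2])]
            method_lists.append("no " + " ".join(tok[:n]))
    return method_lists + groups + servers + globals_


def has_local_fallback(commands):
    """Lockout guard: every 'aaa authentication login' list in the replacement
    config must include 'local' so console login still works if the new
    TACACS group is wrong or unreachable.  Added check, not a DNA feature."""
    login_lists = [c.split() for c in commands if c.startswith("aaa authentication login")]
    return bool(login_lists) and all("local" in tok for tok in login_lists)


def build_day_n(config, dna_aaa_commands):
    """Assemble the one-pass template body: old AAA removed, new AAA applied."""
    if not has_local_fallback(dna_aaa_commands):
        raise ValueError("replacement AAA has no local fallback; refusing to build")
    return negate_aaa(config) + list(dna_aaa_commands)


# Placeholder with hypothetical names.  Replace with the output of
# 'show run | include aaa|tacacs' from a spare switch DNA Center provisioned.
DNA_EXPECTED_AAA = [
    "aaa group server tacacs+ NEW-TACACS-GROUP",
    " server name new-tacacs-1",
    "aaa authentication login default group NEW-TACACS-GROUP local",
    "aaa authorization exec default group NEW-TACACS-GROUP local",
]

if __name__ == "__main__":
    print("\n".join(build_day_n(SAMPLE_CONFIG, DNA_EXPECTED_AAA)))
```

Run it against a real `show running-config` dump and paste the output into the day-N template; the `no` commands are derived from the device's own config, so a switch with a differently named server group or extra accounting lists gets the matching negations without editing the template by hand.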
04-05-2024 11:32 AM
Sorry to awaken the necro-thread here. But I am running into the same issue and have a question.
If I make the template that removes our current AAA and TACACS config, then reapply the config using the commands that DNA would see if it deployed it, then move it to a different network or something to reprovision it with a new template and with the AAA and TACACS config in the settings instead, would this work?
The issue I have is that I built ISE to default deny, and all of our equipment also blocks sign-in with local creds if TACACS servers are reachable. And to top it off, all my VLANs are assigned via 802.1X responses, and the switch has all access ports assigned to a guest VLAN by default; if ISE is unreachable they fall into a VLAN similar to guest where they lose all internal access. So I am having a hard time trying to figure out what configs I need to remove so I can get CCC to push the configs, not get locked out of the switch, and not kill access to the machines on the switch.