05-11-2017 06:43 AM - edited 03-01-2019 04:38 AM
Hello again,
I am encountering an issue where line vty configuration is not correctly being pushed to the switch. My template contains the following:
!
line con 0
login authentication NO-TACACS
logging synchronous
!
line vty 0
login authentication NO-TACACS
logging synchronous
!
line vty 1 15
session-timeout 150
authorization commands 15 DMZ-TACACS-SERVERS
authorization exec DMZ-TACACS-SERVERS
logging synchronous
login authentication DMZ-TACACS-SERVERS
transport input ssh
!
...the generated configuration listed against the switch shows the identical configuration. However, after the config is deployed, the switch running config shows:
!
line con 0
login authentication NO-TACACS
logging synchronous
!
line vty 0
login authentication NO-TACACS
logging synchronous
!
line vty 1 4
session-timeout 150
logging synchronous
transport input ssh
!
line vty 5 15
session-timeout 150
logging synchronous
transport input ssh
!
...missing crucial AAA methods! The deployment ends in an 'error' state with the following message:
Received response from pnp agent for message correlatorId: CiscoPnP-1.0-15-324-EBF7F68-13 but with error code : ZTD_CMD_ERROR Response String: PERMISSION_DENIED:authorization failed
I assume this is because APIC-EM cannot log into the switch with the AAA TACACS credentials used as part of the build process?
FYI, 'line vty 0' is given a different configuration, as I can see via 'sh users' that it is used by the PnP process, so I thought I should not apply the TACACS AAA methods to it.
Is there any log file buried within APIC-EM which would show me why only some of the config is being applied?
cheers,
Seb.
05-11-2017 07:47 AM
Hi Seb,
This is an issue with the way the PnP agent on the device handles the "aaa authorization" commands.
There is a solution with IOS 16.3 code; however, there is also a workaround I published using an EEM script in a blog post:
Network Automation with Plug and Play (PnP) – Part 7
In your case, you should add the VTY aaa commands to the EEM script too.
Adam
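As an added illustration of the workaround Adam describes (this is not his blog script and not part of Seb's template): an EEM applet, carried inside the PnP template, that waits until PnP has finished pushing the rest of the configuration and then re-applies the three VTY lines that are missing from the running config above. The applet name, the 300-second countdown trigger, and the global method-list definitions (group tacacs+ with local fallback) are assumptions; the blog post's own script and the real AAA design may differ, so adjust them accordingly.

```ios
! Added example, not Seb's template or Adam's published EEM script.
! Assumptions: applet name, the 300 s countdown trigger, and the global
! "aaa authorization" lists (group tacacs+ local). If the blog script
! already defines the global lists, keep them there and drop them here.
event manager applet REAPPLY-VTY-AAA
 ! Fire once, 300 s after this applet is itself applied, i.e. after the
 ! PnP agent has had time to finish pushing the remainder of the template.
 event timer countdown time 300
 action 010 cli command "enable"
 action 020 cli command "configure terminal"
 ! Global method lists that the per-line "authorization" commands refer
 ! to (server group and local fallback are assumed here).
 action 030 cli command "aaa authorization exec DMZ-TACACS-SERVERS group tacacs+ local"
 action 040 cli command "aaa authorization commands 15 DMZ-TACACS-SERVERS group tacacs+ local"
 ! The three lines that were missing from "line vty 1 4" / "line vty 5 15"
 ! in the running config after the PnP deployment. vty 0 is left alone
 ! on purpose, as it is the line the PnP process itself uses.
 action 050 cli command "line vty 1 15"
 action 060 cli command "login authentication DMZ-TACACS-SERVERS"
 action 070 cli command "authorization exec DMZ-TACACS-SERVERS"
 action 080 cli command "authorization commands 15 DMZ-TACACS-SERVERS"
 action 090 cli command "exit"
 ! One-shot: remove the applet so it does not run again after a reload.
 action 100 cli command "no event manager applet REAPPLY-VTY-AAA"
 action 110 cli command "end"
 action 120 cli command "write memory"
 action 130 syslog msg "REAPPLY-VTY-AAA: VTY AAA methods re-applied"
```

Two things to check before relying on this. First, confirm afterwards with "show running-config | section line vty" that both the "1 4" and "5 15" groups now carry the login authentication and authorization lines, because the failure in the original deployment was silent apart from the PERMISSION_DENIED message. Second, once command authorization is in force, the applet's own CLI actions are subject to it as well; if the device also has a default authorization list, configure "event manager session cli username <user>" with an account that TACACS (or the local database) authorizes, otherwise the applet fails with the same authorization error the PnP agent hit.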
05-11-2017 02:26 PM
Hi Adam,
You're certainly the guy with all the answers. This deployment is for a 3560CX, so I will give the EEM script a try. Do you know if there will be a fix for switches that can't run code higher than 15.x?
Thanks again,
Seb.
05-12-2017 06:13 AM
Some answers... :-)
From release notes:
AAA device credential support. The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release IOS 15.6(3)M1, IOS XE 16.3.2, or IOS XE 16.4 or later on the device.
Let me know how the EEM script goes.
Adam