I'm trying to manage several 3750 stacks using CNA and it's able to authenticate with all but two of the stacks (these are NOT cluster members). During the discovery process, CNA keeps prompting for a username/password. We use TACACS+, so I give it the same username/password that I would when I log in using SSH. Here's where things come off the rails for me. If I go to my ACS server, pull up troubleshooting and then load up CNA, I do not see any activity. If I turn on debugs on the switch, here's the output I get while trying to connect with CNA:
TACACS+ events debugging is on
TACACS+ authentication debugging is on
TACACS+ authorization debugging is on
TACACS+ packets debugging is on
AAA Authentication debugging is on
AAA Authorization debugging is on
HTTP Server Authentication debugging is on
Mar 4 16:26:19: HTTP: Authentication failed for level 15
The funny thing is that if I do these same debugs on a switch that works I get this:
Mar 4 16:32:25: HTTP: Priv level granted 15
Mar 4 16:32:25: AAA/BIND(000005A8): Bind i/f
(this is repeated several dozen times)
My understanding of ip http is that if no authentication is enabled it uses the authentication method used by vty (the switch is using http server version 1). The switch is configured to use aaa/tacacs for vty. If that is the case, then why don't I see activity in ACS and why don't I see a bunch of output from all of the other debugs? How is CNA authenticating with the switch?
Does anybody else think Cisco's aaa new-model configuration is as clear as mud? For what it's worth, I figured out the problem (just in case anybody else has the same issue). What killed me was this line:
aaa authentication enable default group tacacs+ enable
There's nothing wrong with this command. I think all it's saying is that exec privilege can be provided by tacacs+ OR the locally configured enable secret/password. The problem for me was that the user account I was using to log in just happened to have a different password (in Active Directory) than it did on the local switch for TWO of the ten switch stacks I was trying to group together. The other switch stacks had the same enable secret as the user account's password. Now what I don't understand is why the switch decided to look at the enable secret first before trying tacacs. That doesn't seem logical to me. How does the switch make this decision? Is that documented anywhere?
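An added example (not from the original thread, and not Cisco's or the CNA team's configuration): an IOS fragment that places the enable method list quoted above next to an explicit binding of the HTTP server to AAA, so that the HTTP/HTTPS session CNA opens is authenticated through the same TACACS+ method lists as the vty lines rather than through whatever the platform's default for ip http authentication happens to be. The server group name TAC_GRP, the address 192.0.2.10 and the key are placeholders. Cisco's documented method-list semantics also matter here: later methods in a list are consulted only when the earlier method returns an error (for example, no TACACS+ server reachable), not when it rejects the credentials.

```cisco
! Added example; TAC_GRP, 192.0.2.10 and the key are placeholders
aaa new-model
!
tacacs-server host 192.0.2.10 key PLACEHOLDER_KEY
aaa group server tacacs+ TAC_GRP
 server 192.0.2.10
!
! Methods are tried in order; "enable" is used only if TAC_GRP
! returns an error (unreachable), never on an explicit reject.
aaa authentication login default group TAC_GRP enable
aaa authentication enable default group TAC_GRP enable
aaa authorization exec default group TAC_GRP if-authenticated
!
! Bind the HTTP(S) server CNA talks to explicitly to AAA, so it
! does not rely on the platform default for http authentication.
ip http server
ip http secure-server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
!
line vty 0 15
 login authentication default
 authorization exec default
```

With this in place, a CNA login attempt should show up in the same debug tacacs and debug aaa authentication output as an SSH login, which makes a silent fallback to the local enable secret much easier to spot.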
I am srikanth from the CNA dev engineering team. Sorry for the late response.
Here are the answers to your queries,
1) How is CNA authenticating with the switch?
--CNA authenticates with the switch using device credentials with the help of HTTP/HTTPS.
Please make sure the protocols are enabled on the device.
CNA allows authenticating the device as per the configuration set on the device, like local username/password or enable secret password. We can also configure these using CNA from the username and passwords option.
You explained some scenarios of how the switch is behaving,
We need to contact the IOS team regarding this. Please let me know whether this has clarified things for you, or whether we need to contact the IOS team?
Please let me know your comments on this.