
vManage fails to attach device to a template - Access Denied

Fabot
Level 1

Using vManage 20.9, it is failing to attach devices to a template.

There is some advice on the internet to remove the ciscotacro and ciscotacrw users from the vManage CLI. It didn't work.

Error message from vManage GUI:

application error tag : access-denied

Accepted Solutions

Dear @Flavio Miranda 

Problem solved.

I was using a CLI Device Template with only two lines (system and site-id 1), and the error message was "access-denied".

It was not so intuitive about the root cause. LoL

Therefore, the solution was found in a "trial and error" fashion. 

I just tried a new CLI Device Template using the device's whole configuration, instead of just two lines. As a result, it was then accepted and worked accordingly. Now the devices are in vManage Mode.

Thank you so much for your support and attention!


Hi

There's a bug with similar behavior

https://bst.cisco.com/bugsearch/bug/CSCvu69248

 

Hello dear Flavio... Thanks for your reply!

But I could not open the mentioned link. Is there any workaround for the referred bug?

It is important to recall here that I have faced that same issue on vManage versions: 18.4.5, 20.9.1, and 20.9.3.1. This last one is recommended by Cisco as a stable version.

Attached are some relevant print screen images, showing the full error messages as well as the "Out of Sync" status.

Workaround: If cli template or test scripts are used and you get application error access denied during push, please ensure that the following config is removed from the aaa config:

user ciscotacro
 description CiscoTACReadOnly
 group operator
!
user ciscotacrw
 description CiscoTACReadWrite
 group netadmin
!

Dear @Flavio Miranda ,

Below is the running-config from vManager, with the pertinent AAA configuration. Which lines should be removed?

vManager# show run
system
 host-name vManager
 system-ip 100.100.100.1
 site-id 1
 admin-tech-on-failure
 no vrrp-advt-with-phymac
 sp-organization-name home
 organization-name home
 vbond 10.1.1.2
 aaa
  auth-order local radius tacacs
  usergroup basic
   task system read
   task interface read
  !
  usergroup global
  !
  usergroup netadmin
  !
  usergroup network_operations
   task policy read write
  !
  usergroup operator
   task system read
   task interface read
   task policy read
   task routing read
   task security read
  !
  usergroup resource_group_admin
   task system read
   task interface read
  !
  usergroup resource_group_basic
   task system read
   task interface read
  !
  usergroup resource_group_operator
   task system read
   task interface read
  !
  usergroup security_operations
   task security read write
  !
  usergroup tenantadmin
  !
  user admin
   password xxx
  !
  ciscotacro-user true
  ciscotacrw-user true
 !

@Fabot

You should have this line on your script, but it seems you don't. Probably the workaround will not apply to you.

"user ciscotacro
 description CiscoTACReadOnly
 group operator
!
user ciscotacrw
 description CiscoTACReadWrite
 group netadmin
!"
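
An added example, not part of any post in this thread: a small Python check that tells apart the two things discussed above, the `user ciscotacro` / `user ciscotacrw` stanzas named in the workaround and the `ciscotacro-user true` / `ciscotacrw-user true` flags in the posted running-config. The function name and both sample strings are constructed for illustration from text quoted in the thread.

```python
# User names taken from the workaround text quoted in the thread.
TAC_USERS = ("ciscotacro", "ciscotacrw")
# Knobs seen in the posted running-config; these are not user stanzas.
TAC_FLAGS = ("ciscotacro-user", "ciscotacrw-user")

# Constructed samples: the workaround text as posted (flattened onto one
# line) and an excerpt of the posted running-config.
WORKAROUND_SAMPLE = (
    "user ciscotacro description CiscoTACReadOnly group operator ! "
    "user ciscotacrw description CiscoTACReadWrite group netadmin !"
)
RUNNING_SAMPLE = """\
aaa
 auth-order local radius tacacs
 user admin
  password xxx
 !
 ciscotacro-user true
 ciscotacrw-user true
!
"""


def audit_template(text):
    """Find TAC user stanzas and TAC flags in CLI template text.

    Works on whitespace-separated tokens, so the indented multi-line form
    and the flattened one-line form give the same result.
    """
    tokens = text.split()
    stanzas, flags = [], {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "user" and nxt in TAC_USERS:
            # Collect everything up to the "!" that closes the stanza.
            j = i + 2
            while j < len(tokens) and tokens[j] != "!":
                j += 1
            stanzas.append(" ".join(tokens[i:j]))
            i = j
        elif tok in TAC_FLAGS and nxt is not None:
            flags[tok] = nxt
            i += 1  # skip the flag's value
        i += 1
    # Assumption from the thread: the workaround only has something to
    # remove when the explicit user stanzas are present.
    return {"stanzas": stanzas, "flags": flags,
            "workaround_applies": bool(stanzas)}


if __name__ == "__main__":
    for name, sample in (("workaround text", WORKAROUND_SAMPLE),
                         ("running-config excerpt", RUNNING_SAMPLE)):
        print(name, audit_template(sample))
```
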

Thanks, dear @Flavio Miranda !

I am still looking for a valid workaround for this issue. If you find anything, please share here.
