
On Prem SSM does not register devices

akrapf_007
Level 1

I have been struggling with getting my switches to properly register with my on prem SSM.  I have followed every guide I can find, as well as looking at solutions on this board, all with no results.  I have been able to use the SSM with my DNAC and ISE.

My test switch is a C9200CX (v17.13.1).  I have tried CSLU, SmartTransport, and SmartCallHome and they all fail.  The closest I got to making it work is using CSLU, however I get an error indicating it doesn't have the correct credentials (?)

I can't believe this is all that hard, so what am I missing?  I know everyone will ask what my config is, so let me just say that I have tried the configs marked as SOLUTION from this board and others that don't work.

The last one I used is:

crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check none
ip http client source-interface (either interface name or vrf)
license smart transport cslu
license smart url cslu (CSLU url from on-prem)
exit
license smart trust idtoken (token) local
license smart sync all

Accepted Solutions

I did get this functioning (finally).  TAC didn't get me there after a few weeks of back and forth, but I discovered the issue which was seriously basic.  There was one line of config missing in my switches. What is needed is:

  • aaa new-model
  • aaa authorization exec default local
  • netconf ssh
  • netconf-yang
  • license smart url <cslu URL from on prem SSM>

After this, you have to add the device policy in the SSM.  It should make the connection as long as you have the profile in your device set for the destination address of the cslu url.  

What was odd was that in some switches the aaa authorization exec default local was there by default, in others it was not. Since I hadn't used it before, I didn't know to look for it.  
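
A check for the lines listed in the accepted answer above, as an added example that is not part of the original post: it audits running-config text for those lines and flags a license smart url line that points at a different address. The URL, the sample configs and the function names are constructed for illustration.

```python
import re

# Constructed placeholder; substitute the CSLU URL your on-prem SSM shows.
CSLU_URL = "https://ssm.example.test/placeholder-cslu-path"

def required(cslu_url):
    """(label, exact regex, prefix) for each line the accepted answer lists."""
    url = re.escape(cslu_url)
    return [
        ("aaa new-model", r"aaa new-model", "aaa new-model"),
        ("aaa authorization exec default local",
         r"aaa authorization exec default local", "aaa authorization exec default "),
        ("netconf ssh", r"netconf ssh", "netconf ssh"),
        ("netconf-yang", r"netconf-yang", "netconf-yang"),
        # The thread shows the URL both with and without the "cslu" keyword.
        ("license smart url", rf"license smart url (cslu )?{url}", "license smart url "),
    ]

def audit(config_text, cslu_url=CSLU_URL):
    """Map each label to (status, line); status: present, variant or missing."""
    # Global commands start in column 0. Indented lines belong to a sub-mode
    # and "no ..." negations start with "no", so neither can match below.
    top = [l.rstrip() for l in config_text.splitlines() if l and not l[0].isspace()]
    report = {}
    for label, exact, prefix in required(cslu_url):
        hit = next((l for l in top if re.fullmatch(exact, l)), None)
        # "variant": same command with different arguments, review by hand.
        near = next((l for l in top if l.startswith(prefix)), None)
        report[label] = ("present", hit) if hit else ("variant", near) if near else ("missing", None)
    return report

def not_present(config_text, cslu_url=CSLU_URL):
    return [k for k, (status, _) in audit(config_text, cslu_url).items() if status != "present"]

# Constructed running-config excerpts, not taken from the thread.
SWITCH_A = """hostname sw-a
aaa new-model
aaa authorization exec default local
netconf ssh
netconf-yang
license smart url cslu https://ssm.example.test/placeholder-cslu-path
"""
SWITCH_B = """hostname sw-b
aaa new-model
netconf-yang
license smart url https://other.example.test/placeholder-cslu-path
"""
for name, cfg in (("sw-a", SWITCH_A), ("sw-b", SWITCH_B)):
    print(name, not_present(cfg))
```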


bgillies95
Level 1

Hi,

Did you ever get this working? We have a lot of devices for our customer which work with the On-Prem, however I cannot seem to get the Nexus devices working. So frustrating! I have a TAC case open, but it's the typical scenario going around in circles. CSLU seems to get us the closest, where the device will show up on the product instance page, however it doesn't seem to use the trust token and take the appropriate licences. It can't be a firewall issue since the switch and the on-prem exist within the same subnet. Additionally, other devices also register without issue.

 
