We want to replace 400 switches and 100 routers and believe PnP will save us hours of work and raise the level of automation and consistency for our company considerably. I am getting an error on a test PnP WS-C3850-48P job.
Received response from pnp agent for message correlatorId: CiscoPnP-1.0-2589-324-3D89CC5C-2589 but with error code : ZTD_CMD_ERROR Response String: PERMISSION_DENIED:authorization failed
I have not provided APIC-EM with any information about this switch other than the details outlined in the project. I can log in to the switch with AAA commands as if it were part of the network. Does APIC-EM try to run a discovery of the host after a successful deploy? If so, I have updated the ACLs we use to control SNMP/SSH traffic to and from network devices.
This is a known issue with PnP.
The issue seems to be the 'aaa command authorisation' command. Long story as to why this is the case, but this will be what is causing the issue. If you remove it from the PnP config it should be fine.
The config will be successfully deployed to the device; it is just that the controller does not think it has been. The team is working on fixing this in future releases.
You only need to remove the command authorization command. You can still configure authentication, and that should work.
Try the template with the struck-through commands removed:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting update periodic 1
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
no aaa accounting system guarantee-first
For the APIC-EM 1.4.x release, as an agent-side fix is required, you also need an updated version of IOS on your device. Refer to the post for details about the workaround: Network Automation with Plug and Play (PnP) – Part 7
Or you can use an EEM script. I added the following at the end of the config to be pushed to the provisioned equipment. Replace "sdn2" with an existing TACACS account with privilege level 15.
event manager session cli username sdn2 privilege 15
event manager applet POST_PNP
 ! fires once, 30 seconds after PnP has pushed this config
 event timer countdown time 30
 action 1.0 cli command "enable"
 ! debug only: remove both debug actions for production
 action 1.1 cli command "debug event manager action cli"
 action 1.2 cli command "debug aaa authorization"
 action 1.8 cli command "config t"
 ! the command-authorization lines that were left out of the PnP template
 action 2.1 cli command "aaa authorization commands 1 default group ISE-T if-authenticated"
 action 2.2 cli command "aaa authorization commands 15 default group ISE-T if-authenticated"
 ! the applet removes itself before the config is saved
 action 2.3 cli command "no event manager applet POST_PNP"
 action 2.8 cli command "end"
 action 2.9 cli command "wr mem"
 action 3.0 cli command "end"
(Remove the debug commands for production: action 1.1 cli command "debug event manager action cli" and action 1.2 cli command "debug aaa authorization".)
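The two workarounds in this thread are really one procedure: keep every `aaa authorization commands` / `config-commands` line out of the day-0 template the PnP agent pushes (that is the session that fails with PERMISSION_DENIED), then re-apply those lines from a self-removing EEM applet once provisioning has finished. The script below automates that split for an arbitrary template. It is an added example for this thread, not APIC-EM or Cisco code; the template string is constructed from the AAA commands quoted above, and the applet name POST_PNP, the session username sdn2 and the 30 second countdown mirror the posted EEM workaround and are assumptions about your environment.

```python
"""Keep command authorization out of the PnP day-0 template and re-apply it
from an EEM applet after provisioning.

Added example for this thread, not Cisco/APIC-EM code.  TEMPLATE is
constructed from the AAA lines quoted in the thread; the applet name,
username and delay are assumptions.
"""
import re
from typing import List, Tuple

# The PnP agent's own CLI session is what fails command authorization
# (PERMISSION_DENIED:authorization failed), so every per-level
# "aaa authorization commands <level> ..." line and
# "aaa authorization config-commands" is deferred.  Authentication, exec
# authorization and accounting stay in the day-0 template.
DEFERRED = re.compile(r"^\s*aaa authorization (?:commands\s+\d+\s|config-commands)")

# Constructed sample: the AAA block from the template quoted above.
TEMPLATE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting update periodic 1
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
no aaa accounting system guarantee-first
"""


def split_pnp_template(template: str) -> Tuple[str, List[str]]:
    """Return (day-0 config safe for the PnP agent, deferred authorization lines)."""
    keep: List[str] = []
    deferred: List[str] = []
    for line in template.splitlines():
        if DEFERRED.match(line):
            deferred.append(line.strip())
        else:
            keep.append(line)
    return "\n".join(keep) + "\n", deferred


def build_eem_applet(deferred: List[str], applet: str = "POST_PNP",
                     username: str = "sdn2", delay: int = 30) -> str:
    """Emit a self-removing EEM applet that applies `deferred` after `delay` seconds.

    `username` must be an account that passes command authorization once it is
    switched on (a privilege-15 TACACS account in the thread's environment).
    """
    if not deferred:
        return ""
    for cmd in deferred:
        # A double quote would terminate the EEM action string early.
        if '"' in cmd:
            raise ValueError(f"cannot embed a double quote in an EEM cli action: {cmd!r}")
    lines = [
        f"event manager session cli username {username} privilege 15",
        f"event manager applet {applet}",
        f" event timer countdown time {delay}",
        ' action 1.0 cli command "enable"',
        ' action 1.1 cli command "configure terminal"',
    ]
    # EEM runs actions in alphanumeric label order, so zero-pad the index;
    # otherwise label "2.10" would run before "2.2".
    for i, cmd in enumerate(deferred, start=1):
        lines.append(f' action 2.{i:02d} cli command "{cmd}"')
    lines += [
        # Remove the applet before saving so it never reaches startup-config.
        f' action 3.0 cli command "no event manager applet {applet}"',
        ' action 3.1 cli command "end"',
        ' action 3.2 cli command "write memory"',
    ]
    return "\n".join(lines) + "\n"


def build_day0_config(template: str, **applet_kwargs) -> str:
    """Sanitised template followed by the applet that completes it."""
    sanitized, deferred = split_pnp_template(template)
    return sanitized + build_eem_applet(deferred, **applet_kwargs)


if __name__ == "__main__":
    print(build_day0_config(TEMPLATE))
```

The generated applet deliberately carries no debug actions; add them only on a lab switch. Check the result on one device before rolling it into a 500-device job: after the countdown, `show event manager policy registered` should no longer list the applet, and `show running-config | include aaa authorization commands` should show the deferred lines.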