Encountering an issue where line vty configuration is not correctly being pushed to the switch. The template contains the following:
!
line con 0
login authentication NO-TACACS
logging synchronous
!
line vty 0
login authentication NO-TACACS
logging synchronous
!
line vty 1 15
session-timeout 150
authorization commands 15 DMZ-TACACS-SERVERS
authorization exec DMZ-TACACS-SERVERS
logging synchronous
login authentication DMZ-TACACS-SERVERS
transport input ssh
!
...the generated configuration listed against the switch shows the identical configuration. However after the config is deployed, the switch running config shows:
!
line con 0
login authentication NO-TACACS
logging synchronous
!
line vty 0
login authentication NO-TACACS
logging synchronous
!
line vty 1 4
session-timeout 150
logging synchronous
transport input ssh
!
line vty 5 15
session-timeout 150
logging synchronous
transport input ssh
!
...missing crucial AAA methods! The deployment ends in an 'error' state with the following message:
Received response from pnp agent for message correlatorId: CiscoPnP-1.0-15-324-EBF7F68-13 but with error code : ZTD_CMD_ERROR Response String: PERMISSION_DENIED:authorization failed
This could be because APIC-EM can not log into the switch with the AAA TACACS credentials used as part of the build process.
'line vty 0' is given a different configuration; as could be verified from 'sh users', it is used by the PnP process, so the TACACS AAA methods are not applied.
Is there any log file buried within APIC-EM which would show why only some of the config is being applied?
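One way to catch this kind of silent drop before the device goes into service is to compare the intended template against the running config section by section, rather than eyeballing the two. The script below is an added example, not code from the post or from APIC-EM; the two config strings are constructed from the template and running config quoted above. It expands 'line vty 1 15' into the individual terminal lines so that the template's single block is compared fairly against the 'line vty 1 4' and 'line vty 5 15' blocks the switch actually holds, and it can restrict the report to the AAA commands (login authentication and authorization) that went missing here.

```python
"""Added example: report template line-section commands absent from a running config."""
import re

# Constructed from the post: the template pushed by PnP (sub-commands unindented as pasted).
TEMPLATE = """\
!
line con 0
login authentication NO-TACACS
logging synchronous
!
line vty 0
login authentication NO-TACACS
logging synchronous
!
line vty 1 15
session-timeout 150
authorization commands 15 DMZ-TACACS-SERVERS
authorization exec DMZ-TACACS-SERVERS
logging synchronous
login authentication DMZ-TACACS-SERVERS
transport input ssh
!
"""

# Constructed from the post: what the switch held after deployment.
RUNNING = """\
!
line con 0
login authentication NO-TACACS
logging synchronous
!
line vty 0
login authentication NO-TACACS
logging synchronous
!
line vty 1 4
session-timeout 150
logging synchronous
transport input ssh
!
line vty 5 15
session-timeout 150
logging synchronous
transport input ssh
!
"""

LINE_HEADER = re.compile(r"^line (con|aux|vty) (\d+)(?: (\d+))?$")
AAA_PREFIXES = ("login authentication ", "authorization ")


def parse_line_sections(config):
    """Map (kind, number) -> set of commands, expanding 'line vty A B' ranges.

    Sections end at a '!' separator or the next 'line' header; leading
    whitespace is stripped, so indented 'show running-config' output parses too.
    """
    sections = {}
    current = []
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            current = []
            continue
        header = LINE_HEADER.match(text)
        if header:
            kind, first = header.group(1), int(header.group(2))
            last = int(header.group(3)) if header.group(3) is not None else first
            current = [(kind, n) for n in range(first, last + 1)]
            for key in current:
                sections.setdefault(key, set())
            continue
        for key in current:
            sections[key].add(text)
    return sections


def missing_commands(template, running, only_aaa=False):
    """Return {command: [(kind, n), ...]} for template commands absent on the device."""
    wanted = parse_line_sections(template)
    actual = parse_line_sections(running)
    gaps = {}
    for key, cmds in wanted.items():
        for cmd in cmds:
            if only_aaa and not cmd.startswith(AAA_PREFIXES):
                continue
            if cmd not in actual.get(key, set()):
                gaps.setdefault(cmd, []).append(key)
    return {cmd: sorted(keys) for cmd, keys in gaps.items()}


def compress_ranges(keys):
    """Collapse sorted (kind, n) keys into labels such as 'vty 1-15'."""
    runs = []
    for kind, n in keys:
        if runs and runs[-1][0] == kind and runs[-1][2] + 1 == n:
            runs[-1][2] = n
        else:
            runs.append([kind, n, n])
    return [f"{k} {a}" if a == b else f"{k} {a}-{b}" for k, a, b in runs]


if __name__ == "__main__":
    for cmd, keys in missing_commands(TEMPLATE, RUNNING, only_aaa=True).items():
        print(f"missing on {', '.join(compress_ranges(keys))}: {cmd}")
```

Run against the two configs from the post, the script reports each of the three TACACS commands as missing on vty 1-15 and nothing else, which is exactly the gap that left those lines without the intended authorization. The same comparison can be run after every PnP deployment by feeding it the template and the output of 'show running-config'.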
This is an issue with the way the pnp agent on the device handles the "aaa authorization" commands.
There is a solution with IOS 16.3 code, however, there is also a workaround I published using an EEM script in a blog post.
Network Automation with Plug and Play (PnP) – Part 7
In your case, you should add the VTY aaa commands to the EEM script too.
From release notes:
AAA device credential support. The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release IOS 15.6(3)M1, IOS XE 16.3.2, or IOS XE 16.4 or later on the device.