Cisco Bug: CSCuw52315 - Incorrect vty lines authorization config on CPE

Last Modified

Oct 24, 2015

Products (1)

  • Cisco Application Deployment Engine

Known Affected Releases

3.32B(2)

Description (partial)

Symptom:
pnp-server/NCS pushes the following day0 PnP CLI config for AAA authentication and authorization to the CPE:
aaa authentication login CONSOLE local
aaa authentication login VTY local
aaa authorization exec CONSOLE local
aaa authorization exec VTY none
line con 0
 exec-timeout 30 0
 authorization exec CONSOLE
 login authentication CONSOLE
line vty 0 15
 exec-timeout 30 0
 authorization exec VTY
 login authentication VTY

After the pnp-server completes the day0 config push, which the IOS PnP agent applies correctly to the CPE running-config, NCS connects to the CPE over SSH to push the day1 and day2 configuration. The CPE is ready for use after this, and NCS does not make any more configuration changes to the CPE (either via SSH or PnP).

With only PnP 4-way handshakes running on the CPE, after some time (ranging from a few minutes to a few hours) the vty lines in the CPE running-config change to the following:
line vty 0 4
 authorization exec CONSOLE
 login authentication CONSOLE
line vty 5 15
 authorization exec CONSOLE
 login authentication CONSOLE

The incorrect vty lines config does not cause an operational issue on the CPE, but when the CPE is off-boarded or the service chain is de-provisioned, the 'authorization exec CONSOLE' config causes an authorization failure on the CPE when the pnp-server sends the config-upgrade PnP request to copy the day -1 config to flash and reboot the CPE.

The vty lines config change on the CPE is caused by CSCuw56833.

NCS needs to implement a workaround for CSCuw56833: instead of using separate console and vty lists, the two authentication lists should be merged into one and the two authorization lists should be merged into one:
aaa authentication login VTYCON local
aaa authorization exec VTYCON none 
line con 0
 exec-timeout 30 0
 authorization exec VTYCON
 login authentication VTYCON
line vty 0 4
 exec-timeout 30 0
 authorization exec VTYCON
 login authentication VTYCON
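
The drift described in the symptom section and the merged-list workaround above can both be checked mechanically against a CPE's running-config. The following script is an added example written for this page, not Cisco's or NCS's code: it parses the `aaa ... login/exec` list definitions and the `line` blocks out of a saved running-config and reports any vty block whose `authorization exec` list is not the one the day0 push assigned. The two config samples are constructed from the text of this bug report; the function names and the expected-list parameter are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the drifted running-config quoted in the symptom section.
DRIFTED_CONFIG = """\
aaa authentication login CONSOLE local
aaa authentication login VTY local
aaa authorization exec CONSOLE local
aaa authorization exec VTY none
line con 0
 exec-timeout 30 0
 authorization exec CONSOLE
 login authentication CONSOLE
line vty 0 4
 authorization exec CONSOLE
 login authentication CONSOLE
line vty 5 15
 authorization exec CONSOLE
 login authentication CONSOLE
"""

# Constructed sample: the merged-list workaround config quoted above.
WORKAROUND_CONFIG = """\
aaa authentication login VTYCON local
aaa authorization exec VTYCON none
line con 0
 exec-timeout 30 0
 authorization exec VTYCON
 login authentication VTYCON
line vty 0 4
 exec-timeout 30 0
 authorization exec VTYCON
 login authentication VTYCON
"""

AAA_RE = re.compile(r"aaa (authentication login|authorization exec) (\S+) (.+)$")


def parse_aaa_lists(config: str) -> Dict[str, Dict[str, str]]:
    """Map each named AAA list to its method string.

    Returns {"authentication": {name: method}, "authorization": {name: method}}.
    """
    lists: Dict[str, Dict[str, str]] = {"authentication": {}, "authorization": {}}
    for raw in config.splitlines():
        m = AAA_RE.match(raw.strip())
        if m:
            kind = m.group(1).split()[0]          # "authentication" or "authorization"
            lists[kind][m.group(2)] = m.group(3).strip()
    return lists


def parse_line_sections(config: str) -> List[dict]:
    """Collect every 'line ...' block with the list names it references.

    IOS indents sub-commands with one space; a non-indented line ends the block.
    """
    sections: List[dict] = []
    current: Optional[dict] = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = {"name": raw[5:].strip(), "authorization": None, "login": None}
            sections.append(current)
        elif raw.startswith(" ") and current is not None:
            cmd = raw.strip()
            if cmd.startswith("authorization exec "):
                current["authorization"] = cmd.split()[2]
            elif cmd.startswith("login authentication "):
                current["login"] = cmd.split()[2]
        else:
            current = None                        # left the line block
    return sections


def check_vty_authorization(config: str, expected_list: str) -> List[str]:
    """Report vty blocks whose exec-authorization list differs from expected_list.

    Each finding names the block, the list it actually references and that
    list's configured method, so the operator can see e.g. that the drifted
    CONSOLE list resolves to 'local' rather than the intended 'none'.
    """
    aaa = parse_aaa_lists(config)
    findings: List[str] = []
    for sec in parse_line_sections(config):
        if not sec["name"].startswith("vty"):
            continue
        lst = sec["authorization"]
        if lst is None:
            findings.append(f"line {sec['name']}: no 'authorization exec' list configured")
        elif lst != expected_list:
            method = aaa["authorization"].get(lst, "<undefined>")
            findings.append(
                f"line {sec['name']}: authorization list {lst} (method {method}), "
                f"expected {expected_list}"
            )
    return findings


if __name__ == "__main__":
    for label, cfg, expected in (("drifted", DRIFTED_CONFIG, "VTY"),
                                 ("workaround", WORKAROUND_CONFIG, "VTYCON")):
        print(f"{label}: {check_vty_authorization(cfg, expected) or 'OK'}")
```

Run against a `show running-config` capture instead of the embedded samples to audit a fleet of CPEs before off-boarding them; the drifted sample yields one finding per vty block, while the merged-list workaround yields none because every line references the single VTYCON list.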

Conditions:
VTY lines configuration.