Cisco Bug: CSCuw52315 - Incorrect vty lines authorization config on CPE
Oct 24, 2015
- Cisco Application Deployment Engine
Symptom: pnp-server/NCS pushes the following day0 PnP cli-config for AAA authentication and authorization to the CPE:

    aaa authentication login CONSOLE local
    aaa authentication login VTY local
    aaa authorization exec CONSOLE local
    aaa authorization exec VTY none
    line con 0
     exec-timeout 30 0
     authorization exec CONSOLE
     login authentication CONSOLE
    line vty 0 15
     exec-timeout 30 0
     authorization exec VTY
     login authentication VTY

After pnp-server completes the day0 config push, which the IOS PnP agent applies to the CPE running-config correctly, NCS logs into the CPE over ssh to push the day1 and day2 configuration. The CPE is ready for use after this, and NCS makes no further configuration changes to the CPE (either via ssh or PnP). With only PnP 4-way handshakes running on the CPE, after some time, ranging from a few minutes to a few hours, the running-config of the CPE vty lines changes to the following:

    line vty 0 4
     authorization exec CONSOLE
     login authentication CONSOLE
    line vty 5 15
     authorization exec CONSOLE
     login authentication CONSOLE

The incorrect vty lines config does not cause an operational issue on the CPE, but when the CPE is offboarded or the service chain is de-provisioned, the 'authorization exec CONSOLE' config causes an authorization failure on the CPE when the pnp-server sends the config-upgrade PnP request telling the CPE to copy the day -1 config to flash and reboot.

The vty lines config change on the CPE is caused by CSCuw56833. NCS needs to implement a workaround for CSCuw56833: instead of using two authentication lists and two authorization lists, merge them into a single authentication list and a single authorization list:

    aaa authentication login VTYCON local
    aaa authorization exec VTYCON none
    line con 0
     exec-timeout 30 0
     authorization exec VTYCON
     login authentication VTYCON
    line vty 0 4
     exec-timeout 30 0
     authorization exec VTYCON
     login authentication VTYCON

Conditions: VTY lines configuration.
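The drift described above is easy to detect from a copy of the running-config. The following audit script is an added example, not Cisco or NCS code: it parses the `line` stanzas of an IOS running-config and flags any vty line whose `authorization exec` or `login authentication` list is not the one day0 pushed. The sample config is constructed from the drifted vty config shown in the symptom; `expected_exec`/`expected_login` are the list names the operator expects (VTY for the original push, VTYCON after the merged-list workaround).

```python
import re

# Constructed sample (not a capture from a real CPE): the vty lines have drifted to
# the CONSOLE lists while the aaa lists from the day0 push are still present.
DRIFTED_CONFIG = """\
aaa authentication login CONSOLE local
aaa authentication login VTY local
aaa authorization exec CONSOLE local
aaa authorization exec VTY none
line con 0
 exec-timeout 30 0
 authorization exec CONSOLE
 login authentication CONSOLE
line vty 0 4
 authorization exec CONSOLE
 login authentication CONSOLE
line vty 5 15
 authorization exec CONSOLE
 login authentication CONSOLE
"""

def parse_line_stanzas(config: str) -> dict:
    """Map each 'line ...' stanza to the AAA method lists it references."""
    stanzas: dict = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()          # e.g. "vty 0 4"
            stanzas[current] = {}
        elif raw.startswith(" ") and current is not None:
            m = re.match(r"\s+(authorization exec|login authentication)\s+(\S+)", raw)
            if m:
                stanzas[current][m.group(1)] = m.group(2)
        else:
            current = None                     # unindented text ends the stanza
    return stanzas

def audit_vty_lists(config: str, expected_exec: str, expected_login: str) -> list:
    """Return one finding per vty line whose method lists differ from the expected ones."""
    findings = []
    for name, attrs in parse_line_stanzas(config).items():
        if not name.startswith("vty"):
            continue                           # console line keeps its own lists
        exec_list = attrs.get("authorization exec")
        login_list = attrs.get("login authentication")
        if exec_list != expected_exec:
            findings.append(f"line {name}: authorization exec {exec_list} (expected {expected_exec})")
        if login_list != expected_login:
            findings.append(f"line {name}: login authentication {login_list} (expected {expected_login})")
    return findings
```

Run the audit periodically against `show running-config` output from each CPE; a non-empty result means the vty lines have drifted and the config-upgrade request would hit the authorization failure described above.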