ICX7150 "Zero-Touch" Config via TFTP (DHCP Option 66) cannot log into switch after auto-provisioning

ruckgscz
New Contributor II

Hello,

I am building out a "zero-touch" template for ICX. Switches will follow DHCP Option 66 to a TFTP server, grab a config according to MAC address, and get set up. HOWEVER, in testing, I cannot log into auto-provisioned switches, even when supplying a username and pass in the config.

Example, ICX7150-C12-SwitchA.B.C.cfg (on TFTP server):

hostname ICX-XYZ
username super privilege 0 create-password MYFAVORITEPASS
username super2 privilege 0 create-password MYFAVORITEPASS

7150 is factory reset.
It grabs above config.
I can see from LLDP that switch took config and updated its hostname.
I can SSH to device, HOWEVER I cannot login as super or super2 (even with default pass sp-admin).

The same occurs if I omit the username lines. That is, auto-provision config on TFTP is only:

hostname ICX-XYZ

This also prevents login using the default sp-admin password.

What is the correct procedure to set users and passwords via TFTP auto-provisioning (Option 66/150)?
I may be missing a piece of documentation, and if so, I would appreciate a pointer to get myself up to speed.

Test device:
ICX7150-C12
FastIron 8.0.95kT211

1 ACCEPTED SOLUTION

ruckgscz
New Contributor II

Hi Chandini thanks for the response,

You are correct about bad default config. I made the assumption that TFTP auto-provision behaves the same as the copy command (copy tftp running-config ...). It is not the same. TFTP auto-provision applies different AAA defaults.

With auto-provision it is necessary to apply an AAA rule like
    aaa authentication login default local
    (or a radius/tacacs AAA rule)
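
An added example, not part of the original posts or of RUCKUS documentation: a pre-publish lint for auto-provisioning templates, built on the finding above that the template has to carry its own "aaa authentication login default" line. The function name, the sample configs and the two method-list heuristics are assumptions of this example.

```python
import re
import sys

# Constructed samples; BAD_CFG mirrors the failing template from the thread,
# with a placeholder instead of a real password.
BAD_CFG = (
    "hostname ICX-XYZ\n"
    "username super privilege 0 create-password EXAMPLE-PLACEHOLDER\n"
)
GOOD_CFG = BAD_CFG + "aaa authentication login default local\n"

AAA_LOGIN = re.compile(r"^aaa\s+authentication\s+login\s+default\s+(.+)$")
USERNAME = re.compile(r"^username\s+(\S+)\s")


def lint_provisioning_config(text):
    """Return a list of findings for one auto-provisioning template."""
    methods, users = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # skip blanks and comments
            continue
        aaa = AAA_LOGIN.match(line)
        if aaa:
            methods = aaa.group(1).split()
        user = USERNAME.match(line)
        if user:
            users.append(user.group(1))
    findings = []
    if methods is None:
        # The condition the thread identified as the cause of the lockout.
        findings.append("no 'aaa authentication login default' line")
    elif users and "local" not in methods:
        # Heuristic (assumption): usernames exist but are never consulted.
        findings.append("usernames defined but 'local' not in login methods")
    elif not users and methods == ["local"]:
        # Heuristic (assumption): local-only login with nobody to log in as.
        findings.append("login method is 'local' but no usernames defined")
    return findings


if __name__ == "__main__":
    # Usage: python lint_icx.py /tftpboot/*.cfg  (paths are hypothetical)
    failed = False
    for path in sys.argv[1:]:
        with open(path) as fh:
            for finding in lint_provisioning_config(fh.read()):
                failed = True
                print(f"{path}: {finding}")
    sys.exit(1 if failed else 0)
```

Run it over the TFTP root before a template goes live; a non-zero exit means at least one file would provision a switch without a usable login method.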


2 REPLIES 2

Chandini
RUCKUS Team Member

Hi Ruckgscz,

Thanks for reaching out to us.

  • When you are testing the above scenario, if you access the switch using the console and stay logged in while you trigger the change through TFTP, and then do a "show run", are you able to view the configuration?

When you test the above scenario with user "super" and password "sp-admin", and it is not taking the default password, I suppose the changes you are making are getting applied, but the only way to check that would be to stay connected to the switch using the console and see. We would also be able to check whether those commands are being pushed, or whether there is an issue with only certain commands being pushed when TFTP is used.

  • Could you please let me know if you are from Lennar Homes?

Thanks
