Catalyst 9300 Meraki onboarding - Authorization issue

sellington
New here


I am looking to onboard a Catalyst 9300 into our Meraki dashboard to check out the monitoring mode. Running through the onboarding application presents no errors and onboards "successfully", however in the dashboard we are only seeing basic reachability and no telemetry or even port status. 

Watching the terminal of the 9300 we are seeing an authorization error in regards to the Meraki-user and the use of Netconf (%DMI-5-AUTHORIZATION_FAILED: Switch 1 R0/0: dmiauthd: User 'meraki-user' from [Meraki IP] was not authorized for netconf over ssh.).

Can anyone provide insight into whether or not this is responsible for my lack of data and what steps I may take to correct this or point me in the right direction?

Any help is greatly appreciated.

Thanks,


Brash
Kind of a big deal

That would be your issue. The Meraki dashboard logs into the device via Netconf (over SSH) to pull data.


What does your running config look like?

Did you have existing config on the switch before integrating it with the dashboard?

What privilege is the Meraki user account configured for on the switch?

Do you have ACLs set up for SSH?

DarrenOC
Kind of a big deal

Hi @sellington 


Are you following the guidance on how to onboard from here:


https://documentation.meraki.com/Cloud_Monitoring_for_Catalyst/Onboarding/Cloud_Monitoring_for_Catal...

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
HeinDeLange
Conversationalist

You've probably solved this by now, but this is for anyone else who, like me, didn't read the fine print and wasted some time:


Radius authentication from a switch is not a currently supported feature.

ch303
New here

I recently had issues getting my Cat9300 onboarded to Meraki. I was getting the error "Cloud is not able to login to device". It ended up being an issue with my AAA config.


I had the following AAA config so that when I SSH to my VTY lines it would use my TACACS servers first, and then fall back to local if they were unavailable:

aaa authentication login default group TACACS_GROUP local
aaa authorization exec default local group TACACS_GROUP local

But Meraki doesn't seem to like that. I tried a ton of things and came up with Meraki requiring those "default" auth-n & auth-z policies to be local only:

aaa authentication login default local
aaa authorization exec default local

So how I solved this was to create a separate policy just for SSH (tied to my vty lines) so that I can still enforce using my TACACS servers when connecting remotely into the switch, but still have those "default" policies as local:

aaa authentication login default local
aaa authorization exec default local
aaa authentication login SSH group TACACS_GROUP local
aaa authorization exec SSH group TACACS_GROUP local

line vty 0 31
 authorization exec SSH
 login authentication SSH

Once I made those changes I was able to successfully onboard my switch to Meraki Dashboard for Monitoring.