Transitioning to Cloud Native IOS XE Cloud Management with On Device Configuration

bradly
Conversationalist

Hi everyone, 

We are still in the testing phase of upgrading to 17.15.04 and transitioning to Cloud Management with On Device configuration. 

We did our first test yesterday, and I just have some questions. 

1. Onboarding the Catalyst Switch in Meraki Cloud Management - Privilege 15 Account Required

Can this account be a TACACS account? Or does it have to be a local user account? 

2. Once fully onboarded, can the local account used for onboarding into Meraki Cloud Management be deleted, or have its username or password changed? Does the Meraki cloud continue to use the onboarding account for further monitoring and management of the switch? 

Thank you, 

Brad 

10 Replies
alemabrahao
Kind of a big deal

Here are all the details that you have to know.

https://documentation.meraki.com/Cloud_Monitoring_for_Catalyst/Onboarding/Cloud_Monitoring_for_Catal...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
bradly
Conversationalist

> @alemabrahao wrote:
>
> Here are all the details that you have to know.
>
> https://documentation.meraki.com/Cloud_Monitoring_for_Catalyst/Onboarding/Cloud_Monitoring_for_Catal...

I think you sent me the wrong link. That is for legacy cloud monitoring; I am referring to Enable Cloud Management for Catalyst Switches with Device Configuration - Cisco Meraki Documentation

And yes, I have gone through the Enable Cloud Management for Catalyst document, and it mentions that "aaa authentication login default local and aaa authorization exec default local must be configured". But it doesn't specify if the onboarding account needs to be a local or TACACS account, or if the account used for onboarding needs to stay around permanently or can be changed or removed. 

alemabrahao
Kind of a big deal

Take a look at this.

https://documentation.meraki.com/MS/Cloud_Management_with_IOS_XE/Hybrid_Operating_Mode_Switches_Conf...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
bradly
Conversationalist

Hi, 

Yep, so I have seen that as well, and gone through it in detail; this is what I assume: 

1. You should be able to use a TACACS account for onboarding. 

2. If you do use a local account for onboarding, it can be changed or removed, as Meraki sets up its own local accounts for continued access, monitoring, and management. 

But I cannot find anything specific stating that, and I want to confirm before proceeding with a wider rollout, as it will determine how much preparation we need to do before rolling it out. 

alemabrahao
Kind of a big deal

Excuse my ignorance, but what difference does it make whether you use a local account or a TACACS account?

This account is only used for onboarding, so in my opinion, it makes no difference.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
bradly
Conversationalist

Hey, 

Not being ignorant at all; I am just as confused as you are, which is why I am asking here lol. It should make no difference; I agree with you. 

But during testing, the Meraki Dashboard complained that the TACACS credentials I provided didn't work, until I provided local credentials to complete the onboarding. 

And as I am typing out this response, I think I just realised something else that may have actually broken it. So excuse me, I am going to pop away and do some more testing. 

alemabrahao
Kind of a big deal

I don't think you understood me. I wasn't calling you ignorant, I was calling myself ignorant. 

😅

But I believe the documentation implies that it must be a local user.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

I'm saying this because I'm taking into account that the TACACS servers aren't being defined in the example configuration.

However, if you'd like, you can share your configuration so I can check if anything is missing in your TACACS configuration.

😄

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
GIdenJoe
Kind of a big deal

I think you have to look at how your method lists are set up.
If you primarily look at the TACACS server for your aaa authentication login ... and aaa authorization exec ... method lists, then you won't be able to use the Meraki device config method.
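As an added example (not from any post in this thread, and not Cisco or Meraki documentation): the IOS XE AAA fragment below contrasts the default method lists that the Meraki document quoted earlier in this thread requires ("aaa authentication login default local" and "aaa authorization exec default local") with a TACACS-first default list of the kind GIdenJoe describes. The TACACS server name, group name, address, key, username and the named-list variant applied to the VTY lines are all assumptions; the thread does not settle whether Meraki's on-device onboarding path is subject to the VTY line list rather than the default list, so that last part is something to confirm in a lab before a wider rollout.

```cisco
! --- Assumed TACACS definitions (constructed placeholders, not from the thread) ---
aaa new-model
tacacs server TAC-SRV-1
 address ipv4 192.0.2.10
 key <TACACS-KEY-PLACEHOLDER>
aaa group server tacacs+ TAC-GROUP
 server name TAC-SRV-1
!
! Local privilege-15 account the thread says onboarding requires (placeholder secret)
username meraki-onboard privilege 15 secret <LOCAL-SECRET-PLACEHOLDER>
!
! --- Variant A: TACACS consulted first on the DEFAULT lists ---
! Per GIdenJoe's point above, this is the shape that prevents the
! Meraki device-configuration onboarding method from working.
aaa authentication login default group TAC-GROUP local
aaa authorization exec default group TAC-GROUP local
!
! --- Variant B: DEFAULT lists set exactly as the Meraki document requires ---
aaa authentication login default local
aaa authorization exec default local
!
! --- Assumption: keep TACACS for administrator SSH sessions by applying a
! NAMED method list to the VTY lines instead of changing the default lists.
! Whether the Meraki onboarding session is also subject to the VTY list,
! and therefore hits TACACS first, is not established by this thread.
aaa authentication login ADMIN-TACACS group TAC-GROUP local
aaa authorization exec ADMIN-TACACS group TAC-GROUP local
line vty 0 15
 login authentication ADMIN-TACACS
 authorization exec ADMIN-TACACS
!
! Useful checks while testing (standard IOS XE show commands):
!   show aaa method-lists all
!   show running-config | section aaa
```

The practical takeaway for the original question is to compare the output of show aaa method-lists all on the switch that failed TACACS-based onboarding with the two default lines the document requires; if the default lists match Variant A, that alone explains the Dashboard rejecting the TACACS credentials, independent of the account itself.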

PhilipDAth
Kind of a big deal

>Can this account be a TACACS account?

No. It must be a local account.

> can the local account used for onboarding into Meraki Cloud Management be deleted

I believe a new local account is created that uses an SSH key. Not sure.
