Meraki

Community

Transitioning to Cloud Native IOS XE Cloud Management with On Device Configuration

bradly
Conversationalist
Thursday
Thursday

Transitioning to Cloud Native IOS XE Cloud Management with On Device Configuration

Hi everyone, 

 

We are still in the testing phase of upgrading to 17.15.04 and transitioning to Cloud Management with On Device configuration. 

 

We did our first test yesterday, and I just have some questions. 

 

1. Onboarding the Catalyst Switch in Meraki Cloud Management - Privilege 15 Account Required

Can this account be a TACACS account? Or does it have to be a local user account? 

 

2. Once fully onboarded, can the local account used for onboarding into Meraki Cloud Management be deleted, or have its username or password changed? Does the Meraki cloud continue to use the onboarding account for further monitoring and management of the switch? 

 

Thank you, 

Brad 

Labels:
0 Kudos
10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal
Thursday
Thursday

Here is all the details that you have to know.

 

 

https://documentation.meraki.com/Cloud_Monitoring_for_Catalyst/Onboarding/Cloud_Monitoring_for_Catal...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
bradly
Conversationalist
Thursday
Thursday

@alemabrahao wrote:

Here is all the details that you have to know.

 

 

https://documentation.meraki.com/Cloud_Monitoring_for_Catalyst/Onboarding/Cloud_Monitoring_for_Catal...

I think you sent me the wrong link. That is for legacy cloud monitoring; I am referring to Enable Cloud Management for Catalyst Switches with Device Configuration - Cisco Meraki Documentation

 

And yes, I have gone through Enable Cloud Management for Catalyst document, and it mentions that "aaa authentication login default local and aaa authorization exec default local must be configured". But doesn't specify if the onboarding account needs to be a local or TACACS account, or if the account used for onboarding needs to stay around permanently or can be changed or removed. 

 

 

 

0 Kudos
In response to bradly
alemabrahao
Kind of a big deal
Kind of a big deal
Thursday
Thursday

Take a look at this.

 

https://documentation.meraki.com/MS/Cloud_Management_with_IOS_XE/Hybrid_Operating_Mode_Switches_Conf...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
bradly
Conversationalist
Thursday
Thursday

Hi, 

 

Yep, so I have seen that as well, and gone through it in detail; this is what I assume: 

 

1. You should be able to use a TACACS account for onboarding. 

 

2. If you do use a local account for onboarding, it can be changed or removed - As Meraki sets up its own local accounts for continued access, monitoring, and management. 

 

But I cannot find anything specific stating that, and I want to confirm before proceeding with a wider rollout. As it will determine how much preparation we need to do before rolling it out. 

0 Kudos
In response to bradly
alemabrahao
Kind of a big deal
Kind of a big deal
Thursday
Thursday

Excuse my ignorance, but what difference does it make whether you use a local account or a TACACS account?

 

This account is only used for onboarding, so in my opinion, it makes no difference.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
bradly
Conversationalist
Thursday
Thursday

Hey, 

 

Not being ignorant at all - I am just as confused as you are, which is why I am asking here lol. It should make no difference; I agree with you. 

 

But during testing, the Meraki Dashboard complained that the TACACS credentials I provided didn't work. Until I provided local credentials to complete the onboarding. 

 

And as I am typing out this response, I think I just realised something else that may have actually broken it. So excuse me, I am going to pop away and do some more testing. 

0 Kudos
In response to bradly
alemabrahao
Kind of a big deal
Kind of a big deal
Friday
Friday

I don't think you understood me. I wasn't calling you ignorant, I was calling myself ignorant. 

😅

But I believe the documentation implies that it must be a local user.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to bradly
alemabrahao
Kind of a big deal
Kind of a big deal
Friday
Friday

I'm saying this because I'm taking into account that the TACACS servers aren't being defined in the example configuration.

However, if you'd like, you can share your configuration so I can check if anything is missing in your TACACS configuration.

😄

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
GIdenJoe
Kind of a big deal
Kind of a big deal
Friday
Friday

I think you have to look how your method lists are setup.
If you primarily look at tacacs server for your aaa authentication login... and aaa authorization exec... then you won't be able to use the Meraki device config method.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
Sunday
Sunday

>Can this account be a TACACS account?

 

No.  It must be a local account.

 

> can the local account used for onboarding into Meraki Cloud Management be deleted

 

I believe a new local account is created that uses an SSH key.  Not sure.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.