---

@alemabrahao wrote:

Here is all the details that you have to know.

 

 

https://documentation.meraki.com/Cloud_Monitoring_for_Catalyst/Onboarding/Cloud_Monitoring_for_Catal...

---

I think you sent me the wrong link. That is for legacy cloud monitoring; I am referring to Enable Cloud Management for Catalyst Switches with Device Configuration - Cisco Meraki Documentation

And yes, I have gone through Enable Cloud Management for Catalyst document, and it mentions that "aaa authentication login default local and aaa authorization exec default local must be configured". But doesn't specify if the onboarding account needs to be a local or TACACS account, or if the account used for onboarding needs to stay around permanently or can be changed or removed. 

Take a look at this.

https://documentation.meraki.com/MS/Cloud_Management_with_IOS_XE/Hybrid_Operating_Mode_Switches_Conf...

Hi, 

Yep, so I have seen that as well, and gone through it in detail; this is what I assume: 

1. You should be able to use a TACACS account for onboarding. 

2. If you do use a local account for onboarding, it can be changed or removed - As Meraki sets up its own local accounts for continued access, monitoring, and management. 

But I cannot find anything specific stating that, and I want to confirm before proceeding with a wider rollout. As it will determine how much preparation we need to do before rolling it out. 

Excuse my ignorance, but what difference does it make whether you use a local account or a TACACS account?

This account is only used for onboarding, so in my opinion, it makes no difference.

Hey, 

Not being ignorant at all - I am just as confused as you are, which is why I am asking here lol. It should make no difference; I agree with you. 

But during testing, the Meraki Dashboard complained that the TACACS credentials I provided didn't work. Until I provided local credentials to complete the onboarding. 

And as I am typing out this response, I think I just realised something else that may have actually broken it. So excuse me, I am going to pop away and do some more testing. 

I don't think you understood me. I wasn't calling you ignorant, I was calling myself ignorant. 

😅

But I believe the documentation implies that it must be a local user.

I'm saying this because I'm taking into account that the TACACS servers aren't being defined in the example configuration.

However, if you'd like, you can share your configuration so I can check if anything is missing in your TACACS configuration.

😄

Hey Jeroen, 

Just double checking - Is this when onboarding switches into the new Meraki Cloud Managed mode? If so, would you mind sharing your aaa configuration? Would love to see how they are setup. 

aaa new-model
aaa group server tacacs+ GROUP_TAC
server name TAC-AUTH1
server name TAC-AUTH2
aaa authentication login default local group GROUP_TAC
aaa authentication login MERAKI local
aaa authentication enable default enable group GROUP_TAC
aaa authorization config-commands
aaa authorization exec default local group GROUP_TAC if-authenticated
aaa authorization exec MERAKI local
aaa authorization commands 15 default group GROUP_TAC if-authenticated
aaa authorization commands 15 MERAKI local
aaa accounting update periodic 3
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common