Adding a network device always requires a radius shared secret event if this is not used.

[thomaschristory]

Hello,

I am trying to migrate managing our network devices (via tacacs) via terraform.
The configuration won't work unless there is a radius shared secret configured.
(it's also necessary to carefully add the default network device groups, otherwise there will always be a change from the terraform POV).

Here is an example of the issue:

ise:
  network_resources:
    network_devices:
      - name: AAA_test_switch
        description: managed_by_terraform
        ips:
          - ip: 8.8.8.8
        network_device_groups:
          - 'All Locations#BXS'
          # default values to avoid constant fake changes from terraform POV.
          - 'DNAC#DNAC Devices'
          - 'Guest Type'
          - 'Is IPSEC Device'
          - 'Site Type'
          - 'All Device Types'
        profile_name: Cisco
        authentication_network_protocol: TACACS_PLUS
        radius: # useless but mandatory
          shared_secret: Cisco123 # useless but mandatory
        tacacs:
          connect_mode_options: ON_LEGACY
          shared_secret: Cisco123

I am not sure if this is a nac issue or an ISE api issue though. I remember adding devices via the api and python and not running into that.

[thomaschristory]

Any chance someone might be passing by on the Cisco side ?

[danischm]

Not sure I get the question. Are you saying you need to add the RADIUS shared secret to a device (even if not needed for your specific configuration) as it otherwise fails to create the device? If so, can you share the error message you get if the shared secret is removed?

[thomaschristory]

That is exactly it.
Let me run the thing tomorrow and I will paste the error message.

[danischm]

The RADIUS shared secret is neither required in our data model nor in the TF provider so this limitation is likely coming from ISE/API itself, but should be able to confirm once we have the error message.

[thomaschristory]

I did the test.

Nac config:

ise:
  network_resources:
    network_devices:
      - name: AAA_test_switch
        description: managed_by_terraform
        ips:
          - ip: 8.8.8.8
        network_device_groups:
          - 'All Locations#BXS'
          # default values to avoid constant fake changes from terraform POV.
          - 'DNAC#DNAC Devices'
          - 'Guest Type'
          - 'Is IPSEC Device'
          - 'Site Type'
          - 'All Device Types'
        profile_name: Cisco
        authentication_network_protocol: TACACS_PLUS
        # radius: # useless but mandatory
        #   shared_secret: Cisco123 # useless but mandatory
        tacacs:
          connect_mode_options: ON_LEGACY
          shared_secret: Cisco123

the terraform apply:

terraform apply
module.ise.terraform_data.validation: Refreshing state... [id=f17c26d3-0f8e-2659-3e85-205fff4133c1]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.ise.ise_network_device.network_device["AAA_test_switch"] will be created
  + resource "ise_network_device" "network_device" {
      + authentication_network_protocol = "TACACS_PLUS"
      + coa_port                        = 1700
      + description                     = "managed_by_terraform"
      + id                              = (known after apply)
      + ips                             = [
          + {
              + ipaddress = "8.8.8.8"
              + mask      = "32"
            },
        ]
      + name                            = "AAA_test_switch"
      + network_device_groups           = [
          + "DNAC#DNAC Devices",
          + "Device Type#All Device Types",
          + "Guest Type#Guest Type",
          + "IPSEC#Is IPSEC Device",
          + "Location#All Locations#BXS",
          + "Site Type#Site Type",
        ]
      + profile_name                    = "Cisco"
      + tacacs_connect_mode_options     = "ON_LEGACY"
      + tacacs_shared_secret            = "Cisco123"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.ise.ise_network_device.network_device["AAA_test_switch"]: Creating...
module.ise.ise_network_device.network_device["AAA_test_switch"]: Still creating... [10s elapsed]
module.ise.ise_network_device.network_device["AAA_test_switch"]: Still creating... [20s elapsed]
╷
│ Error: Client Error
│
│   with module.ise.ise_network_device.network_device["AAA_test_switch"],
│   on ..\..\ise.nac\ise_network_resources.tf line 147, in resource "ise_network_device" "network_device":
│  147: resource "ise_network_device" "network_device" {
│
│ Failed to configure object (POST), got error: HTTP Request failed: StatusCode 400, Message: Validation Error - Mandatory fields missing: [authenticationSettings: radiusSharedSecret  is required along with
│ networkProtocol], {
│   "ERSResponse" : {
│     "operation" : "POST-create-networkdevice",
│     "messages" : [ {
│       "title" : "Validation Error - Mandatory fields missing: [authenticationSettings: radiusSharedSecret  is required along with networkProtocol]",
│       "type" : "ERROR",
│       "code" : "Application resource validation exception"
│     } ],
│     "link" : {
│       "rel" : "related",
│       "href" : "https://cisco-ise-1.test.com/ers/config/networkdevice",
│       "type" : "application/xml"
│     }
│   }
│ }

[danischm]

This is coming directly from ISE, not much we can do about it. Not sure which version you are running and if it's fixed in a later version.

[thomaschristory]

Hello,

We're running 3.3 and 3.2, and the issue shows up in both, via the API directly or via terraform.

However, dropping the following makes it work with the module:
authentication_network_protocol: TACACS_PLUS

I can't access the bug toolkit but I guess that's probably already raised against ISE.

[thomaschristory]

As an FYI, I opened 700080624 to track this on the ISE side.

[thomaschristory]

Update, defect CSCws35013 is now open. There seems to be some misalignment between docs and actual way of working, which I believe makes the model's doc inaccurate.