
@aitestino
Contributor

@aitestino aitestino commented Oct 6, 2025

Summary

Fixes critical YANG choice constraint violation in AAA dot1x/enable authentication
configuration that caused state/reality drift and device configuration failures.

Problems Fixed

Problem 1: YANG Choice Constraint Violation

When configuring dot1x authentication with custom RADIUS/TACACS+ groups:

Module Input:

  module "iosxe" {
    source = "./terraform-iosxe-nac-iosxe"

    # ... device config ...

    dot1xs = [
      {
        name    = "wired_auth"
        methods = ["local", "sw_radius_group"]
      }
    ]
  }

Expected Device CLI:

  aaa authentication dot1x wired_auth local group sw_radius_group

Actual Device CLI (before fix):

  aaa authentication dot1x wired_auth cache false cache false cache false cache false

Terraform showed configuration applied successfully in state, but device had incorrect
authentication methods configured.

Problem 2: Array Index Logic Error

Module was incorrectly checking methods[3] when evaluating methods[1], causing
out-of-bounds errors and incorrect group name retrieval for authentication method lists.


Root Causes

  1. YANG Choice Constraint Violation

Module was violating YANG choice constraint by setting multiple mutually-exclusive options
simultaneously.

Provider Resource Arguments (before fix):

  resource "iosxe_aaa_authentication" "aaa_authentication" {
    dot1x = [
      {
        name      = "wired_auth"
        a1_local  = true
        a1_cache  = "false"              # Setting unused choice option
        a2_group  = "sw_radius_group"
        a2_cache  = "false"              # Setting unused choice option
      }
    ]
  }

From Cisco-IOS-XE-aaa.yang:

  container a2-config {
    choice dot1x-auth {      // Only ONE can be set
      leaf group { type union { type string; } }
      leaf local { type empty; }
      leaf cache { type union { type string; } }
      leaf radius { type empty; }
    }
  }

Issue: Module set unused choice options to false → Terraform coerced to string "false" →
Provider serialized ALL values → RESTCONF applied last value (cache false) and ignored the
intended value (group).

  2. Incorrect Array Indexing

BEFORE (iosxe_aaa.tf):

  a2_group = try(!contains(["local", "cache", "radius"], try(e.methods[1], ...)), false) 
             ? try(e.methods[3], ...) : null  # Checking [3] when [1] fails

AFTER (iosxe_aaa.tf):

  a2_group = !contains(["local", "radius"], try(e.methods[1].method, ...))
             ? try(e.methods[1].method, ...) : null  # Checking correct index

Verification

Device CLI (after fix):

  aaa authentication dot1x wired_auth local group sw_radius_group

Change dot1x authentication to set unused YANG choice options to null
instead of false. YANG choice containers allow only one active option
(group OR local OR cache OR radius). Setting multiple options causes
device to apply last value and ignore others.

Before:
  a2_local = try(...) == "local" ? true : false
  a2_cache = try(...) == "cache" ? true : false

After:
  a2_local = try(...) == "local" ? true : null
  a2_cache = try(...) == "cache" ? "cache" : null

When module sets a2_group = "sw_radius_group" and a2_cache = false,
Terraform coerces false to string "false". Provider serializes both
values. Device applies cache: false and ignores group setting.

With null values, provider IsNull() check skips serialization.
Only selected choice option is sent to device.

Resolves state/reality drift where Terraform state showed correct
values but device configuration was incomplete.

Modified: iosxe_aaa.tf (lines 174-192)
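The following is an added example, not code from this pull request or from the terraform-iosxe module or provider. It models Problem 1 (unused YANG choice leaves set to false instead of null) with a simplified stand-in for the provider's body builder, renders the resulting device CLI for both the pre-fix and fixed attribute mapping, and compares it with the CLI the module input intends so drift is visible. The four-slot limit (a1..a4) and the serializer's internals are assumptions; the method list and names come from the PR description.

```python
"""Added example (not from the PR or the terraform-iosxe project).

Models the YANG choice problem described in the PR: when every unused
choice leaf is set to False, Terraform coerces bools assigned to string-typed
leaves to "false", the provider serializes all of them, and the last leaf
written into the choice wins. With null (None) the leaf is skipped.
"""
from typing import Optional

# Leaves of the dot1x-auth choice, in the order quoted from Cisco-IOS-XE-aaa.yang
CHOICE_LEAVES = ("group", "local", "cache", "radius")
STRING_LEAVES = ("group", "cache")              # type union { type string; }
KEYWORD_METHODS = ("local", "cache", "radius")  # anything else names a server group
MAX_SLOTS = 4                                   # a1..a4 method slots (assumed)


def slot_attrs(method: Optional[str], fixed: bool) -> dict:
    """Map one method-list entry to the aN_* provider attributes.

    fixed=False mirrors the module before the fix: unused leaves are False.
    fixed=True mirrors the fix: unused leaves are null (None).
    """
    unused = None if fixed else False
    return {
        "local": True if method == "local" else unused,
        "radius": True if method == "radius" else unused,
        "cache": "cache" if method == "cache" else unused,
        "group": method if method and method not in KEYWORD_METHODS else unused,
    }


def serialize_choice(attrs: dict) -> dict:
    """Stand-in for provider serialization of one choice container (assumed).

    A null attribute is skipped (the IsNull() check). A bool assigned to a
    string-typed leaf is coerced to "true"/"false" as Terraform does. Since a
    choice holds a single case, each leaf written replaces the previous one,
    so the last non-null leaf wins.
    """
    body: dict = {}
    for leaf in CHOICE_LEAVES:
        value = attrs.get(leaf)
        if value is None:
            continue
        if leaf in STRING_LEAVES and isinstance(value, bool):
            value = str(value).lower()       # False -> "false"
        elif isinstance(value, bool) and not value:
            continue                         # empty-typed leaf is absent when false
        body = {leaf: value}
    return body


def render_cli(name: str, methods: list, fixed: bool) -> str:
    """Render the 'aaa authentication dot1x' line the device would show."""
    words = ["aaa", "authentication", "dot1x", name]
    for i in range(MAX_SLOTS):
        method = methods[i] if i < len(methods) else None
        body = serialize_choice(slot_attrs(method, fixed))
        for leaf, value in body.items():
            if leaf in STRING_LEAVES:
                words += [leaf, str(value)]
            else:
                words.append(leaf)
    return " ".join(words)


def expected_cli(name: str, methods: list) -> str:
    """CLI the module input intends: keywords as-is, other names as 'group <name>'."""
    words = ["aaa", "authentication", "dot1x", name]
    for m in methods:
        words += [m] if m in KEYWORD_METHODS else ["group", m]
    return " ".join(words)


def has_drift(name: str, methods: list, fixed: bool) -> bool:
    """True when the rendered device line differs from the intended one."""
    return render_cli(name, methods, fixed) != expected_cli(name, methods)


if __name__ == "__main__":
    methods = ["local", "sw_radius_group"]   # constructed from the PR's module input
    for fixed in (False, True):
        label = "after fix " if fixed else "before fix"
        print(label, render_cli("wired_auth", methods, fixed),
              "drift" if has_drift("wired_auth", methods, fixed) else "ok")
```

Running it reproduces the two lines quoted in the PR: the pre-fix mapping yields four "cache false" tokens because every slot, including the two empty ones, ends with cache "false" as the last non-null leaf, while the null-based mapping sends exactly one leaf per populated slot. The has_drift() comparison is the kind of check worth keeping in a post-apply test, since Terraform state alone reported success in the original report.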