topic Re: TACACS Role for ND and NDFC not working with one av-pair in Nexus Dashboard

TACACS Role for ND and NDFC not working with one av-pair

BigDalton — Mon, 16 Oct 2023 03:20:44 GMT

According to configuration guide, the new version of NDFC and ND have RBAC configured all in ND admin console, and ND "admin" is treated as NDFC "network-admin" too. But in my ND 3.0.1 and NDFC 12.1.3 setup, one role does not give access to both ND and NDFC.

If I return TACACS cisco-av-pair with shell:role="admin", I can access ND but not NDFC. If I change it to shell:role="network-admin", then I can access NDFC not ND admin console.

I tried to manipulate attribute value but with no luck getting it working for both ND and NDFC access. Is the guide wrong, or I missed something?

Re: TACACS Role for ND and NDFC not working with one av-pair

rohandec1980 — Tue, 31 Oct 2023 23:08:45 GMT

Hello Mate

I am building a NDFC multisite fabric and need to enable AAA. Seeing you have done that, would like to ask some queries around that, if it's okay with you:

1. What documentation did you refer to enable AAA on the NDFC?

2. Did you enable AAA on the switches first and then on the NDFC? if so what user credentials NDFC uses when it pushes out configuration to the switches?

Regards

Rohan

Re: TACACS Role for ND and NDFC not working with one av-pair

John Cui — Mon, 06 Nov 2023 03:09:02 GMT

Hi,

Could you please have a try with TACACS cisco-av-pair of "shell:domains=all/network-admin/"?

This will grant ND admin permission, and "all" means entire NDFC security domain.

If you need specify particular security domain, you need change it accordingly.

Please refer following guide for your deployment.

https://www.cisco.com/c/dam/en/us/td/docs/dcn/ndfc/1213/articles/ndfc-security-domains/configuring-security-domains.pdf

If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Cisco NDFC (previously known as DCNM) through our live Ask the Experts (ATXs) session. Check out this ATXs Resources [https://community.cisco.com/t5/data-center-and-cloud-knowledge/cisco-aci-ask-the-experts-resources/ta-p/4394491] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.

Thanks

Re: TACACS Role for ND and NDFC not working with one av-pair

BigDalton — Mon, 06 Nov 2023 03:23:54 GMT

Hi John,

I just tested the av-pair you suggested in our TACACS server:

This gives no access to either ND nor NDFC:

Re: TACACS Role for ND and NDFC not working with one av-pair

BigDalton — Mon, 06 Nov 2023 03:28:09 GMT

Hi Rohan,

My question is about AAA for the ND/NDFC appliances, not AAA for the managed switches.

I have not checked switch AAA in NDFC yet, but I think that would be pushed by NDFC to the switch using templates still. A local credential is still needed for inital switch discovery and config push.

Re: TACACS Role for ND and NDFC not working with one av-pair

John Cui — Mon, 06 Nov 2023 06:42:59 GMT

Hi,

Could you try to test some with following format?

If still not work, would be good to query with TAC engineer.

Re: TACACS Role for ND and NDFC not working with one av-pair

BigDalton — Mon, 06 Nov 2023 23:22:34 GMT

Hi John,

When using shell:domains in the config, I can't even select NDFC from the ND dropdown list. But when using shell:roles at least I can choose either admin for ND or network-admin for NDFC. I'm not sure why shell:domains does not work despite the document says to use it. It looks like I will have to raise a TAC case to get the answer. Thanks for taking the time to look into this issue for me.