ACI TACACS authentication issue for specific user.

joeharb
Level 5

We use RSA SecurID for MFA and TACACS for the majority of our device administration, including ACI. I am trying to work with Postman for some automation and was going to create a specific internal user within ISE for authentication (internal credentials, no RSA passcode). From ACI, when I use those creds, I see a good authentication within ISE and it matches the desired policy, but ACI times out and states that the TACACS server was unresponsive or took too much time. I have tested these creds on other devices such as a Nexus 7K and it works as expected without issue. If I type in the wrong password on purpose, I get a DENIED back immediately, and the failed login shows up in ISE. I have found others that will use a local account within ACI for this purpose, but I have struggled to get them to work as well.

Any assistance would be appreciated,

Thanks,

Joe


1 Reply

jiarchen
Cisco Employee

Hi, Joe

Not sure whether you're using local or a TACACS group as the default. If a Login Domain is not selected, the built-in DefaultAuth login domain will be used. The DefaultAuth login domain piggybacks off of the Default Authentication configuration. We can change the default Login Domain behavior by using the GUI: Admin -> AAA -> AAA Authentication.


This will enable default TACACS authentication for the APIC GUI and SSH sessions to APICs and fabric switches. However, in order to enable TACACS authentication for console sessions to fabric switches you will also need to enable the TACACS+ Realm for Console Authentication.

Note: Make sure to leave/set the Fallback Check property to false. Setting the Fallback Check property to true may cause local logins to fail.

If you set your default Login Domain to TACACS, did not create an additional Login Domain for local authentication, and forgot your TACACS credentials, ACI has a Login Domain which is known as fallback.

Attached are a few configuration guides; I hope they help.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-32/220433-configure-apic-for-device-administration.html


https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_ACI-TACACS-config.html


I suggest opening a TAC case if the problem persists.

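The reply above explains that an APIC login with no Login Domain selected goes through DefaultAuth, and that a separate Login Domain (for example a local one) has to be chosen explicitly. For an automation client such as the Postman workflow in the question, the domain is selected by formatting the username as `apic:<login-domain>\<user>` in the aaaLogin request. The script below is an added example, not code from the thread or from Cisco: it builds that username, posts the login, and distinguishes a hard denial (APIC answers with an error object) from the "TACACS server unresponsive" case (no answer before the client timeout). `APIC_URL`, `LocalAuto` and `svc-postman` are placeholders, and the two sample responses are constructed for the demo.

```python
"""Log in to a Cisco APIC REST API through an explicit Login Domain.

Added example (not from the forum thread). Assumes the documented
POST /api/aaaLogin.json endpoint and the "apic:<login-domain>\\<user>"
username convention for selecting a non-default Login Domain.
APIC_URL, the domain name and the account name are placeholders.
"""
import json
import socket
import ssl
import urllib.error
import urllib.request
from typing import Optional

APIC_URL = "https://apic.example.net"  # placeholder


def login_username(user: str, domain: Optional[str] = None) -> str:
    """Return the username APIC expects for aaaLogin.

    No domain: APIC uses the DefaultAuth Login Domain, i.e. whatever
    Admin -> AAA -> AAA Authentication points at (TACACS in the question).
    With a domain: the "apic:<domain>\\<user>" prefix selects that Login
    Domain explicitly, e.g. a local-only domain for an automation account,
    so the request never touches the TACACS provider at all.
    """
    if domain is None:
        return user
    if ":" in user or "\\" in user:
        raise ValueError("user must not contain ':' or '\\'")
    return f"apic:{domain}\\{user}"


def build_login_payload(user: str, password: str, domain: Optional[str] = None) -> dict:
    """JSON body for POST /api/aaaLogin.json."""
    return {"aaaUser": {"attributes": {"name": login_username(user, domain), "pwd": password}}}


def parse_login_response(body: dict) -> str:
    """Return the session token, or raise PermissionError with APIC's own error text."""
    items = body.get("imdata", [])
    if items and "aaaLogin" in items[0]:
        return items[0]["aaaLogin"]["attributes"]["token"]
    if items and "error" in items[0]:
        attrs = items[0]["error"]["attributes"]
        raise PermissionError(
            f"APIC login denied (code {attrs.get('code')}): {attrs.get('text')}"
        )
    raise ValueError("unrecognised aaaLogin response")


def apic_login(apic_url: str, user: str, password: str, domain: Optional[str] = None,
               timeout: float = 20.0, verify_tls: bool = True) -> str:
    """POST the login and separate 'denied' from 'provider did not answer'."""
    data = json.dumps(build_login_payload(user, password, domain)).encode()
    req = urllib.request.Request(
        f"{apic_url.rstrip('/')}/api/aaaLogin.json", data=data,
        headers={"Content-Type": "application/json"}, method="POST",
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab fabrics with self-signed certs only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return parse_login_response(json.load(resp))
    except urllib.error.HTTPError as err:
        # A wrong password comes back immediately as HTTP 401 with an error
        # object in imdata: this is the DENIED case from the question.
        return parse_login_response(json.load(err))
    except (socket.timeout, urllib.error.URLError) as err:
        # No answer at all within the timeout: the symptom the question
        # describes when the AAA provider for the chosen domain does not reply.
        raise TimeoutError(
            f"no aaaLogin response within {timeout}s for domain "
            f"{domain or 'DefaultAuth'}: {err}"
        ) from err


# Constructed sample responses (not captured from a real APIC) for the demo.
SAMPLE_OK = {"totalCount": "1",
             "imdata": [{"aaaLogin": {"attributes": {"token": "tok-example"}}}]}
SAMPLE_DENIED = {"totalCount": "1",
                 "imdata": [{"error": {"attributes": {"code": "401",
                                                      "text": "Authentication failed"}}}]}


def demo() -> dict:
    """Exercise the pure parts offline; returns what each call produced."""
    out = {"default_user": login_username("svc-postman"),
           "local_user": login_username("svc-postman", "LocalAuto"),
           "token": parse_login_response(SAMPLE_OK)}
    try:
        parse_login_response(SAMPLE_DENIED)
    except PermissionError as err:
        out["denied"] = str(err)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To exercise the real path, call `apic_login(APIC_URL, "svc-postman", password, domain="LocalAuto")`; a `PermissionError` means the chosen domain answered and rejected the credentials, while a `TimeoutError` means the domain's provider never replied within `timeout`, which is the case to take to the AAA side rather than the client.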