02-19-2021 07:11 AM
Hi, I configured TACACS on my APIC controllers (Admin>AAA) and I can now log in successfully using TACACS on each of my 3 APIC controllers. The problem I have now is that when I SSH from any APIC to a leaf or spine switch, or go directly, I can no longer log in, even with the switch local admin account!
Am I missing a parameter somewhere, specifically in regards to Tenant or Fabric TACACS/Security configuration?
I'm running 4.2(6d) on the entire fabric.
02-19-2021 08:11 AM - edited 02-19-2021 08:28 AM
Assuming your TACACS domain is called TACACS (check on APIC GUI: Admin > AAA > Authentication > Login Domains)
and leaf IP is 1.2.3.4
# ssh apic#TACACS\\yourusername@1.2.3.4
For the local ID login
# ssh apic#fallback\\admin@1.2.3.4
02-19-2021 08:58 AM - edited 02-19-2021 08:58 AM
Hi no luck!
Yes Domain is called TACACS
I tried both commands which worked fine from the APIC but access denied with both passwords
So I can log in to the APICs fine with TACACS but not leafs or spines.
02-19-2021 09:36 AM - edited 02-19-2021 09:54 AM
It should work if your leaf has access to the TACACS server. First check what APIC is using: System > System Settings > APIC Connectivity Preference
Then verify whether the leafs, via INB or OOB, can get to TACACS.
One more thing: fallback admin should work regardless of TACACS.
02-22-2021 01:19 AM
Config was INB, changed to OOB, still no luck.
I might open a TAC for this issue.
02-22-2021 08:12 AM
After checking our ACS Server, AAA authentication is working fine but AAA authorisation is not working. I can only think that a specific av-pair needs to be added to ACS for the ACI leafs and spines. Just don't know what that could be.
02-22-2021 09:07 AM
12-06-2023 02:45 PM
Hi, I am facing the same issue. May I know the solution for this?