02-19-2021 07:11 AM
Hi, I configured TACACS on my APIC controllers (Admin>AAA) and I can now log in successfully using TACACS on each of my 3 APIC controllers. The problem I have now is that when I ssh from any APIC to a leaf or spine switch, or go directly, I can no longer log in, even with the switch local admin account!
Am I missing a parameter somewhere, specifically in regards to Tenant or Fabric TACACS/Security configuration?
I'm running 4.2(6d) on the entire fabric.
02-19-2021 08:11 AM - edited 02-19-2021 08:28 AM
Assuming your TACACS domain is called TACACS (check on APIC GUI: admin > AAA > Authentication > Login Domains)
and the leaf IP is 1.2.3.4
# ssh apic#TACACS\\yourusername@1.2.3.4
For the local ID login
# ssh apic#fallback\\admin@1.2.3.4
02-19-2021 08:58 AM - edited 02-19-2021 08:58 AM
Hi, no luck!
Yes, the domain is called TACACS.
I tried both commands, which worked fine from the APIC, but access denied with both passwords.
So I can log in to the APICs fine with TACACS but not leafs or spines.
02-19-2021 09:36 AM - edited 02-19-2021 09:54 AM
It should work if your leaf has access to the TACACS server. First check what APIC is using: System > system settings > APIC connectivity preference
Then verify whether the leafs, via INB or OOB, can get to TACACS.
One more thing: fallback admin should work regardless of TACACS.
02-22-2021 01:19 AM
Config was INB, changed to OOB, still no luck.
I might open a TAC for this issue.
02-22-2021 08:12 AM
After checking our ACS Server, AAA authentication is working fine but AAA authorisation is not working... I can only think that a specific av-pair needs to be added to ACS for the ACI leafs and spines. Just don't know what that could be.
02-22-2021 09:07 AM
12-06-2023 02:45 PM
Hi, I am facing the same issue. May I know the solution for this?