08-11-2025 09:27 AM
Hi Cisco Community,
I’m configuring local authentication in Cisco ACI but need help understanding the exact purpose of each option available in the settings (e.g., "Local", "TACACS+", "RADIUS", "LDAP", etc.). I’ve searched online but couldn’t find official documentation that clearly explains:
What each authentication method specifically controls in ACI.
Best practices for when to use one over another.
Any dependencies or prerequisites for these options.
Thanks in advance! I’ll summarize the answers for others once resolved.
#ACI #Authentication #LocalAuth #HelpNeeded
08-12-2025 01:20 AM
Hello @willytech007 ,
Local authentication in ACI is where the user accounts are stored on the APIC database.
The other options you mentioned, LDAP, RADIUS, etc. are not local authentication options.
There are no dependencies between them. You can configure any one of them or all of them.
I haven't encountered a best practice of which to choose over which so far. Some combine local authentication with LDAP. Some might combine local authentication with Cisco ISE as a RADIUS server. But a healthy practice is not to disable local authentication at all. Remember that at APIC initial installation, you configure a local account called 'admin' which you use to log in to APIC.
09-15-2025 07:51 PM
Hello sir
Right, I read that the best practice is to never disable fallback authentication.