Cisco ACI : Configuring TACACS Authentication for specific leaf

Hi,

I have a Cisco ACI environment running Version: 1.2(1i) and I configured TACACS on the APICs together with all the necessary attributes on the Cisco ACS server.

I can log in to the APICs using the TACACS account and I have the right authorization.

However, if I SSH to the leaves, I can only use the local admin account. No TACACS seems to be possible. I don't see any TACACS connection to the ACS servers being originated from the leaf.

Besides this, I didn't find any way of configuring TACACS specifically for the leaves.

As a side note, I am only using OOB management for the leaves.

If I issue a show tacacs-server on the leaf, I see that the source interface is set to "any available".

Leaf# show tacacs-server
timeout value:5
deadtime value:0
source interface:any available
total number of servers:2
following TACACS+ servers are configured:
x.x.x.x:
available on port:49
y.y.y.y:
available on port:49
Any ideas?

Accepted Solution

Hi All!

Good idea upgrading the firmware. With older versions there was a defect open for this (CSCuu25181): the default out-of-band management EPG configuration does not allow packets to return from the AAA providers.

Workaround:
The mgmt tenant needs at a minimum a contract that permits the AAA provider protocols that are required (out-of-band contract in the case of the out-of-band EPG) applied for both provided and consumed as well as a subnet that permits the AAA provider.

11 Replies

michelvankessel (Level 5)

I have the same question, configured TACACS+ for the APIC's, but only local login seems to work. I hope someone has some ideas. I am running 1.2(1m) 

In the meantime I found out that the specific TACACS authentication issue was caused by the fact that on two specific leaves I was using an older firmware compared to the running APIC version.

michelvankessel (Level 5)

I did some testing with RADIUS. If you change the default authentication realm to RADIUS, you need also RADIUS to login to the switches. 

Hi Michel,

If we do TACACS or RADIUS integration and we want to log in to any of the nodes directly, is there a specific username format that specifies the authentication domain from the CLI?

You specify the domain on the APIC. No need to use the domain from the CLI. Make sure the default authentication mode is RADIUS/TACACS.

Also make sure you configure each device (APIC, spine and leaf) as a RADIUS/TACACS client. Check the logging on the server for errors.

Regards,

@michelvankessel

dpita (Cisco Employee)

Hello

Thanks for using SupportForums!

You should be able to use your TACACS server to authenticate into your leafs. You need a special login format though, and the user account needs to have admin rights:

ssh apic#domain\\username@leaf-1-ip

Just make sure you have node management addresses configured for all your APICs and leafs in the GUI.

Let me know how it goes!

~] @ DPITA-M-D0U1 (Daniel) $ssh apic#TACACS\\user1@10.12
Password:
Last login: Tue Jun 28 15:08:30 2016 from 10.
Cisco Nexus Operating System (NX-OS) Software
Copyright (c) 2002-2015, Cisco Systems, Inc. All rights reserved.    
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
Leaf103# 
Leaf103#

Thanks.

This is what I was looking for. I read this somewhere, but now I was not able to find the document for this special username format.

Hi,

I have the default auth set to RADIUS, so I can log in with RADIUS credentials to the APIC or leaf/spine via the CLI. When I need to log in with local credentials I just use this format:

apic#local\\admin

Thanks.
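The two login forms discussed above (bare username when the realm is the node's default, `apic#<realm>\<user>` otherwise) and the CLI outputs pasted in this thread can be tied together in a small helper. This is an added example, not code from the thread or from Cisco; the sample outputs are constructed copies of what was pasted here, and the function names are my own.

```python
import re
import shlex

# Constructed samples modelled on the outputs pasted in this thread.
SHOW_AAA_AUTH = """\
leaf01# show aaa authentication
         default: OUR_TAC_POLICY
         console: local
"""

SHOW_TACACS = """\
timeout value:5
deadtime value:0
source interface:any available
total number of servers:2
following TACACS+ servers are configured:
x.x.x.x:
available on port:49
y.y.y.y:
available on port:49
"""


def parse_aaa_authentication(text):
    """Return {'default': realm, 'console': realm} from 'show aaa authentication'."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\s*(default|console):\s*(\S+)\s*$", text, re.M)}


def parse_tacacs_servers(text):
    """Return [(server, port), ...] from 'show tacacs-server' output."""
    servers, lines = [], text.splitlines()
    for i, line in enumerate(lines[:-1]):
        host = re.match(r"^(\S+):$", line.strip())
        port = re.match(r"^available on port:(\d+)$", lines[i + 1].strip())
        if host and port:
            servers.append((host.group(1), int(port.group(1))))
    return servers


def login_name(user, realm, default_realm):
    """Bare username if the realm is the node's default, else the apic#realm\\user form."""
    return user if realm == default_realm else f"apic#{realm}\\{user}"


def ssh_command(user, realm, host, default_realm):
    """Build the ssh command line; shlex.quote protects '#' and '\\' from the shell."""
    return "ssh " + shlex.quote(f"{login_name(user, realm, default_realm)}@{host}")
```

With the thread's leaf output, `login_name("admin", "local", "OUR_TAC_POLICY")` yields `apic#local\admin`, matching the form shown above.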

Hi,


We are using the same infrastructure with the new APIC apic-2.3(1f) / Leaf 12.3(1f) firmware.

Unfortunately we are facing the same issue as Andrei: we can log in to the APIC via TACACS but cannot log in to the leafs (authentication failed).


ssh apic#OUR_TAC_POLICY\\username@leaf-1-ip


We have configured this under Admin -> AAA Authentication and TACACS+ Provider Groups.

The output after checking the config on the leaf:

leaf01# show aaa authentication
         default: OUR_TAC_POLICY
         console: local

Looks OK.

Now my question is: what is the best way to troubleshoot this issue?

I am facing a strange issue. Initially we were facing an issue logging in to one of the APICs (APIC-3) with TACACS authentication, and the rest of the APICs in the cluster were working fine for authentication. We did an upgrade and after that the same issue started for APIC-1.

Currently I am able to log in to APIC-2 using TACACS authentication but getting the error "AAA servers are unreachable" for the other APICs.


Our security team removed and re-added the APIC config in TACACS, but the issue is still not resolved.

Please suggest what we should check on the APIC side and how.

All TACACS configuration is standard, and on another site the same config is working.
