cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10070
Views
5
Helpful
11
Replies
Highlighted

Cisco ACI : Configuring TACACS Authentication for specific leaf

HI,

I have a Cisco ACI environment running Version: 1.2(1i) and I configured TACACS on the APICs together with all the necessary attributes on the Cisco ACS server.

I can login to the APICs using the TACACS account and i have the right authorization.

However, if I SSH to the leaves, I can only use the local admin account.No TACACS seem to be possible.I don't see any TACACS connection to the ACS servers being originated from the leaf.

Beside this, I didn't find any way of configuring TACACS specifically for the leaves.

As a side note, I am only using OOB management for the leaves.

If I issue a show tacacs-server on the leaf, I see that the source-interface is set as any available.

Leaf# show tacacs-server
timeout value:5
deadtime value:0
source interface:any available
total number of servers:2
following TACACS+ servers are configured:
x.x.x.x:
available on port:49
y.y.y.y:
available on port:49
Any ideas?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Hi All!

Hi All!

Good idea upgrading the firmware. With older versions there was a defect open for this (CSCuu25181) -The default out-of-band management EPG configuration does not allow packets to return from the AAA providers. 

Workaround:
The mgmt tenant needs at a minimum a contract that permits the AAA provider protocols that are required (out-of-band contract in the case of the out-of-band EPG) applied for both provided and consumed as well as a subnet that permits the AAA provider.

View solution in original post

11 REPLIES 11
Highlighted
Contributor

I have the same question,

I have the same question, configured TACACS+ for the APIC's, but only local login seems to work. I hope someone has some ideas. I am running 1.2(1m) 

Highlighted

In the meantime I found out

In the meantime I found out that the specific TACACS authentication issue was caused by the fact that on two specific leaves I was using an older firmware compared to the running APIC version.

Highlighted
Cisco Employee

Hi All!

Hi All!

Good idea upgrading the firmware. With older versions there was a defect open for this (CSCuu25181) -The default out-of-band management EPG configuration does not allow packets to return from the AAA providers. 

Workaround:
The mgmt tenant needs at a minimum a contract that permits the AAA provider protocols that are required (out-of-band contract in the case of the out-of-band EPG) applied for both provided and consumed as well as a subnet that permits the AAA provider.

View solution in original post

Highlighted
Contributor

I did some testing with

I did some testing with RADIUS. If you change the default authentication realm to RADIUS, you need also RADIUS to login to the switches. 

Highlighted
Beginner

Hi Michel,

Hi Michel,

If we do tacacs or radius integration & if we wanted to login to any of the node directly, then is there any specific format of username which specify authentication domain from CLI?

Highlighted
Contributor

you specify the domain on the

you specify the domain on the APIC. No need to use the domain from the CLI. Make sure, the default authentication mode is RADIUS/TACACS. 

Also make sure you configure each device (APIC,SPINE and LEAF) as RADIUS/TACACS client. Check the logging on the server for errors

regards

@michelvankessel

Highlighted
Cisco Employee

Hello

Hello

Thanks for using SupportForums!

you should be able to use your TACACS server to authenticate into your leafs. you need a special login format though, and the user account needs to have admin rights

ssh apic#domain\\username@leaf-1-ip

just make sure you have node management addresses configured for all your APICs and Leafs in the GUI

let me know how it goes!

~] @ DPITA-M-D0U1 (Daniel) $ssh apic#TACACS\\user1@10.12
Password:
Last login: Tue Jun 28 15:08:30 2016 from 10.
Cisco Nexus Operating System (NX-OS) Software
Copyright (c) 2002-2015, Cisco Systems, Inc. All rights reserved.    
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
Leaf103# 
Leaf103#
Highlighted
Beginner

Thanks.

Thanks.

This is what I was looking. I read this some where but now I was not able find the document for this special username format.

Highlighted
Beginner

Hi,

Hi,

I have default auth set to RADIUS so I can login with RADIUS credentials to APIC or Leaf/Spine via CLI  When I need to login with local credential I just use this format:

apic#local\\admin

Thanks.

Highlighted
Beginner

Hi,

Hi,

 

we using the same infrastructure with the new APIC apic-2.3(1f) / Leaf 12.3(1f) firmare.

Unfortunately we facing the same issue as Andrei we can login to apic via tacacs but cannot login to leafs / authentication failed .

 

ssh apic#OUR_TAC_POLICY\\username@leaf-1-ip

 

we have configured in Admin -> AAA atthtication and tacacs- Providers groups.

the output after check config on leaf:

 

leaf01# show aaa authentication

         default: OUR_TAC_POLICY

         console: local

 

Looks ok,

now my questions is what is the best case to troubleshoot this issue ?

Highlighted
Beginner

Re: Unable to login to APIC using TACACS and Admin

 I am facing strange issue. Initially we were facing issue to login one of APIC (APIC-3) with TACACS authentication and rest of APIC in cluster was working fine for authentication.We did upgrade and after that same issue started for APIC-1.

Currently I am able to login to APIC-2 using TACACS authentication but getting error "AAA servers are unreachable" for other APICs.

 

Our Security team remove and added APIC config in TACACS but still issue is not resolved.

Please suggest what should we check on APIC side and how?

All TACACS configuration is standard and on other site same config is working.

CreatePlease to create content
Content for Community-Ad

Cisco COVID-19 Survey