ACI Spine and Leaf TACACS Authentication to ISE

navydivervet
Level 1

Spine/Leaf Switches (Nx9k), giving me "Access denied Using keyboard-interactive authentication." message. When I check logs in ISE, it says that the authentication and authorization passed. In ISE, I have a single ACI Policy. That policy has both an "admin" and a "read only" profile.

The accounts under the admin profile log in fine, but not the Read-Only accounts. Also, the same Identity Group is used under other authorization policies and works.

I'm using shell:domains = all//read-all as the profile attribute

 

Thoughts???


7 Replies

navydivervet
Level 1

What's the correct shell or AV pair syntax for a remote user with read-only access?

Hi,

 

Just wondering, did you get this resolved? I'm having exactly the same issue. When I put all//admin in my AV pair I'm able to log in; however, I get the following error when I try running a 'show' command on the leaf. Looks like a bug or undocumented behavior. I'm on version 3.1(1i) now.

 

 <?xml version="1.0" encoding="UTF-8"?><imdata totalCount="1"><error code="403" text="Need a valid webtoken cookie (named APIC-Cookie) or a signed request with signature in the cookie APIC-Request-Signature for all REST API requests"/></imdata>

 

Thanks.

 

BR,

Miro 

YanL
Level 1

The trailing slash is important for admin.

Admin ->  all/admin/

Read only ->  all//read-all

 

Hi Yan

 

Just to clarify: admin works as expected with all/admin/

 

However, both the "all//read-all" and "all//admin" AV pairs give me correct read-only rights on APIC, but if I SSH to the leaf or spine it gives me the above-mentioned webtoken error when I try to run 'show' commands.

 

Thanks

Miro

Hi,

 

Not sure if you have referred to the guide:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/security/b-Cisco-APIC-Security-Configuration-Guide-411/b-Cisco-APIC-Security-Configuration-Guide-411_chapter_0100.html

There is a NOTE at the very top:

"Remote users for AAA Authentication with shell:domains=all/read-all/ will not be able to access Leaf switches and Spine switches in the fabric for security purposes. This pertains to all version up to 4.0(1h)."

 

And I can confirm that I do see same behavior even with APIC version 4.1(1j).

 

So it looks to me that read-only access for Spine/Leaf switches would need to be configured as a custom role and privileges.

:-) 

/Martin

To authorize SSH read-only to Spines and Leafs I use this syntax in Cisco ISE. This works on 3.6, 4.1.1i and 4.1.1k

 

shell:domains = all//admin|read-all 

Thanks, this kind of works. Just to specify in more detail: even though it might appear as RO access to Spine/Leaf switches, even with RW rights nothing can be configured on them, as they are fully controlled by APIC.

 

But we finalized RW/RO access permissions to APIC and Leaf/Spine switches, so fine with me :-)

 

/Martin
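The shell:domains values traded in this thread (all/admin/, all//read-all, all//admin|read-all) differ only in which slash-separated slot the roles land in, which is easy to get wrong in an ISE authorization profile. The following parser and classifier is an added example for auditing such values; it is not code from the thread or from Cisco. It assumes the documented AV pair shape of comma-separated entries, each exactly domain/write-roles/read-roles with roles separated by "|", and classifies by slot position only (it does not know what APIC does with a given role name).

```python
# Added example: parse and classify Cisco ACI "shell:domains" TACACS+ AV pair values.
# Assumed format (documented shape, not taken from this thread):
#   shell:domains = dom1/write1|write2/read1|read2,dom2/write1/read1
# Comma-separated domain entries; each entry is domain/write-roles/read-roles
# with "|" between roles. Either role list may be empty ("all//read-all").
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class DomainAccess:
    domain: str
    write_roles: List[str] = field(default_factory=list)
    read_roles: List[str] = field(default_factory=list)

    @property
    def level(self) -> str:
        """Effective access by slot: any write role outranks read roles."""
        if self.write_roles:
            return "read-write"
        if self.read_roles:
            return "read-only"
        return "none"


def _split_roles(slot: str) -> List[str]:
    """Split a 'role1|role2' slot, dropping empty pieces."""
    return [r for r in slot.split("|") if r]


def parse_shell_domains(av_pair: str) -> Dict[str, DomainAccess]:
    """Parse 'shell:domains = ...' (or just the value) into per-domain access.
    Raises ValueError for entries without the full three-slot shape, e.g.
    'all/admin' with the trailing slash missing, as discussed in the thread."""
    value = av_pair.split("=", 1)[1] if "=" in av_pair else av_pair
    result: Dict[str, DomainAccess] = {}
    for entry in value.strip().split(","):
        entry = entry.strip()
        if not entry:
            continue
        parts = entry.split("/")
        if len(parts) != 3 or not parts[0]:
            raise ValueError(f"malformed entry {entry!r}: "
                             "expected domain/write-roles/read-roles")
        domain, write, read = parts
        result[domain] = DomainAccess(domain, _split_roles(write), _split_roles(read))
    return result


def audit(av_pair: str) -> Dict[str, str]:
    """Map each domain to its effective access level for a quick profile review."""
    return {d: a.level for d, a in parse_shell_domains(av_pair).items()}
```

Running audit() over each candidate profile value before pushing it to ISE shows at a glance whether a role ended up in the write slot or the read slot.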
