ACI Spine and Leaf TACACS Authentication to ISE

Spine/Leaf Switches (Nx9k), giving me "Access denied Using keyboard-interactive authentication." message. When I check logs in ISE, it says that the authentication and authorization passed. In ISE, I have a single ACI Policy. That policy has both an "admin" and a "read only" profile.

The accounts under the admin profile log in fine, but not the Read-Only accounts. Also, the same Identity Group is used under other authorization policies and works.

I'm using shell:domains = all//read-all as the profile attribute

Thoughts???

1 ACCEPTED SOLUTION

Re: ACI Spine and Leaf TACACS Authentication to ISE

Thanks, this kind of works. Just to specify in more detail: even though it might appear as RO access to Spine/Leaf switches, even with RW rights nothing can be configured on them, as they are fully controlled by APIC.

But we finalized RW/RO access permissions to APIC and Leaf/Spine switches, so fine with me :-)

/Martin

7 REPLIES

Re: ACI Spine and Leaf TACACS Authentication to ISE

What's the correct shell or av pair syntax, for a remote user with read-only access?


Re: ACI Spine and Leaf TACACS Authentication to ISE

Hi,

Just wondering, did you get this resolved? As I'm having exactly the same issue. When I put all//admin in my AV pair I'm able to login, however I'm getting the following error when I try running a 'show' command on the leaf. Looks like a bug or undocumented behavior. I'm on version 3.1(1i) now.

<?xml version="1.0" encoding="UTF-8"?><imdata totalCount="1"><error code="403" text="Need a valid webtoken cookie (named APIC-Cookie) or a signed request with signature in the cookie APIC-Request-Signature for all REST API requests"/></imdata>

Thanks.

BR,

Miro


Re: ACI Spine and Leaf TACACS Authentication to ISE

The trailing slash is important for admin.

Admin -> all/admin/

Read only -> all//read-all


Re: ACI Spine and Leaf TACACS Authentication to ISE

Hi Yan,

Just to clarify: admin works as expected with all/admin/

However, both "all//read-all" and "all//admin" AV pairs give me correct read-only rights on APIC, but if I SSH to the leaf or spine it gives me the above-mentioned webtoken error when I try to run 'show' commands.

Thanks

Miro


Re: ACI Spine and Leaf TACACS Authentication to ISE

Hi,

Not sure if you have referred to the guide:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/security/b-Cisco-APIC-Security-Configuration-Guide-411/b-Cisco-APIC-Security-Configuration-Guide-411_chapter_0100.html

There is a NOTE at the very top:

"Remote users for AAA Authentication with shell:domains=all/read-all/ will not be able to access Leaf switches and Spine switches in the fabric for security purposes. This pertains to all version up to 4.0(1h)."

And I can confirm that I do see the same behavior even with APIC version 4.1(1j).

So it looks to me that ReadOnly for Spine/Leaf switches would need to be configured as a Custom role and privileges.

:-)

/Martin


Re: ACI Spine and Leaf TACACS Authentication to ISE

To authorize SSH read-only access to Spines and Leafs I use this syntax in Cisco ISE. This works on 3.6, 4.1.1i and 4.1.1k:

shell:domains = all//admin|read-all
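As an added illustration (this is not code from the thread, from Cisco, or from ISE), here is a small Python parser for the shell:domains AV pair format the APIC security guide documents: domain/writeRoles/readRoles, with several roles in one field separated by `|`. It shows why the trailing slash matters: all/admin has only two fields and is rejected, all/admin/ places admin in the write-role field (read-write), and all//admin|read-all places both roles in the read-role field, which is the read-only form reported to work on the switches. Comma separation between multiple domain entries is assumed from that same documented format; the sample AV pairs are constructed from the forms discussed in this thread.

```python
"""Parser for the Cisco APIC ``shell:domains`` TACACS+ AV pair (added example).

Documented format:
    shell:domains = <domain>/<writeRole>|<writeRole>/<readRole>|<readRole>[,<domain>/...]
An empty write-role field (the "all//read-all" form) grants read-only access.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class DomainGrant:
    domain: str
    write_roles: List[str]
    read_roles: List[str]

    @property
    def access(self) -> str:
        """Effective access level implied by the two role fields."""
        if self.write_roles:
            return "read-write"
        if self.read_roles:
            return "read-only"
        return "none"


def parse_shell_domains(av_pair: str) -> List[DomainGrant]:
    """Parse the AV pair (with or without the ``shell:domains =`` prefix).

    Raises ValueError for an entry that does not have exactly three
    slash-separated fields, e.g. ``all/admin`` with no trailing slash.
    """
    value = av_pair.split("=", 1)[1] if "=" in av_pair else av_pair
    grants: List[DomainGrant] = []
    for entry in value.split(","):  # comma between domains: assumed from the docs
        entry = entry.strip()
        if not entry:
            continue
        fields = entry.split("/")
        if len(fields) != 3:
            raise ValueError(
                f"{entry!r}: expected domain/writeRoles/readRoles, "
                f"got {len(fields)} field(s); is the trailing slash missing?"
            )
        domain, write, read = fields
        if not domain:
            raise ValueError(f"{entry!r}: empty security domain")
        grants.append(
            DomainGrant(
                domain=domain,
                write_roles=[r for r in write.split("|") if r],
                read_roles=[r for r in read.split("|") if r],
            )
        )
    return grants


def describe(av_pair: str) -> str:
    """One-line human-readable summary, or a 'malformed:' message."""
    try:
        grants = parse_shell_domains(av_pair)
    except ValueError as exc:
        return f"malformed: {exc}"
    return "; ".join(
        f"{g.domain}: {g.access} (write={g.write_roles}, read={g.read_roles})"
        for g in grants
    )


# Constructed sample AV pairs, taken from the forms discussed in this thread.
SAMPLES = [
    "shell:domains = all/admin/",
    "shell:domains = all/admin",
    "shell:domains = all//read-all",
    "shell:domains = all//admin|read-all",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:40} -> {describe(sample)}")
```

Running the module prints one line per sample; the second sample (no trailing slash) is reported as malformed rather than silently treated as an admin grant, which is the failure mode the trailing-slash reply above points at.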
