03-23-2018 02:08 PM - edited 02-21-2020 10:51 AM
Spine/Leaf Switches (Nx9k), giving me "Access denied Using keyboard-interactive authentication." message. When I check logs in ISE, it says that the authentication and authorization passed. In ISE, I have a single ACI Policy. That policy has both an "admin" and a "read only" profile.
The accounts under the admin profile log in fine, but not the Read-Only accounts. Also, the same Identity Group is used under other authorization policies and works.
I'm using shell:domains = all//read-all as the profile attribute
Thoughts???
03-25-2018 05:29 AM
What's the correct shell or av pair syntax, for a remote user with read-only access?
07-06-2018 07:21 AM
Hi,
Just wondering, did you get this resolved? I'm having exactly the same issue. When I put all//admin in my AV pair I'm able to log in, however I get the following error when I try running a 'show' command on the leaf. Looks like a bug or undocumented behavior. I'm on version 3.1(1i) now.
<?xml version="1.0" encoding="UTF-8"?><imdata totalCount="1"><error code="403" text="Need a valid webtoken cookie (named APIC-Cookie) or a signed request with signature in the cookie APIC-Request-Signature for all REST API requests"/></imdata>
Thanks.
BR,
Miro
07-10-2018 10:53 AM
Trailing slash is important for admin.
Admin -> all/admin/
Read only -> all//read-all
07-11-2018 01:35 AM
Hi Yan
Just to clarify - admin works as expected with all/admin/
However, both "all//read-all" and "all//admin" AV pairs give me correct read-only rights on APIC, but if I SSH to the leaf or spine it gives me the above-mentioned webtoken error when I try to run 'show' commands.
Thanks
Miro
06-07-2019 04:01 AM
Hi,
Not sure if you have referred to the guide:
There is a NOTE at the very top:
"Remote users for AAA Authentication with shell:domains=all/read-all/ will not be able to access Leaf switches and Spine switches in the fabric for security purposes. This pertains to all versions up to 4.0(1h)."
And I can confirm that I do see same behavior even with APIC version 4.1(1j).
So it looks to me that ReadOnly for Spine/Leaf switches would need to be configured as a custom role and privileges.
:-)
/Martin
06-07-2019 08:22 AM
To authorize SSH read-only to Spines and Leafs I use this syntax in Cisco ISE. This works on 3.6, 4.1.1i and 4.1.1k
shell:domains = all//admin|read-all
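The three values traded in this thread (all/admin/, all//read-all, all//admin|read-all) differ only in which side of the second slash a role sits on, which is exactly what the "trailing slash is important" remark is about. The following Python snippet is an added example, not code from the thread, from Cisco or from ISE: it parses a shell:domains value into domain, write roles and read roles so the grant can be checked before it is pushed into an authorization profile. It assumes the format from the ACI AAA documentation, <domain>/<writeRole>|<writeRole>/<readRole>|<readRole>, and also accepts several comma-separated domain clauses, which the thread itself does not show.

```python
"""
Parse and sanity-check Cisco ACI 'shell:domains' AV pair values.

Added example (not Cisco or ISE code). Assumed format, taken from the
ACI AAA documentation:

    shell:domains = <domain>/<writeRoles>/<readRoles>[,<domain>/...]

where each role list is '|'-separated. The field between the first and
second slash holds WRITE roles, the field after the second slash holds
READ roles. That is why 'all/admin/' grants admin as a write role while
'all//read-all' and 'all//admin|read-all' grant read roles only, and why
'all/admin' (no trailing slash) is not a valid value at all.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Accept the value with or without the 'shell:domains =' prefix,
# tolerating the spacing variants seen in ISE profiles.
AV_PAIR_RE = re.compile(r"^\s*(?:shell:domains\s*=\s*)?(?P<value>\S.*?)\s*$")


@dataclass
class DomainGrant:
    domain: str
    write_roles: List[str] = field(default_factory=list)
    read_roles: List[str] = field(default_factory=list)

    @property
    def is_read_only(self) -> bool:
        # Read-only means at least one read role and no write role at all.
        return not self.write_roles and bool(self.read_roles)

    @property
    def is_read_write(self) -> bool:
        return bool(self.write_roles)


def _split_roles(part: str) -> List[str]:
    # Empty field ('' between two slashes) means no roles on that side.
    return [role for role in part.split("|") if role]


def parse_shell_domains(av_pair: str) -> List[DomainGrant]:
    """Return one DomainGrant per comma-separated domain clause.

    Raises ValueError on a malformed value. A missing slash (for example
    'all/admin' instead of 'all/admin/') is the most common mistake and is
    rejected here rather than silently mis-assigning the role.
    """
    match = AV_PAIR_RE.match(av_pair)
    if not match:
        raise ValueError("empty or unrecognised shell:domains value")

    grants = []
    for clause in match.group("value").split(","):
        fields = clause.strip().split("/")
        if len(fields) != 3 or not fields[0]:
            raise ValueError(
                f"expected <domain>/<writeRoles>/<readRoles>, got {clause!r}"
            )
        domain, write_part, read_part = fields
        grants.append(
            DomainGrant(domain, _split_roles(write_part), _split_roles(read_part))
        )
    return grants


def describe(av_pair: str) -> str:
    """One-line summary of the access a value grants, per domain."""
    parts = []
    for grant in parse_shell_domains(av_pair):
        if grant.is_read_write:
            kind = "read-write via " + "|".join(grant.write_roles)
        elif grant.is_read_only:
            kind = "read-only via " + "|".join(grant.read_roles)
        else:
            kind = "no roles"
        parts.append(f"{grant.domain}: {kind}")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed inputs mirroring the values discussed in the thread.
    for value in ("shell:domains = all/admin/",
                  "shell:domains = all//read-all",
                  "shell:domains = all//admin|read-all",
                  "shell:domains = all/admin"):
        try:
            print(f"{value:45} -> {describe(value)}")
        except ValueError as exc:
            print(f"{value:45} -> INVALID ({exc})")
```

Running the script shows the first value as read-write, the next two as read-only (the third with both admin and read-all as read roles), and the last rejected for the missing trailing slash. Whether a given read-only combination lets the user reach the leaf and spine CLI is a matter of APIC version, as the posts above describe; the parser only tells you which roles you are actually asking for.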
06-12-2019 10:37 PM
Thanks, kind of this works. Just to specify in more detail: even though it might appear as RO access to Spine/Leaf switches, even with RW rights nothing can be configured on them, as they are fully controlled by APIC.
But we finalized RW/RO access permissions to APIC and Leaf/Spine switches, so fine with me :-)
/Martin