TACACS Role for ND and NDFC not working with one av-pair

BigDalton
Level 1

According to the configuration guide, the new versions of NDFC and ND have RBAC configured entirely in the ND admin console, and the ND "admin" role is also treated as the NDFC "network-admin" role. But in my ND 3.0.1 and NDFC 12.1.3 setup, one role does not give access to both ND and NDFC.

If I return TACACS cisco-av-pair with shell:role="admin", I can access ND but not NDFC. If I change it to shell:role="network-admin", then I can access NDFC not ND admin console.

I tried to manipulate the attribute value, but had no luck getting it working for both ND and NDFC access. Is the guide wrong, or did I miss something?

6 Replies

rohandec1980
Level 1

Hello Mate

I am building an NDFC multisite fabric and need to enable AAA. Seeing that you have done that, I would like to ask some questions about it, if that's okay with you:

1. What documentation did you refer to when enabling AAA on the NDFC?

2. Did you enable AAA on the switches first and then on the NDFC? If so, what user credentials does NDFC use when it pushes out configuration to the switches?

Regards

Rohan


Hi Rohan,

My question is about AAA for the ND/NDFC appliances, not AAA for the managed switches.

I have not checked switch AAA in NDFC yet, but I think that would still be pushed by NDFC to the switch using templates. A local credential is still needed for initial switch discovery and config push.

John Cui
Cisco Employee

Hi,

Could you please try the TACACS cisco-av-pair "shell:domains=all/network-admin/"?

This will grant ND admin permission, and "all" means the entire NDFC security domain.

If you need to specify a particular security domain, change it accordingly.

Please refer to the following guide for your deployment.

https://www.cisco.com/c/dam/en/us/td/docs/dcn/ndfc/1213/articles/ndfc-security-domains/configuring-security-domains.pdf

If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Cisco NDFC (previously known as DCNM) through our live Ask the Experts (ATXs) sessions. Check out the ATXs Resources [https://community.cisco.com/t5/data-center-and-cloud-knowledge/cisco-aci-ask-the-experts-resources/ta-p/4394491] to view the latest schedule for upcoming sessions, as well as useful references such as online guides and FAQs.

Thanks
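
As an added illustration (not part of the thread or of Cisco's software), the small parser below splits the two cisco-av-pair shapes discussed here, shell:role="..." and shell:domains=<domain>/<role>/, so the value returned by a TACACS server can be checked before it is tested against ND and NDFC. The attribute names and the "all/network-admin/" form come from the posts above; treating several "/"-separated tokens after the domain as multiple roles is an assumption.

```python
"""Parse and sanity-check cisco-av-pair strings of the two shapes in this thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Attribute names that appear in the thread: shell:role, shell:roles, shell:domains.
_AV_PAIR = re.compile(r'(shell:(?:role|roles|domains))=("?)([^"]*)\2')


@dataclass
class AvPair:
    attribute: str            # e.g. "shell:domains"
    domain: Optional[str]     # security domain for shell:domains, else None
    roles: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def parse_av_pair(raw: str) -> AvPair:
    """Split a cisco-av-pair into attribute, domain and roles, flagging odd shapes."""
    m = _AV_PAIR.fullmatch(raw.strip())
    if not m:
        raise ValueError(f"not a recognised cisco-av-pair: {raw!r}")
    attr, value = m.group(1), m.group(3)
    pair = AvPair(attribute=attr, domain=None)

    if attr == "shell:domains":
        # Thread example: all/network-admin/  -> domain "all", role "network-admin".
        parts = value.split("/")
        if len(parts) < 2 or not parts[0]:
            pair.warnings.append("shell:domains expects '<domain>/<role>/'")
            return pair
        pair.domain = parts[0]
        # Assumption: further '/'-separated tokens are additional roles.
        pair.roles = [p for p in parts[1:] if p]
        if not value.endswith("/"):
            pair.warnings.append("missing trailing '/' (the thread's example has one)")
    else:
        # shell:role / shell:roles carry a single role name in this thread.
        pair.roles = [value] if value else []
        if not value:
            pair.warnings.append(f"{attr} has an empty value")
    return pair


if __name__ == "__main__":
    for s in ('shell:role="admin"', 'shell:domains=all/network-admin/'):
        print(s, "->", parse_av_pair(s))
```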

Hi John,

I just tested the av-pair you suggested in our TACACS server:

[screenshot: BigDalton_0-1699240941436.png]

This gives no access to either ND or NDFC:

[screenshot: BigDalton_1-1699241009895.png]


Hi,

Could you try testing with the following format?

[screenshot: ndfc.png]

If it still does not work, it would be good to check with a TAC engineer.


Hi John,

When using shell:domains in the config, I can't even select NDFC from the ND dropdown list. But when using shell:roles, at least I can choose either admin for ND or network-admin for NDFC. I'm not sure why shell:domains does not work despite the document saying to use it. It looks like I will have to raise a TAC case to get the answer. Thanks for taking the time to look into this issue for me.