10-15-2023 08:20 PM
According to the configuration guide, the new versions of NDFC and ND have RBAC configured entirely in the ND admin console, and the ND "admin" role is treated as NDFC "network-admin" too. But in my ND 3.0.1 and NDFC 12.1.3 setup, one role does not give access to both ND and NDFC.
If I return the TACACS cisco-av-pair with shell:role="admin", I can access ND but not NDFC. If I change it to shell:role="network-admin", then I can access NDFC but not the ND admin console.
I tried manipulating the attribute value, but had no luck getting it working for both ND and NDFC access. Is the guide wrong, or did I miss something?
10-31-2023 04:08 PM
Hello Mate
I am building an NDFC multisite fabric and need to enable AAA. Seeing that you have done that, I would like to ask some questions about it, if that's okay with you:
1. What documentation did you refer to in order to enable AAA on the NDFC?
2. Did you enable AAA on the switches first and then on the NDFC? If so, what user credentials does NDFC use when it pushes configuration out to the switches?
Regards
Rohan
11-05-2023 07:28 PM
Hi Rohan,
My question is about AAA for the ND/NDFC appliances, not AAA for the managed switches.
I have not checked switch AAA in NDFC yet, but I think that would still be pushed by NDFC to the switch using templates. A local credential is still needed for initial switch discovery and config push.
11-05-2023 07:09 PM
Hi,
Could you please try the TACACS cisco-av-pair "shell:domains=all/network-admin/"?
This will grant ND admin permission, and "all" means the entire NDFC security domain.
If you need to specify a particular security domain, you need to change it accordingly.
Please refer to the following guide for your deployment.
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.
You can also learn more about Cisco NDFC (previously known as DCNM) through our live Ask the Experts (ATXs) sessions. Check out the ATXs Resources [https://community.cisco.com/t5/data-center-and-cloud-knowledge/cisco-aci-ask-the-experts-resources/ta-p/4394491] to view the latest schedule for upcoming sessions, as well as useful references, e.g. online guides and FAQs.
Thanks
11-05-2023 07:23 PM
Hi John,
I just tested the av-pair you suggested on our TACACS server:
This gives no access to either ND or NDFC:
11-05-2023 10:42 PM
Hi,
Could you try testing with the following format?
If it still does not work, it would be good to check with a TAC engineer.
11-06-2023 03:22 PM
Hi John,
When using shell:domains in the config, I can't even select NDFC from the ND dropdown list. But when using shell:roles, at least I can choose either admin for ND or network-admin for NDFC. I'm not sure why shell:domains does not work even though the document says to use it. It looks like I will have to raise a TAC case to get the answer. Thanks for taking the time to look into this issue for me.
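The two attribute forms discussed in this thread, shell:roles="..." and shell:domains=domain/roles/, are easy to get subtly wrong on the TACACS server side (a stray quote, a missing trailing slash, the wrong attribute name), and the appliance gives little feedback beyond "no access". The following is an added example, not code from the thread or from Cisco, that parses a returned cisco-av-pair into its parts so an administrator can check what the server actually sends before testing against ND/NDFC. It assumes the documented three-field layout for shell:domains (domain/write-roles/read-roles, with `|` separating multiple roles and an optional `cisco-av-pair=` or `cisco-av-pair*` prefix as returned by TACACS+); the attribute names and the `all/network-admin/` value come from the thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AvPair:
    """Structured view of one cisco-av-pair value."""
    attribute: str                      # e.g. "shell:roles" or "shell:domains"
    domain: Optional[str] = None        # only set for shell:domains
    write_roles: List[str] = field(default_factory=list)
    read_roles: List[str] = field(default_factory=list)


# TACACS+ returns attributes as name=value (mandatory) or name*value (optional).
_PREFIX = re.compile(r"^cisco-av-pair[=*]", re.IGNORECASE)


def parse_av_pair(raw: str) -> AvPair:
    """Parse a cisco-av-pair string as returned by a TACACS+ server.

    Raises ValueError on malformed input so misconfigurations are reported
    explicitly instead of silently yielding an empty role set.
    """
    text = _PREFIX.sub("", raw.strip())
    if "=" not in text:
        raise ValueError(f"not an attribute=value pair: {raw!r}")
    attr, value = text.split("=", 1)
    attr = attr.strip()
    value = value.strip().strip('"')      # roles are often quoted: shell:roles="admin"

    if attr in ("shell:roles", "shell:role"):
        # Flat role list, comma or whitespace separated; no domain qualifier.
        roles = [r for r in re.split(r"[,\s]+", value) if r]
        if not roles:
            raise ValueError(f"empty role list in {raw!r}")
        return AvPair(attr, None, roles, [])

    if attr == "shell:domains":
        # Assumed layout: <domain>/<write roles>/<read roles>; the trailing
        # slash from the thread ("all/network-admin/") leaves read roles empty.
        parts = value.split("/")
        if len(parts) < 2 or not parts[0]:
            raise ValueError(f"shell:domains needs at least domain/roles: {raw!r}")
        domain = parts[0]
        write = [r for r in parts[1].split("|") if r]
        read = [r for r in parts[2].split("|") if r] if len(parts) > 2 else []
        if not write and not read:
            raise ValueError(f"shell:domains carries no roles: {raw!r}")
        return AvPair(attr, domain, write, read)

    raise ValueError(f"unsupported attribute for ND/NDFC: {attr!r}")


if __name__ == "__main__":
    # Constructed sample values, taken from the forms shown in the thread.
    for sample in ('shell:roles="admin"',
                   'cisco-av-pair=shell:domains=all/network-admin/',
                   'shell:domains=all'):
        try:
            print(sample, "->", parse_av_pair(sample))
        except ValueError as exc:
            print(sample, "-> ERROR:", exc)
```

Run it against the exact string your TACACS server logs for the test user; if the parser reports an error, or the domain and role fields are not what you expected, the server-side attribute is the first thing to fix before opening a case.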