
ACI APIC TACACS Authentication to 2.x ISE

Beginner

From the documentation below, the APIC TACACS or RADIUS Key (I assumed it's called Shared Secret on the 2.x ISE server) "needs to match the configuration on the TACACS server which we will go over later in the ACS and ISE configuration." I see the key is configured on the ISE, under the TACACS section, but I see a blank on the APIC GUI (Admin->AAA->TACACS+ Management->TACACS+ Provider).

I have no issue connecting to the APIC, via CLI and browser. Why is that? I thought the key needs to be matched on both ISE and APIC, based on Cisco documentation.

 

Another question is, can I set the APIC Key and Confirm Key on the APIC (under the TACACS+ Provider section) via REST API, or CLI, as opposed to the APIC GUI? If so, please point me to the Cisco documentation for both API and CLI.

 

Thanks.

Peter

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_ACI-TACACS-config.html

 

 

 

2 Comments
Beginner

Maybe the Key on the APIC GUI is masked out for security reasons? I wonder if there is a way to show it, if it's masked.

 


@pn2020 wrote:

From the documentation below, the APIC TACACS or RADIUS Key (I assumed it's called Shared Secret on the 2.x ISE server) "needs to match the configuration on the TACACS server which we will go over later in the ACS and ISE configuration." I see the key is configured on the ISE, under the TACACS section, but I see a blank on the APIC GUI (Admin->AAA->TACACS+ Management->TACACS+ Provider).

I have no issue connecting to the APIC, via CLI and browser. Why is that? I thought the key needs to be matched on both ISE and APIC, based on Cisco documentation.

 

 

 

 




Beginner

You can run the below command on the APIC and get the CLI commands:

show running-config aaa

 

You can refer to the REST guide to do the same via the API:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/rest_cfg/2_1_x/b_Cisco_APIC_REST_API_Configuration_Guide.pdf

Maybe the key is indeed hidden (similar to how we see * in place of the key in the CLI), but we would need someone from Cisco to confirm.
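
Added example (not part of the thread and not Cisco's own code): one way to set the TACACS+ provider key through the APIC REST API without the key ever appearing in logs or in the script. It assumes the APIC object model's `aaaTacacsPlusProvider` class under `uni/userext/tacacsext` and the `aaaLogin` endpoint; confirm both against the REST guide linked above for your release. The host address, key and the `TACACS_KEY` variable name are constructed.

```python
import json
import os
import ssl
import urllib.request

# Assumed object model: class aaaTacacsPlusProvider, DN uni/userext/tacacsext/...
def provider_payload(host, key, port=49, auth_protocol="pap"):
    """Return (dn, body) for the TACACS+ provider managed object."""
    if not key:
        raise ValueError("refusing to push an empty TACACS+ key")
    dn = f"uni/userext/tacacsext/tacacsplusprovider-{host}"
    attrs = {"dn": dn, "name": host, "key": key,
             "port": str(port), "authProtocol": auth_protocol}
    return dn, {"aaaTacacsPlusProvider": {"attributes": attrs}}

def redacted(body):
    """Copy of the payload that is safe to log: the key is replaced."""
    copy = json.loads(json.dumps(body))
    copy["aaaTacacsPlusProvider"]["attributes"]["key"] = "********"
    return copy

def _post(url, body, cookie=None, ctx=None):
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    if cookie:
        req.add_header("Cookie", f"APIC-cookie={cookie}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def push_provider(apic, user, password, host, key, cafile=None):
    """Log in with aaaLogin, then POST the provider object to its DN."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify the APIC certificate
    login = {"aaaUser": {"attributes": {"name": user, "pwd": password}}}
    reply = _post(f"https://{apic}/api/aaaLogin.json", login, ctx=ctx)
    token = reply["imdata"][0]["aaaLogin"]["attributes"]["token"]
    dn, body = provider_payload(host, key)
    return _post(f"https://{apic}/api/mo/{dn}.json", body, cookie=token, ctx=ctx)

if __name__ == "__main__":
    # Constructed sample values; 192.0.2.10 is a documentation address.
    key = os.environ.get("TACACS_KEY", "constructed-sample-key")
    _, body = provider_payload("192.0.2.10", key)
    print(json.dumps(redacted(body), indent=2))
```

Run stand-alone it only prints the redacted payload; `push_provider` is the part that talks to an APIC and needs a reachable controller and a CA file that validates its certificate.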
