Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new blog
2473
Views
5
Helpful
2
Comments

ACI APIC TACACS Authentication to 2.x ISE

pn2020
Level 1
Level 1
‎06-07-2020 11:33 AM

From the documentation below, APIC tacacs or RADIUS  Key (I assumed it's called Shared Secret on the 2.x ISE server) "needs to match the configuration on the TACACS server which we will go over later in the ACS and ISE configuration.  I see the key is configured on the ISE, under TACACS section, but I see a blank on the APIC GUI (Admin->AAA->TACACS+ Management->TACACS+ Provider).  

 

I have no issue connecting to the APIC, via CLI and browser.  Why is that?  I thought key needs to be matched on both ISE and APIC, basing on Cisco documentaton.

 

Another question is, can I set APIC Key and Confirm Key on the APIC (under TACACS+ Provider section) via REST API, or CLI, as opposed to the APIC GUI?  If so, please point me to Cisco documentations for both API and CLI.  

 

Thanks.

Peter

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_ACI-TACACS-config.html

 

 

 

0 Helpful
2 Comments
pn2020
Level 1
Level 1
‎06-08-2020 08:01 AM
‎06-08-2020 08:01 AM

Maybe the Key on the APIC GUI is masked out for security reason?  I wonder if there is a way to show it, if it's masked.

 

@pn2020 wrote:

From the documentation below, APIC tacacs or RADIUS  Key (I assumed it's called Shared Secret on the 2.x ISE server) "needs to match the configuration on the TACACS server which we will go over later in the ACS and ISE configuration.  I see the key is configured on the ISE, under TACACS section, but I see a blank on the APIC GUI (Admin->AAA->TACACS+ Management->TACACS+ Provider).  

 

I have no issue connecting to the APIC, via CLI and browser.  Why is that?  I thought key needs to be matched on both ISE and APIC, basing on Cisco documentaton.

 

 

 

 



0 Helpful
yogesh2009
Level 1
Level 1
‎06-25-2020 01:11 PM
‎06-25-2020 01:11 PM

You can run below command on apic and get cli commands

show running-config aaa

 

You can refer to rest guide to do the same via api

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/rest_cfg/2_1_x/b_Cisco_APIC_REST_API_Configuration_Guide.pdf

Maybe the key is indeed hidden (similar to how we see * in place of key in cli) but we would need someone from Cisco to confirm

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Popular Articles
Customers Also Viewed These Support Documents