
ACI TACACS

stephendrkw
Participant

Hi, I configured TACACS on my APIC controllers (Admin > AAA) and I can now log in successfully using TACACS on each of my 3 APIC controllers. The problem I have now is that when I SSH from any APIC to a leaf or spine switch, or go directly, I can no longer log in, even with the switch local admin account!

Am I missing a parameter somewhere, specifically in regard to Tenant or Fabric TACACS/Security configuration?

I'm running 4.2(6d) on the entire fabric.


6askorobogatov
Beginner

Assuming your TACACS domain is called TACACS (check in the APIC GUI: admin > AAA > Authentication > Login Domains)

and the leaf IP is 1.2.3.4

# ssh apic#TACACS\\yourusername@1.2.3.4 

For the local ID login

# ssh apic#fallback\\admin@1.2.3.4

Hi, no luck!

Yes, the domain is called TACACS.

I tried both commands, which worked fine from the APIC, but access was denied with both passwords.

So I can log in to the APICs fine with TACACS, but not the leafs or spines.

It should work if your leaf has access to the TACACS server. First check what the APIC is using: System > system settings > APIC connectivity preference

Then verify if the leafs' INB or OOB can get to TACACS.

One more thing: fallback admin should work regardless of TACACS.

Config was INB, changed to OOB, still no luck.

I might open a TAC for this issue.

After checking our ACS Server, AAA authentication is working fine but AAA authorisation is not working... I can only think that a specific av-pair needs to be added to ACS for the ACI leafs and spines. Just don't know what that could be.
