top of page
Writer's pictureMukesh Chanderia

AAA & RBAC ACI

Updated: Apr 25

Default fallback login


APIC GUI: apic:fallback\\admin

APIC CLI: apic#fallback\\admin


Step 1 : Create a TACAS+ Provider Group



2) Create a Login Domain



3) Add Providers as TACAS server in step 1



4) Login with Tacas user account



5) Also set default authentication as TACAS




Troubleshooting the TACAS config issue


1) Verify TACACS Server Reachability from a Leaf Switch


leaf101# iping -V management 1.1.1.1


2) A tcpdump can be performed on the eth0 interface for out-of-band traffic or kpm_inb for in-band traffic.  


fab2-leaf101# tcpdump -i eth0 "host 1.1.1.1"


3) Check config on APIC


apic# show running-config aaa


server 192.168.3.129 priority 1

exit

  aaa authentication login console

exit

  aaa authentication login default

    realm TACACS

group tacas

exit

  aaa authentication login domain fallback

exit

  aaa authentication login domain TACACS

realm TACACS

group tacas-1

exit


apic1# show running-config all TACACS-server host 1.1.1.1



 TACACS-server host "1.1.1.1"


 retries 1


 timeout 5


 port 49


protocol pap


 key ""


 exit



4) Check config on leaf


leaf101# show TACACS-server groups

total number of groups:1

 

following TACACS+ server groups are configured:

     group tacas:

             server: 1.1.1.1 on port 49

             deadtime is 0

 

leaf101# show aaa authentication

         default: group tacas

     console: N/A





leaf101# pwd

/mit/uni/userext/TACACSext/TACACSplusprovider-1.1.1.1

leaf101# cat summary

# TACACS+ Provider

name : 1.1.1.1

authProtocol : pap

childAction :

descr :

dn : uni/userext/TACACSext/TACACSplusprovider- 1.1.1.1

epgDn : uni/tn-mgmt/mgmtp-default/oob-default

key :

lcOwn : resolveOnBehalf

modTs : 2023-11-15T19:57:08.303-04:00

monPolDn : uni/fabric/monfab-default

monitorServer : disabled

monitoringPassword :

monitoringUser : test

operState : operable

ownerKey :

ownerTag :

port : 49

retries : 1

rn : TACACSplusprovider-1.1.1.1

snmpIndex : 1

status :

timeout : 5

uid : 15364

vrfName : management


5) Logs on leaf


leaf101# egrep 1.1.1.1 /var/log/dme/log/nginx.log | more

4852||16-05-16 11:15:13.576-04:00||aaa||DBG4||||Received response from 1.1.1.1 - notifying callback handler (IPv4)||../dme/svc/extXMLApi/src/gen/ifc/app/./ping/lib_ifc_ping.cc||756

4852||16-05-16 11:15:13.576-04:00||aaa||DBG4||||Received update on status of 1.1.1.1 (DN uni/userext/TACACSext/TACACSplusprovider-1.1.1.1) - status is ALIVE||../dme/svc/extXMLApi/src/gen/ifc/app/./pam/PamWorker.cc||1429


leaf101# moquery -c aaaDefaultAuth

Total Objects shown: 1

# aaa.DefaultAuth

childAction :

descr :

dn : uni/userext/authrealm/defaultauth

lcOwn : resolveOnBehalf

modTs : 2023-11-16T11:23:56.288-04:00

name :

ownerKey :

ownerTag :

providerGroup : tacas

realm : TACACS

rn : defaultauth

status :

uid : 0




Tenant Admin can't add or remove switch. Let's a new leaf has to be added than it has to be done by fabric admin.




Roles, Privileges and Security Domains




Users are configured with Roles and that role has some priviledges which are assigned to the user.




So let's say JaneS has been assigned role called "fabric-admin" which has privilege for "fabric-equipment" which has read access to fabric.



Roles are names as per privilege associated with it.




Security Domains


Tags associated with subtrees of the ACI object hierarchy.


Example: domain tag "common" for the default tenant "common".


Only certain objects permit tagging.


all - every object in ACI


"mgmt.." - all fabric infrastructure objects.


RBAC


  1. Security Domain assigned to user admin is all



2. Default security Domains



3. There are Roles which provides various access common is admin , tenant-admin & tenant-ext-admin.



4. RBAC rules.




Now Let's say we want a local user "user1" to grant full access to a tenant "Monu" and also read only access to fabric.


Steps 1: Create Security Domain . To keep things let's create fabric & Monu.



Step 2 : Create RBAC Rules




Note : "Allow Write" has to be marked yes if you want user to make changes as without it user doesn't have "MO"access and won't be able to make changes even with write permission.


Step 3 : Roles we are going to use is admin for both fabric as well as Monu tenanat.


Step 4 : Create user "user1" and assign security domain fabric & Monu (Common is by default)



Here on domain "Monu" admin-write privileges are there but for fabric it's "admin read".


Step 5 : Now log in with "user1"




44 views0 comments

Recent Posts

See All

Comments


bottom of page