AAA & RBAC ACI

Default fallback login

APIC GUI: apic:fallback\\admin

APIC CLI: apic#fallback\\admin

Step 1 : Create a TACAS+ Provider Group

2) Create a Login Domain

3) Add Providers as TACAS server in step 1

4) Login with Tacas user account

5) Also set default authentication as TACAS

Troubleshooting the TACAS config issue

1) Verify TACACS Server Reachability from a Leaf Switch

leaf101# iping -V management 1.1.1.1

2) A tcpdump can be performed on the eth0 interface for out-of-band traffic or kpm_inb for in-band traffic.  

fab2-leaf101# tcpdump -i eth0 "host 1.1.1.1"

3) Check config on APIC

apic# show running-config aaa

server 192.168.3.129 priority 1

exit

  aaa authentication login console

exit

  aaa authentication login default

    realm TACACS

group tacas

exit

  aaa authentication login domain fallback

exit

  aaa authentication login domain TACACS

realm TACACS

group tacas-1

exit

apic1# show running-config all TACACS-server host 1.1.1.1

 TACACS-server host "1.1.1.1"

 retries 1

 timeout 5

 port 49

protocol pap

 key ""

 exit

4) Check config on leaf

leaf101# show TACACS-server groups

total number of groups:1

following TACACS+ server groups are configured:

     group tacas:

             server: 1.1.1.1 on port 49

             deadtime is 0

leaf101# show aaa authentication

         default: group tacas

     console: N/A

leaf101# pwd

/mit/uni/userext/TACACSext/TACACSplusprovider-1.1.1.1

leaf101# cat summary

# TACACS+ Provider

name : 1.1.1.1

authProtocol : pap

childAction :

descr :

dn : uni/userext/TACACSext/TACACSplusprovider- 1.1.1.1

epgDn : uni/tn-mgmt/mgmtp-default/oob-default

key :

lcOwn : resolveOnBehalf

modTs : 2023-11-15T19:57:08.303-04:00

monPolDn : uni/fabric/monfab-default

monitorServer : disabled

monitoringPassword :

monitoringUser : test

operState : operable

ownerKey :

ownerTag :

port : 49

retries : 1

rn : TACACSplusprovider-1.1.1.1

snmpIndex : 1

status :

timeout : 5

uid : 15364

vrfName : management

5) Logs on leaf

leaf101# egrep 1.1.1.1 /var/log/dme/log/nginx.log | more

4852||16-05-16 11:15:13.576-04:00||aaa||DBG4||||Received response from 1.1.1.1 - notifying callback handler (IPv4)||../dme/svc/extXMLApi/src/gen/ifc/app/./ping/lib_ifc_ping.cc||756

4852||16-05-16 11:15:13.576-04:00||aaa||DBG4||||Received update on status of 1.1.1.1 (DN uni/userext/TACACSext/TACACSplusprovider-1.1.1.1) - status is ALIVE||../dme/svc/extXMLApi/src/gen/ifc/app/./pam/PamWorker.cc||1429

leaf101# moquery -c aaaDefaultAuth

Total Objects shown: 1

# aaa.DefaultAuth

childAction :

descr :

dn : uni/userext/authrealm/defaultauth

lcOwn : resolveOnBehalf

modTs : 2023-11-16T11:23:56.288-04:00

name :

ownerKey :

ownerTag :

providerGroup : tacas

realm : TACACS

rn : defaultauth

status :

uid : 0

Tenant Admin can't add or remove switch. Let's a new leaf has to be added than it has to be done by fabric admin.

Roles, Privileges and Security Domains

Users are configured with Roles and that role has some priviledges which are assigned to the user.

So let's say JaneS has been assigned role called "fabric-admin" which has privilege for "fabric-equipment" which has read access to fabric.

Roles are names as per privilege associated with it.

Security Domains

Tags associated with subtrees of the ACI object hierarchy.

Example: domain tag "common" for the default tenant "common".

Only certain objects permit tagging.

all - every object in ACI

"mgmt.." - all fabric infrastructure objects.

How to Integrate NDO with ISE in Cisco ACI

Background:

• NDO (Nexus Dashboard Orchestrator) is used for multi-site orchestration across multiple ACI fabrics.

• ISE (Identity Services Engine) provides identity-based security (authentication, authorization, user-based policies).

• Integrating NDO with ISE allows Dynamic Endpoint Identity information (like user identity, endpoint posture, location) to be shared across multiple ACI sites — enforcing consistent policies.

  
  

High-Level Steps:

1. Prerequisites

• Cisco ISE version 2.6+ or 3.x.

• ACI fabrics running a version that supports ISE integration (usually ACI 4.2+).

• NDO deployed and running (linked to your ACI sites).

• ISE configured with PxGrid and ERS (External RESTful Services) enabled.

• Certificates exchanged between NDO and ISE (because secure communication is mandatory).

  
  

2. Configure ISE (PxGrid and ERS)

On Cisco ISE:

• Enable pxGrid Services:

  • Go to Administration > pxGrid Services and enable pxGrid.

• Enable ERS (External RESTful Services) API access:

  • Go to Administration > Settings > ERS Settings and enable it.

• Create a pxGrid Client (this is where NDO will authenticate).

• Download the pxGrid Node certificate (you'll need this on NDO)

  
  

3. Prepare NDO for Integration

On Nexus Dashboard Orchestrator (NDO):

• Log in to NDO.

• Navigate to:

  • Policies > Infrastructure > ISE Integration (path might slightly vary based on NDO version).

    
    

4. Add ISE Server in NDO

In NDO:

• Click Add > ISE Integration.

• Provide:

  • ISE IP address / FQDN.

  • pxGrid Username and Password (credentials from ISE).

  • Upload ISE pxGrid Certificate.

• Select Sites (ACI Fabrics) where you want to share identity-based policies.

  
  

5. Map Identity Groups to Contracts (Optional but important)

• You can map ISE Endpoint Identity Groups (like "Contractor", "Employee", "BYOD") to ACI EPGs (Endpoint Groups).

• This allows dynamic security enforcement based on identity across sites.

6. Verify Integration

• On NDO, verify that:

  • ISE connection is successful (green status).

  • ISE endpoint identities are getting synchronized.

• On ACI, check that:

  • Identity-based contracts are enforced.

  • Endpoints dynamically move between EPGs based on user or device attributes.

Key Commands (Optional CLI Debugging)

• Check pxGrid service status on ISE:

  show application status ise

• Verify endpoint learning on ACI fabric:

  show endpoint identity all

• Verify NDO to ISE connection (NDO GUI shows it).
  

Note :

• Certificate trust is mandatory — NDO must trust ISE certificates

  
  
  
  

RBAC

1. Security Domain assigned to user admin is all

2. Default security Domains

3. There are Roles which provides various access common is admin , tenant-admin & tenant-ext-admin.

4. RBAC rules.

Now Let's say we want a local user "user1" to grant full access to a tenant "Monu" and also read only access to fabric.

Steps 1: Create Security Domain . To keep things let's create fabric & Monu.

Step 2 : Create RBAC Rules

Note : "Allow Write" has to be marked yes if you want user to make changes as without it user doesn't have "MO"access and won't be able to make changes even with write permission.

Step 3 : Roles we are going to use is admin for both fabric as well as Monu tenanat.

Step 4 : Create user "user1" and assign security domain fabric & Monu (Common is by default)

Here on domain "Monu" admin-write privileges are there but for fabric it's "admin read".

Step 5 : Now log in with "user1"

References :

https://www.cisco.com/c/en/us/td/docs/dcn/nd/2x/user-guide-22/cisco-nexus-dashboard-user-guide-221/administrative.html#_adding_radius_or_tacacs_as_remote_authentication_provider