Default fallback login
APIC GUI: apic:fallback\\admin
APIC CLI: apic#fallback\\admin
Step 1 : Create a TACAS+ Provider Group
2) Create a Login Domain
3) Add Providers as TACAS server in step 1
4) Login with Tacas user account
5) Also set default authentication as TACAS
Troubleshooting the TACAS config issue
1) Verify TACACS Server Reachability from a Leaf Switch
leaf101# iping -V management 1.1.1.1
2) A tcpdump can be performed on the eth0 interface for out-of-band traffic or kpm_inb for in-band traffic.
fab2-leaf101# tcpdump -i eth0 "host 1.1.1.1"
3) Check config on APIC
apic# show running-config aaa
server 192.168.3.129 priority 1
exit
aaa authentication login console
exit
aaa authentication login default
realm TACACS
group tacas
exit
aaa authentication login domain fallback
exit
aaa authentication login domain TACACS
realm TACACS
group tacas-1
exit
apic1# show running-config all TACACS-server host 1.1.1.1
TACACS-server host "1.1.1.1"
retries 1
timeout 5
port 49
protocol pap
key ""
exit
4) Check config on leaf
leaf101# show TACACS-server groups
total number of groups:1
following TACACS+ server groups are configured:
group tacas:
server: 1.1.1.1 on port 49
deadtime is 0
leaf101# show aaa authentication
default: group tacas
console: N/A
leaf101# pwd
/mit/uni/userext/TACACSext/TACACSplusprovider-1.1.1.1
leaf101# cat summary
# TACACS+ Provider
name : 1.1.1.1
authProtocol : pap
childAction :
descr :
dn : uni/userext/TACACSext/TACACSplusprovider- 1.1.1.1
epgDn : uni/tn-mgmt/mgmtp-default/oob-default
key :
lcOwn : resolveOnBehalf
modTs : 2023-11-15T19:57:08.303-04:00
monPolDn : uni/fabric/monfab-default
monitorServer : disabled
monitoringPassword :
monitoringUser : test
operState : operable
ownerKey :
ownerTag :
port : 49
retries : 1
rn : TACACSplusprovider-1.1.1.1
snmpIndex : 1
status :
timeout : 5
uid : 15364
vrfName : management
5) Logs on leaf
leaf101# egrep 1.1.1.1 /var/log/dme/log/nginx.log | more
4852||16-05-16 11:15:13.576-04:00||aaa||DBG4||||Received response from 1.1.1.1 - notifying callback handler (IPv4)||../dme/svc/extXMLApi/src/gen/ifc/app/./ping/lib_ifc_ping.cc||756
4852||16-05-16 11:15:13.576-04:00||aaa||DBG4||||Received update on status of 1.1.1.1 (DN uni/userext/TACACSext/TACACSplusprovider-1.1.1.1) - status is ALIVE||../dme/svc/extXMLApi/src/gen/ifc/app/./pam/PamWorker.cc||1429
leaf101# moquery -c aaaDefaultAuth
Total Objects shown: 1
# aaa.DefaultAuth
childAction :
descr :
dn : uni/userext/authrealm/defaultauth
lcOwn : resolveOnBehalf
modTs : 2023-11-16T11:23:56.288-04:00
name :
ownerKey :
ownerTag :
providerGroup : tacas
realm : TACACS
rn : defaultauth
status :
uid : 0
Tenant Admin can't add or remove switch. Let's a new leaf has to be added than it has to be done by fabric admin.
Roles, Privileges and Security Domains
Users are configured with Roles and that role has some priviledges which are assigned to the user.
So let's say JaneS has been assigned role called "fabric-admin" which has privilege for "fabric-equipment" which has read access to fabric.
Roles are names as per privilege associated with it.
Security Domains
Tags associated with subtrees of the ACI object hierarchy.
Example: domain tag "common" for the default tenant "common".
Only certain objects permit tagging.
all - every object in ACI
"mgmt.." - all fabric infrastructure objects.
RBAC
Security Domain assigned to user admin is all
2. Default security Domains
3. There are Roles which provides various access common is admin , tenant-admin & tenant-ext-admin.
4. RBAC rules.
Now Let's say we want a local user "user1" to grant full access to a tenant "Monu" and also read only access to fabric.
Steps 1: Create Security Domain . To keep things let's create fabric & Monu.
Step 2 : Create RBAC Rules
Note : "Allow Write" has to be marked yes if you want user to make changes as without it user doesn't have "MO"access and won't be able to make changes even with write permission.
Step 3 : Roles we are going to use is admin for both fabric as well as Monu tenanat.
Step 4 : Create user "user1" and assign security domain fabric & Monu (Common is by default)
Here on domain "Monu" admin-write privileges are there but for fabric it's "admin read".
Step 5 : Now log in with "user1"
Comments