27. TACACS Configuration in ACI - Learn Work It


27. TACACS Configuration in ACI
August 2, 2021

TACACS Configuration in ACI

The Cisco Application Centric Infrastructure (ACI) fabric is installed, fabric discovery is complete, the Application Policy Infrastructure Controllers (APICs) are online, and the APIC cluster is formed and healthy. There is in-band/out-of-band connectivity to the APIC controllers and fabric switches, and in-band/out-of-band contracts are configured that allow ICMP and the default TACACS ports, UDP 49 and TCP 49.

The TACACS+ server host name or IP address, port, and key are available, and you can ping your TACACS server from the APICs and fabric switches you are trying to authenticate from.

The APIC management endpoint group is available.

Configuring APIC for TACACS+ Access

Before you begin

• The Cisco Application Centric Infrastructure (ACI) fabric is installed, Application Policy Infrastructure Controllers (APICs) are online, and the APIC cluster is formed and healthy.
• The TACACS+ server host name or IP address, port, and key are available.
• The APIC management endpoint group is available.

Procedure

Step 1: In the APIC, create the TACACS+ Provider.
On the menu bar, choose Admin > AAA.
In the Navigation pane, choose TACACS+ Management > TACACS+ Providers.
In the Work pane, choose Actions > Create TACACS+ Provider.
Specify the TACACS+ host name (or IP address), port, authorization protocol, key, and management endpoint group.

This is where we define all of the TACACS attributes used to connect to the TACACS server:

IP Address: The IP address of the TACACS server, e.g. 172.16.65.29.
Port: The port used to connect to the TACACS server. The TACACS default is port 49.
Authorization Protocol: This needs to match the configuration on the TACACS server, which we will go over later in the ACS and ISE configuration.
Key: This needs to match the configuration on the TACACS server, which we will go over later in the ACS and ISE configuration.
Timeout: The amount of time allowed for a login attempt to occur before giving up (measured in seconds).
Retries: The number of automatic retry login attempts allowed for a single authentication submission.
Management EPG: The management EPG used to connect to the TACACS server. You will want to use the Management EPG which has all the necessary contracts in place.
Server Monitoring: Used to determine if the TACACS server is alive. This option uses a TACACS protocol login to check whether the TACACS server is alive.

The next step is to create the TACACS Provider Group and associate our newly created TACACS Provider. To create the TACACS Provider Group, navigate to the following APIC web GUI path:

Admin -> AAA -> TACACS+ Management -> TACACS+ Provider Groups

Right click TACACS+ Provider Groups and select Create TACACS+ Provider Group.

Step 2: Create the Login Domain for TACACS+.
In the Navigation pane, choose AAA Authentication > Login Domains.
In the Work pane, choose Actions > Create Login Domain.
Specify the login domain name, description, realm, and provider group as appropriate.

Right click Login Domains and select Create Login Domain.

AAA Configuration

Navigate to the following path:

Admin -> AAA -> AAA Authentication

Change the default authentication realm to TACACS and select our newly created TACACS Provider Group. This will enable default TACACS authentication for the APIC GUI and for SSH sessions to the APICs and fabric switches.

Note: Make sure to leave/set the Fallback Check property to false. Setting the Fallback Check property to true may cause local logins to fail.

Look at our APIC login screen to see the reflected changes.
