Configure APIC for Device Administration with ISE and TACACS+

Available Languages

Download Options

  • PDF     (2.6 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (2.7 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.3 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 28, 2023
Document ID:220433

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the procedure to integrate APIC with ISE for administrator users authentication with TACACS+ Protocol.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Application Policy Infrastructure Controller (APIC)
    • Identity Services Engine (ISE)
    • TACACS protocol

    Components Used

    The information in this document is based on these software and hardware versions:

    • APIC version 4.2(7u)
    • ISE version 3.2 Patch 1

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configure

    Network Diagram

    Integration DiagramIntegration Diagram

    Authentication Procedure

    Step 1.Log into the APIC application with Admin User Credentials.

    Step 2. The authentication process triggers and ISE validates the credentials locally or through Active Directory.

    Step 3. Once authentication is successful, ISE sends a permit packet to authorize access to the APIC.

    Step 4. ISE shows a successful authentication live log.

    Note: APIC replicates TACACS+ configuration to leaf switches that are part of the fabric.

    APIC Configuration

    Step 1. Navigate to  Admin > AAA > Authentication > AAA  and choose  + icon in order to create a new login domain.

    APIC Login Admin ConfigurationAPIC login admin configuration

    Step 2. Define a name and realm for the new Login Domain and click + under Providers in order to create a new provider.

    APIC Login AdminAPIC login admin

    APIC TACACS ProviderAPIC TACACS Provider

    Step 3. Define the ISE IP address or hostname, define a shared secret, and choose the management Endpoint Policy Group (EPG). Click  Submit   in order to add TACACS+ Provider to login admin.

    APIC TACACS Provider SettingsAPIC TACACS Provider settings

    Create Login Domain

    TACACS Provider ViewTACACS Provider view

    ISE Configuration

    Step 1. Navigate to  > Administration > Network Resources > Network Device Groups. Create a Network Device Group under All Device Types.

    ISE Network Device GroupsISE Network Device Groups

    Step 2. Navigate to  Administration > Network Resources > Network Devices. Choose Add define APIC Name and IP address, choose APIC under Device Type and TACACS+ checkbox, and define the password used on APIC TACACS+ Provider configuration. Click  Submit.

    ISE Network Devices

    Repeat Step 1. and Step 2. for leaf switches.

    Step 3. Use the instructions on this link in order to Integrate ISE with Active Directory; 

    https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217351-ad-integration-for-cisco-ise-gui-and-cli.html.

    note-icon

    Note: This document includes both Internal users and AD Administrator groups as identity sources, however, the test is performed with the Identity Source of the internal users. The result is the same for AD groups.

    Step 4. (Optional) Navigate to > Administration > Identity Management > Groups. Choose  User Identity Groups and click  Add. Create one group for read only Admin users and Admin users.

    Identity GroupIdentity Group

    Step 5. (Optional) Navigate to > Administration > Identity Management > Identity.  Click Add  and create one  Read Only Admin  user and  Admin  user. Assign each user to each group created in Step 4.

    ISE Identity Management

    Step 6. Navigate to > Administration > Identity Management > Identity Source Sequence. Choose Add, define a name, and choose  AD Join Points  and  Internal Users  Identity Source from the list. Choose  Treat as if the user was not found and proceed to the next store in the sequence under  Advanced Search List Settings and click  Save.

    Identity Source SequenceIdentity Source Sequence

    7. Navigate to ☰ > Work Centers > Device Administration > Policy Elements > Results > Allowed Protocols.  Select Add, define a name and uncheck Allow CHAP and Allow MS-CHAPv1 from Authentication protocol list. Select Save.

    TACACS Allow ProtocolTACACS Allow Protocol

    8. Navigate to > Work Centers > Device Administration > Policy Elements > Results > TACACS Profile. Click  add  and create two profiles based on the attributes on the list under  Raw View. Click  Save.

    • Admin User: cisco-av-pair=shell:domains=all/admin/
    • Read Only Admin User: cisco-av-pair=shell:domains=all//read-all
    note-icon

    Note: In case of space or additional characters, the authorization phase fails.

    TACACS ProfileTACACS Profile

    TACACS Admin and Read Only Admin ProfilesTACACS Admin and ReadOnly Admin Profiles

    Step 9. Navigate to > Work Centers > Device Administration > Device Admin Policy Set . Create a New Policy Set, define a name, and choose the device type APIC  created in Step 1. Choose TACACS Protocol  created in Step 7. as allowed Protocol, and click  Save.

    TACACS Policy SetTACACS Policy Set

    Step 10. Under new Policy Set click the right arrow > and create an authentication policy. Define a name and choose the device IP address as the condition. Then choose the Identity Source Sequence created in Step 6.

    Authentication PolicyAuthentication Policy

    note-icon

    Note: Location or other attributes can be used as an Authentication condition.

    Step 11. Create an Authorization profile for each Admin User type, define a name, and choose an internal user and/or AD user group as the condition. Additional conditions such as APIC can be used. Choose the proper shell profile on each authorization policy and click  Save.

    TACACS Authorization ProfileTACACS Authorization profile

    Verify

    Step 1. Log in on APIC UI with User Admin credentials. Choose the TACACS option from the list.

    APIC LoginAPIC Log in

    Step 2. Verify the access on APIC UI and proper policies are applied on TACACS Live logs.

    APIC Welcome MessageAPIC Welcome message

    Repeat Steps 1 and 2 for Read Only Admin users.

    TACACS+ Live LogsTACACS+ Live Logs

    Troubleshoot

    Step 1. Navigate to > Operations > Troubleshoot > Debug Wizard. Choose TACACS  and click  Debug Nodes.

    Debug Profile ConfigurationDebug Profile Configuration

    Step 2. Choose the node that receives the traffic and click Save.

    Debug Nodes SelectionDebug Nodes Selection

    Step 3. Perform a new test and download the logs under  Operations > Troubleshoot > Download logs  as shown:

    AcsLogs,2023-04-20 22:17:16,866,DEBUG,0x7f93cabc7700,cntx=0004699242,sesn=PAN32/469596415/70,CPMSessionID=1681058810.62.188.2140492Authentication16810588,user=APIC_RWUser,Log_Message=[2023-04-20 22:17:16.862 +00:00 0000060545 5201 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=122, Device IP Address=188.21, DestinationIPAddress=13.89 , DestinationPort=49, UserName=APIC_RWUser, Protocol=Tacacs, NetworkDeviceName=APIC-LAB, Type=Authentication, Action=Login, Privilege-Level=1, Authen-Type=PAP, Service=Login, User=APIC_RWUser, Port=REST, Remote-Address=202.208, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=PAN32/469596415/70, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, SelectedAccessService=TACACS Protocol, SelectedShellProfile=APIC ReadWrite, Profile, IsMachineAuthentication=false, RequestLatency=230, IdentityGroup=User Identity Groups:APIC_RW, Step=13013, Step=15049, Step=15008, Step=15048, Step=15041, Step=15048, Step=22072, Step=15013, Step=24430, Step=24325, Step=24313, Step=24318, Step=24322, Step=24352, Step=24412, Step=15013, Step=24210, Step=24212, Step=22037, Step=15036, Step=15048, Step=15048, Step=13015, SelectedAuthenticationIdentityStores=iselab

    In case debugs do not show authentication and authorization information, validate this:

    1. The Devices Administration service is enabled on the ISE node.
    2. The right ISE IP address has been added to the APIC configuration.
    3. In case a firewall is in the middle, verify port 49 (TACACS) is permitted.

    Revision History

    Revision Publish Date Comments
    1.0
    28-Apr-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Emmanuel Cano Gutierrez
      Cisco Security Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products