This blog post focuses on ACI Role Based Access Control (RBAC) configuration. It demonstrates, step by step, how to configure ACI and ISE (as the TACACS+ provider) for a multi-tenant access control use case: users can only access the tenants they are assigned to, while members of infra-admin have full access to all tenant and infrastructure components. The least-privilege principle is used to restrict access to resources.

Assumptions –
- ACI 5.2 is used to demonstrate the steps.
- ISE 3.1 is used as TACACS+ provider.
- customer1-1 and customer1-2 tenants are created for customer 1.
- customer2-1 tenant is created for customer 2.
- There is one security domain per customer.
- customer-1 security domain includes customer1-1 and customer1-2 tenants and customer-2 security domain includes customer2-1 tenant.
- infra-admin user is a member of infra-admin-group and has all access.
- customer1-admin user is a member of customer1-admin-group and only has admin access to customer 1 tenants.
- customer1-ro user is a member of customer1-ro-group and only has read access to customer 1 tenants.
- customer2-admin user is a member of customer2-admin-group and only has admin access to customer 2 tenant.
- customer2-ro user is a member of customer2-ro-group and only has read access to customer 2 tenant.
Steps to implement the RBAC use case
- ACI – Create security domain
- ACI – Associate tenants with respective security domains
- ACI – Configure TACACS+ provider
- ACI – Create login domain
- ACI – Roles
- ISE – Enable device administration deployment
- ISE – Create device groups and network devices
- ISE – Create users and group
- ISE – Create TACACS+ profile and policies
- Verify
1. Create security domain for customer 1 and customer 2
A security domain is a tag associated with a certain subtree in the ACI MIT object hierarchy. Create two security domains, customer-1 and customer-2, for the customer 1 and customer 2 tenants.
Admin > AAA > Security > Security Domains > Create Security Domain

The Restricted Domain option can be used if there is a need to restrict users to a security domain. Users in a restricted security domain cannot view or modify objects created in other domains.
2. Associate the tenants with the security domains
Tenants > Policy > Security Domains
Associate the customer1-1 and customer1-2 tenants with security domain customer-1, and the customer2-1 tenant with security domain customer-2.

Admin > AAA > Security > Security Domains > {double click the Security Domain Name}


3. Create TACACS+ provider
Terminal Access Controller Access Control System Plus (TACACS+) is one of the remote AAA protocols supported by Cisco ACI for Role Based Access Control (RBAC). TACACS+ uses the Cisco AV pair for required RBAC roles and privileges for users.
Admin > AAA > Authentication > TACACS > Create TACACS+ Provider

4. Create login domain
A login domain defines the authentication domain for a user. Login domains can be set to the Local, LDAP, RADIUS, TACACS+, RSA, DUO Proxy LDAP, DUO Proxy Radius, SAML, or OAuth 2 authentication mechanisms.
Admin > AAA > Authentication > AAA > Policy > Logon Domains > Create Login Domain

5. ACI roles
Admin > AAA > Security > Roles
A role contains a collection of read and/or write privileges to associated objects.
The admin and read-all ACI roles are used to demonstrate the Role Based Access Control (RBAC) use case. Custom roles can be created if the roles on the list don't meet the requirements.

6. Enable device administration deployment
If it's a new ISE deployment, device administration needs to be enabled.
Work Centers > Device Administration > Overview > Deployment > Activate ISE Nodes for Device Administration. Select the TACACS port if the default is not used and save.

7. Create device groups and network devices
Network devices (APICs, Spines and Leafs) are authentication, authorization, and accounting (AAA) clients that send AAA service requests to Cisco ISE. Defining network devices in Cisco ISE enables interactions between Cisco ISE and network devices.
Administration > Network Resources > Network Device Groups > Add for device groups and Administration > Network Resources > Network Devices > Add for network devices.
Add an ACI devices group under the 'All Device Types' root group and add all APICs, Spines and Leafs to the ACI devices group.


8. Create internal users and groups in ISE
User identity groups are defined based on group name, and describe a specific group of users that belong to the same administrative group.
Administration > Identity Management > Groups > User Identity Groups > Add


User identity is like a container that holds information elements about each user, which form network access credentials for this user. Each user’s identity is defined by data that can include username, email address, password, first name, last name, account description, and user group.
Administration > Identity Management > Identities > User Identity Groups > Users > Add


9. Create TACACS+ profile and policies
9.1 TACACS profile
TACACS+ profiles control the initial login session of the device administrator. A session refers to each individual authentication, authorization, or accounting request. A session authorization request to a network device elicits a Cisco ISE response. The response includes a token that is interpreted by the network device, which limits the commands that may be executed during a session. The authorization policy for a device administration access service can contain a single shell profile and multiple command sets.
The Cisco APIC requires that an administrator configure a Cisco AV Pair on an external authentication server and only looks for one AV pair string. The Cisco AV pair specifies the APIC required RBAC roles and privileges for the user. The format for Cisco AV pair is:
shell:domains= ACI_Security_Domain_1/ACI_Write_Role_1|ACI_Write_Role_2|ACI_Write_Role_3/ACI_Read_Role_1|ACI_Read_Role_2,
ACI_Security_Domain_2/ACI_Write_Role_1|ACI_Write_Role_2|ACI_Write_Role_3/ACI_Read_Role_1|ACI_Read_Role_2,
ACI_Security_Domain_3/ACI_Write_Role_1|ACI_Write_Role_2|ACI_Write_Role_3/ACI_Read_Role_1|ACI_Read_Role_2
The / characters separate the security domain, write, and read sections of the string. The | characters separate multiple write or read roles within the same security domain.
Examples: shell:domains=customer-1/admin/ gives admin access to the customer-1 security domain, and shell:domains=customer-1//read-all gives read-only access to the customer-1 security domain.
Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles
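
The AV pair format above is easy to get subtly wrong: a role placed in the write slot of a read-only profile, or an extra security domain, silently widens access. The following is an added example, not part of the original post or of Cisco's tooling, that parses shell:domains strings and checks them against the intended scope of each ISE group before they are entered in a TACACS profile. The function names, the name character set and the two mistaken sample entries are assumptions made for illustration.

```python
import re

# Assumption: conservative character set for domain and role names.
NAME = re.compile(r"^[A-Za-z0-9_.:-]+$")

def parse_av_pair(value):
    """Parse 'shell:domains=dom/w1|w2/r1|r2,...' into {dom: {write, read}}."""
    key, sep, body = value.partition("=")
    if not sep or key.strip() != "shell:domains":
        raise ValueError("AV pair must start with shell:domains=")
    grants = {}
    for entry in body.split(","):
        parts = entry.strip().split("/")
        if len(parts) != 3:  # e.g. 'customer-1/read-all' lost a slash
            raise ValueError(f"expected domain/write/read, got {entry!r}")
        domain = parts[0]
        write = [r for r in parts[1].split("|") if r]
        read = [r for r in parts[2].split("|") if r]
        if not all(NAME.match(n) for n in [domain, *write, *read]):
            raise ValueError(f"invalid name in {entry!r}")
        if domain in grants or not (write or read):
            raise ValueError(f"duplicate or empty grant in {entry!r}")
        grants[domain] = {"write": write, "read": read}
    return grants

def violations(value, allowed_domains, allow_write):
    """Least-privilege findings for one TACACS profile's AV pair."""
    findings = []
    for domain, roles in parse_av_pair(value).items():
        if domain not in allowed_domains:
            findings.append(f"unexpected domain {domain}")
        if roles["write"] and not allow_write:
            findings.append(f"write role {'|'.join(roles['write'])} in {domain}")
    return findings

# Constructed sample: AV pair under review, allowed domains, write allowed?
PROFILES = {
    "customer1-admin-group": ("shell:domains=customer-1/admin/", {"customer-1"}, True),
    "customer1-ro-group": ("shell:domains=customer-1//read-all", {"customer-1"}, False),
    # Constructed mistakes: role in the write slot, and an extra domain.
    "customer2-ro-group": ("shell:domains=customer-2/read-all/", {"customer-2"}, False),
    "customer2-admin-group": ("shell:domains=customer-2/admin/,customer-1/admin/", {"customer-2"}, True),
}

def audit(profiles=PROFILES):
    """Return only the groups whose AV pair exceeds the intended scope."""
    return {g: f for g, (av, doms, w) in profiles.items() if (f := violations(av, doms, w))}

if __name__ == "__main__":
    for group, found in audit().items():
        print(group, "->", found)
```
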


9.2 Create device admin policy sets
The Device Admin Policy Sets window contains the list of policy sets that a Cisco ISE administrator manages to control the authentication and authorization of TACACS+ Device admin users.
The authentication rule table contains a set of rules to select actions required to authenticate a network device.
The authorization rule table contains a set of rules to select the specific authorization results required to implement the authorization model. Each authorization rule consists of one or more conditions that must be matched for the rule to be engaged, and a set of command sets, and/or a shell profile, which are selected to control the authorization process.
Work Centers > Device Administration > Device Admin Policy Sets



The system is now ready for testing, since all configuration steps needed to deploy RBAC on ACI using ISE as a TACACS+ provider are complete.
10. Verify
10.1. ‘infra-admin’ user access verification.

10.2. ‘customer1-admin’ user access verification

10.3. ‘customer1-ro’ user access verification
