ACI fabrics typically rely on external authentication servers such as RADIUS, LDAP, RSA and TACACS+ for secure logins. There are, however, situations in which the primary authentication method becomes unavailable, whether because the external authentication server is down or because of a configuration problem. The ACI fallback login mechanism provides a critical safety net in such scenarios: it allows authorized administrators to access the ACI fabric and troubleshoot the root cause of the login issue.
Configuring the ACI fabric to allow fallback
In the APIC GUI: Admin -> AAA -> Authentication -> AAA -> Policy -> Fallback Domain Availability
There are two configuration options for fallback login availability:
- Always Available: the fallback login is always available, regardless of the reachability of the AAA providers.
- Available only if no providers are reachable via ICMP: the fallback login becomes active only when all AAA providers configured in the Default Authentication Realm are unreachable via ICMP ping.
1. Logging in to the APIC using the Fallback Domain
2. Logging in to ACI switches using the Fallback Domain
ssh apic#fallback\\admin@<switch ip address>
(base) Linux-VM:~ belete$ ssh apic#fallback\\admin@10.10.10.200
Last login: Wed Apr 3 13:45:17 2024 from 10.24.131.196
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2022, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
DC1-LEAF-101#
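Because a fallback-domain login authenticates against the local admin account rather than the external AAA servers, it is worth flagging in login records. The following Python is an added example, not code from the original post or from Cisco: it parses the apic#<domain>\<user> identity format shown above, models the two Fallback Domain Availability options, and flags fallback logins that occur while a provider still answers ICMP. The audit records, the TACACS domain name and the policy labels are constructed for the example.

```python
import re

# Login identity format used on the page: apic#<domain>\<user>.
LOGIN_RE = re.compile(r"^apic#(?P<domain>[^\\]+)\\(?P<user>.+)$")

# The two Fallback Domain Availability settings described above (labels are ours).
ALWAYS = "always"
ONLY_IF_NO_PROVIDER = "only-if-no-provider-reachable"


def parse_login(identity):
    """Split 'apic#fallback\\admin' into ('fallback', 'admin');
    a plain username with no domain prefix returns (None, identity)."""
    m = LOGIN_RE.match(identity)
    if m is None:
        return None, identity
    return m.group("domain"), m.group("user")


def fallback_active(policy, providers_reachable):
    """True when the fallback domain should accept logins under `policy`.
    providers_reachable: ICMP reachability of each provider in the default realm."""
    if policy == ALWAYS:
        return True
    if policy == ONLY_IF_NO_PROVIDER:
        return not any(providers_reachable)
    raise ValueError(f"unknown fallback policy: {policy!r}")


def audit_fallback_logins(logins, policy, providers_reachable):
    """Report every fallback-domain login; mark it unexpected when the policy
    says the fallback domain should not have been active at that time."""
    findings = []
    for ts, identity, src in logins:
        domain, user = parse_login(identity)
        if domain != "fallback":
            continue  # remote-domain or plain local logins are not of interest here
        findings.append({"time": ts, "user": user, "src": src,
                         "unexpected": not fallback_active(policy, providers_reachable)})
    return findings


# Constructed sample records (not real audit data): one remote-domain login,
# one fallback login and one plain local login, while provider 1 still answers ICMP.
SAMPLE_LOGINS = [
    ("2024-04-03T13:40:02", "apic#TACACS\\alice", "10.24.131.10"),
    ("2024-04-03T13:45:17", "apic#fallback\\admin", "10.24.131.196"),
    ("2024-04-03T13:50:44", "bob", "10.24.131.11"),
]
SAMPLE_REACHABILITY = [True, False]  # provider 1 reachable, provider 2 down
```

Run audit_fallback_logins(SAMPLE_LOGINS, ONLY_IF_NO_PROVIDER, SAMPLE_REACHABILITY) to see the single fallback login reported as unexpected; under ALWAYS the same login is reported but not flagged.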