How can I allow read-only user to ssh into ACI Leafs and spine?

sarabsin
Level 1

Hi Experts,

I have 2 questions:

  1. How can I allow a user with the read-all role and read-only privilege to access Leafs and Spine OOB with SSH? Currently, when the user does SSH, the user gets prompted to enter a password but it fails. Do you know if this should be working?
  2. Also, a read-all and read-only user can SSH to APIC and even configure or make changes in APIC. How is this possible? Is there any other role I can assign so the user cannot make changes to APIC?

2 Replies

Andre Leyton
Level 1

For number 1: I found that adding the role admin with readPriv allowed the read-only user to log in via SSH.

Sri Harsha Dasari
Spotlight

While creating the Cisco AV-pair on the authentication server, please use the following:

cisco-av-pair=shell:domains=all/read-all/admin

Only the admin role can SSH into leaf and spine, so we need to have admin under read-only.

Here is how ACI reads the av-pairs:

cisco-av-pair=shell:domains=*/#/$

* -- Define Domains

# -- Define Write privilege roles

$ -- Define read privilege roles

You can define multiple roles or domains, separated by |

shell:domains=all/aaa|admin/aaa|admin

OR

Cisco-avpair = "shell:domains = solar/admin/,common//read-all"

Thanks, Sri.
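As an added illustration (not Cisco's code and not from this thread), here is a small Python parser for the shell:domains format Sri describes above, plus a check that flags the two situations raised in this thread: admin in the write position (the user can change the fabric) and no admin role at all (SSH to leaf/spine fails). The handling of quotes and spaces follows the examples shown and is an assumption.

```python
import re

# Illustrative parser for the "shell:domains=" AV-pair format described in the
# answer above (domain/write-roles/read-roles, roles separated by "|", domain
# entries separated by ","). Written for this thread; not Cisco's own code, and
# the handling of spaces/quotes is an assumption based on the examples shown.


def parse_shell_domains(av_pair: str) -> dict:
    """Return {domain: {"write": set_of_roles, "read": set_of_roles}}."""
    # Accept "cisco-av-pair=shell:domains=..." or a bare "shell:domains=..."
    # string, with optional quotes and spaces as in the examples on this page.
    text = av_pair.replace('"', "").strip()
    match = re.search(r"shell\s*:\s*domains\s*=\s*(.*)$", text)
    if not match:
        raise ValueError("not a shell:domains AV-pair: %r" % av_pair)
    parsed = {}
    for entry in match.group(1).split(","):
        entry = entry.strip()
        if not entry:
            continue
        parts = entry.split("/")
        if len(parts) not in (2, 3):
            raise ValueError("malformed domain entry: %r" % entry)
        write_roles = {r.strip() for r in parts[1].split("|") if r.strip()}
        read_roles = set()
        if len(parts) == 3:
            read_roles = {r.strip() for r in parts[2].split("|") if r.strip()}
        parsed[parts[0].strip()] = {"write": write_roles, "read": read_roles}
    return parsed


def domains_with_write(parsed: dict, role: str) -> list:
    """Domains in which `role` is granted with write privilege."""
    return sorted(d for d, p in parsed.items() if role in p["write"])


def audit_read_only_avpair(av_pair: str) -> list:
    """Warnings for an AV-pair meant for a read-only operator, per this thread:
    admin in the write position can change the fabric; admin absent entirely
    means SSH to leaf/spine fails. admin in the read position is the fix."""
    warnings = []
    for domain, priv in parse_shell_domains(av_pair).items():
        if "admin" in priv["write"]:
            warnings.append("%s: admin has write privilege (can change config)" % domain)
        elif "admin" not in priv["read"]:
            warnings.append("%s: no admin role (switch SSH will fail)" % domain)
    return warnings
```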
