Default Authentication Realm

Information

This setting is the default security method for processing authentication requests. The realm allows the protected resources on the associated server to be partitioned into a set of protection spaces, each with its own authentication and authorization database. The methods can be:
- Local - Uses the local username or password database for authentication.
- RADIUS - Uses the global pool of RADIUS servers for authentication.
- TACACS+ - Uses the global pool of TACACS+ servers for authentication.
- LDAP - Uses the global pool of LDAP servers for authentication.
- RSA - Uses the global pool of RSA servers for authentication.
- SAML - Uses the SAML server for authentication.

The default realm is Local, but can be changed.

Note: If LDAP, RADIUS, or TACACS+ is specified as the default security method and the associated provider group specified in this dialog is not available to provide authentication during a user login, fallback local authentication is not executed by the APIC server unless it is specifically configured to do so.

Solution

Log in to the Cisco APIC Web Console and navigate to 'Admin' -> 'AAA' -> 'Authentication'.

In the 'Default Authentication' section, ensure 'Realm' is not set to 'Local'.

Item Details

Audit Name: Tenable Cisco ACI

Category: ACCESS CONTROL

References: 800-53|AC-6(3)

Plugin: Cisco_ACI

Control ID: 7b04e3fd8734e10bb259a3fe806337e5b697043979b63955bbb4ef6f77fdb111