There are many configuration guides on the Cisco website with details about configuring RADIUS and TACACS+ on a Cisco Firepower Chassis Manager. See this link for the configuration guide for 2.0(1).
In this document, you can read the following comment:
Remote User Role Policy
Controls what happens when a user attempts to log in and the remote authentication provider does not supply a user role with the authentication information:
- Assign Default Role—The user is allowed to log in with a read-only user role.
- No-Login—The user is not allowed to log in to the system, even if the username and password are correct.
But… it’s very hard to find what attributes are needed to assign a user the administrator role.
There are options to integrate L4 – L7 devices, like firewalls or load balancers (Cisco ASA, F5, Citrix Netscaler, etc.), into Cisco ACI. These integrations can be done in managed mode (with a device package) or in unmanaged mode. Both modes are available if you are using Cisco ACI with VMware vCenter integration.
When you are using Cisco ACI with Microsoft Hyper-V, you cannot integrate any L4 – L7 device yet (Q1 2016). The options to integrate these devices are not available if you select an SCVMM domain.
More to come...
Cisco ACI is a great product, which I’ve implemented at some customers already. I’ve seen the product grow in the last year from something “not production ready” to a stable product which can be used in production environments. But like all new products, there are still some limitations around which can be a struggle during implementations. The VMware integration into ACI is done and complete, while the Hyper-V implementation is still pretty new and some features are missing. I’m sure that the Hyper-V implementation will be more complete in the next major ACI release, but at this point in time you need to know about the limitations which are still around.
When upgrading from an IOS version prior to 8.4 to 8.4(4) or 8.4(5), the configuration is converted for the new IOS without any problems. But when you create a new Network Object NAT rule, you get a nasty error:
ERROR: NAT Policy is not downloaded
There’s no solution for this error at this point (January 2013); Cisco TAC told me that the development team is still working on this issue, but it’s hard for them to reproduce this error in their lab.
But... there is a workaround available!
Some time ago a customer wanted a backup solution at one of their offices for the internet and VPN connection towards the datacentre. At both locations they use Cisco ASA 5505 firewalls.
Configuration needed on the Office Firewall