Make sure that the aaaTacacsPlusProviderGroup is configured with the same name as the TACACS login domain.
HTTP POST to https://{{apichost}}/api/node/mo/.xml
<!-- Plain (non-TLS) TACACS+ provider object posted to the APIC. The monitoringUser,
     monitoringPassword and key values shown here look like sample placeholders: the shared
     secret and the monitoring credentials travel in this request body, so substitute real
     values at request time instead of keeping them in scripts or documentation. -->
<aaaTacacsPlusProvider name="server.tacacs.local"
authProtocol="pap"
monitorServer="enabled" monitoringUser="user1" monitoringPassword="mypwd"
port="49" retries="1" key="mykey" timeout="15" />
To configure a login domain for TACACS using the REST API:
HTTP POST to https://{{apichost}}/api/node/mo/.xml
<!-- Creates the TACACS login domain and the provider group it points at. The providerGroup
     attribute on aaaDomainAuth ("Tacacs") must carry the same name as the
     aaaTacacsPlusProviderGroup below; the two objects are bound by that name. -->
<aaaUserEp descr="" dn="uni/userext" name="" pwdStrengthCheck="yes" rn="" status="modified">
<aaaLoginDomain descr="" name="Tacacs" nameAlias="" rn="logindomain-Tacacs" status="created,modified">
<aaaDomainAuth descr="" name="" nameAlias="" providerGroup="Tacacs"
realm="tacacs" rn="domainauth" status="created,modified"/>
</aaaLoginDomain>
<!-- Endpoint-level retries/timeout (5 s here) are separate from the per-provider timeout
     set on aaaTacacsPlusProvider in the earlier example. -->
<aaaTacacsPlusEp descr="" name="" nameAlias="" retries="1" rn="tacacsext" status="created,modified" timeout="5">
<aaaTacacsPlusProviderGroup descr="" name="Tacacs" nameAlias=""
rn="tacacsplusprovidergroup-Tacacs" status="created,modified">
<!-- Each aaaProviderRef presumably references an existing aaaTacacsPlusProvider by name, and
     order presumably sets the sequence in which servers are tried; confirm both against the
     APIC object model before relying on failover behaviour. -->
<aaaProviderRef descr="testing" name="tacacs.server.com" nameAlias="" order="1"
rn="providerref-tacacs.server.com" status="created,modified" />
<aaaProviderRef descr="testing" name="tacacs2.server.com" nameAlias="" order="2"
rn="providerref-tacacs2.server.com" status="created,modified" />
</aaaTacacsPlusProviderGroup>
</aaaTacacsPlusEp>
</aaaUserEp>
To configure a keyring certificate for APIC nodes using the REST API:
HTTP POST https://{{apichost}}/api/node/mo/uni/userext/pkiext/keyring-{{tacacs-tls-keyring}}.xml
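<!-- Keyring holding the client private key and certificate the APIC presents to the TACACS+
     server over TLS. The element is self-closing: it must end with "/>" (the original ended
     with a bare "/pkiKeyRing>", which is not well-formed XML). The key and cert attribute
     values span several lines; an XML parser replaces each newline in an attribute value with
     a space, so confirm that your HTTP client and the APIC accept PEM delivered this way.
     The private key is transmitted in this request body: send it only over the HTTPS endpoint
     shown above and keep the request out of logs and version control. -->
<pkiKeyRing dn="uni/userext/pkiext/keyring-{{tacacs-tls-keyring}}"
tp="tacacs-tls-tp" eccCurve="none" keyType="RSA"
descr="tac client ca" status="created,modified"
key="-----BEGIN PRIVATE KEY-----
..................................
..................................
-----END PRIVATE KEY-----"
cert="-----BEGIN CERTIFICATE-----
..................................
..................................
-----END CERTIFICATE-----"
/>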
To configure a trust point that trusts the TACACS+ provider using the REST API:
HTTP POST https://{{apichost}}/api/node/mo/uni/userext/pkiext/tp-{{tacacs-tls-tp}}.xml
<!-- Trust point carrying the CA chain the APIC uses to trust the TACACS+ server (see the
     step heading above). The name "tacacs-tls-tp" must match the tp attribute on the
     pkiKeyRing created in the previous step and the tp referenced by the TLS provider in the
     next step. certChain is a multi-line attribute value, so the same attribute-normalisation
     caveat as for the keyring applies. -->
<polUni>
<aaaUserEp>
<pkiEp>
<pkiTP dn="uni/userext/pkiext/tp-{{tacacs-tls-tp}}" name="tacacs-tls-tp"
certUsage="WebSvcOrAuth" status="created,modified"
certChain="-----BEGIN CERTIFICATE-----
....................................
....................................
-----END CERTIFICATE-----"/>
</pkiEp>
</aaaUserEp>
</polUni>
To configure TACACS+ provider over TLS using the REST API:
https://{{apic-ip}}/api/node/mo/uni.xml
<?xml version="1.0" encoding="UTF-8"?>
<imdata totalCount="1">
<!-- TLS-enabled TACACS+ provider: enableTLS is set and port 6049 is used instead of the plain
     TACACS+ port 49 of the first example. keyring and tp must name the pkiKeyRing and pkiTP
     created in the two preceding steps. SSLValidationLevel="permissive" presumably relaxes
     validation of the server certificate against that trust point; use the stricter level in
     production so that a server presenting an untrusted certificate is rejected (confirm the
     exact semantics in the APIC object model). key is empty in this example; confirm whether
     your TACACS+ server still expects a shared secret when TLS is in use. -->
<aaaTacacsPlusProvider enableTLS="true" dn="uni/userext/tacacsext/tacacsplusprovider-{{tacacs-tls-providername}}"
SSLValidationLevel="permissive" port="6049" status="created,modified" descr="TLS ISE provider"
keyring="{{tacacs-tls-keyring}}" name="{{tacacs-tls-providername}}" tp="{{tacacs-tls-tp}}"
key="" userdom="all">
<!-- Binds the provider to the default out-of-band management EPG (inferred from the tDn
     path), so TACACS+ traffic is expected to leave via the OOB management network. -->
<aaaRsSecProvToEpg tDn="uni/tn-mgmt/mgmtp-default/oob-default"/>
</aaaTacacsPlusProvider>
</imdata>