TACACS+ Configuration Examples

 

ISE TACACS+ Server

Cisco ISE is a security policy management platform that provides secure access to network resources. Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations.

Given below are steps involved in setting up an ISE TACACS+ server as a remote authentication and authorization system for Avi Vantage.

  • The ISE server is generally configured with external Identity Sources (in this case OpenLDAP).

 

ISE-Authentication-setOpenLDAP

 

 

ISE-OpenLDAP-Settings

 

ISE-OpenLDAP-ConnectionSettings

ISE-OpenLDAP-GroupSearch

 

  • ISE LDAP settings used to fetch LDAP groups in order to use them for Authorization conditions

ISE-OpenLDAP-Groups

  • ISE Authorization conditions added for Users in the AD groups

 

ISE-authrz-compount-conditions

 

 

ISE-authrz-compound-condition

 

  • ISE server should recognize all Avi Vantage Controller cluster nodes as valid Network Devices.

 

ISE-NetworkDeviceProfile-Avi-Vantage

 

ISE-NetworkDevice-Avi-Vantage

 

  • ISE requires shell profiles and TACACS+ profiles configured.

 

ISE-tacacs-profile-shell-profiles

 

ISE-tacacs-profile-shell-profile-RW

 

  • ISE device policy sets default condition updated to assign different shell profiles based on group membership.

 

ISE-device-admin-policy-set-default

 

    • The Avi Vantage TACACS+ auth profile should be configured with the same shared secret that was assigned to the device in ISE. The “service” attribute is generally required to identify and authorize a Vantage user. Authorization attributes from a TACACS+ server can be used to map Avi Vantage users to various roles and tenants.
      In the case of an ACS server, service=avishell is required for user authorization; while in the case of an ISE server, service=avishell is known to cause authorization failure.

    To know more, refer to TACACS+ Authentication

 

TACACS+settings_ISE

 

  • Avi Vantage TACACS+ authorization role and tenant mapping configured to assign different roles based on TACACS+ attribute value

To know more, refer to User Account Roles

TACACS+Tenant_Role_Mapping

 

Shrubbery TAC_PLUS

 

  • TAC_PLUS server is a much simpler alternative to ISE/ACS. This is mostly relevant in development or testing environments. Conceptually, users are assigned to groups and groups have request and response attributes.

 

TACACS+shrubbery-conf

 

TACACS+shrubbery-command

 

  • Avi Vantage TACACS+ auth profile is configured the same way as that for ISE or ACS.

Protocol Ports Used by Avi Vantage for Management Communication