TACACS+ Configuration Examples

ISE TACACS+ Server

Cisco ISE is a security policy management platform that provides secure access to network resources. Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations.

Given below are steps involved in setting up an ISE TACACS+ server as a remote authentication and authorization system for Avi Vantage.

  • The ISE server is generally configured with external identity sources (in this case, OpenLDAP).

ISE-Authentication-setOpenLDAP

ISE-OpenLDAP-Settings

ISE-OpenLDAP-ConnectionSettings

ISE-OpenLDAP-GroupSearch

  • ISE LDAP settings are used to fetch LDAP groups so that they can be referenced in authorization conditions.

ISE-OpenLDAP-Groups

  • ISE authorization conditions are added for users in the AD groups.

ISE-authrz-compount-conditions

ISE-authrz-compound-condition

  • The ISE server should recognize all Avi Vantage Controller cluster nodes as valid Network Devices.

ISE-NetworkDeviceProfile-Avi-Vantage

ISE-NetworkDevice-Avi-Vantage

  • ISE requires shell profiles and TACACS+ profiles to be configured.

ISE-tacacs-profile-shell-profiles

ISE-tacacs-profile-shell-profile-RW

  • The default condition of the ISE device administration policy set is updated to assign different shell profiles based on group membership.

ISE-device-admin-policy-set-default

  • The Avi Vantage TACACS+ auth profile must be configured with the same shared secret that was assigned to the device in ISE. The “service” attribute is generally required for authorization: with an ACS server, service=shell is required for user authorization, while with an ISE server, service=shell is known to cause authorization failure.

TACACS+settings_ISE

  • Avi Vantage TACACS+ authorization role and tenant mapping is configured to assign different roles based on the TACACS+ attribute value.

TACACS+Tenant_Role_Mapping

Shrubbery TAC_PLUS

  • The TAC_PLUS server is a much simpler alternative to ISE/ACS and is mostly relevant in development or testing environments. Conceptually, users are assigned to groups, and groups carry request and response attributes.

TACACS+shrubbery-conf

TACACS+shrubbery-command

  • Avi Vantage TACACS+ auth profile is configured the same way as that for ISE or ACS.
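The group and attribute model described above, written out as an added tac_plus.conf example (this is not the configuration shown in the page's screenshots nor sample code from the tac_plus project). Two groups return different response attributes, and users inherit them through group membership. The attribute name avi-role and its values, the user names, the passwords and the shared secret are all constructed placeholders; substitute the attribute and values your Avi Vantage role/tenant mapping actually keys on.

```conf
# Added example: minimal Shrubbery tac_plus.conf for an Avi Vantage lab.
# Everything below is constructed for illustration.

# Shared secret; must match the secret in the Avi Vantage TACACS+ auth profile.
key = "CHANGE-ME-shared-secret"

# Group for read/write administrators.
group = avi-admins {
    # "service = shell" is the service name the authorization request
    # carries, so the response attributes below are returned for it.
    service = shell {
        # Accept command authorization requests from members of this group.
        default cmd = permit
        # Standard TACACS+ privilege level.
        set priv-lvl = 15
        # Assumed custom attribute consumed by the Avi role mapping.
        set avi-role = "Super-User"
    }
}

# Group for read-only operators; same service, different attribute value.
group = avi-readonly {
    service = shell {
        default cmd = permit
        set priv-lvl = 1
        # Assumed attribute value mapped to a read-only role in Avi.
        set avi-role = "Read-Only"
    }
}

# Users take their request/response attributes from their group.
user = alice {
    member = avi-admins
    # Placeholder credential; cleartext is shown only for lab use.
    login = cleartext "alice-placeholder-password"
}

user = bob {
    member = avi-readonly
    login = cleartext "bob-placeholder-password"
}
```

Because Avi assigns roles from the attribute value in the authorization response, each group needs a distinct value for the same attribute name; the service name in the group must match the one the Avi auth profile sends, which is the same "service" setting whose value differs between ACS and ISE as noted above. The daemon reads the file with `tac_plus -C /path/to/tac_plus.conf`, and `tac_plus -P -C /path/to/tac_plus.conf` parses the file and exits, which is a quick syntax check before restarting the service.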


Updated: 2017-12-18 09:37:50 +0000