This section provides examples of TACACS+ configuration.
ISE TACACS+ Server
Cisco ISE is a security policy management platform that provides secure access to network resources. Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations.
To set up an ISE TACACS+ server as a remote authentication and authorization system for Avi Load Balancer, follow the steps given below:
![](images/GUID-A85BE276-66F5-4076-B79A-BEBD5ED63A66-low.png)
![](images/GUID-7716C30B-64EA-4693-A8A3-30B1CA409866-low.png)
![](images/GUID-3BE8B8B9-BA56-4744-A163-B85B1EFF2CF5-low.png)
- The ISE LDAP settings used to fetch LDAP groups and use them for Authorization conditions are as shown below:
- ISE Authorization conditions added for Users in the AD groups.
- ISE server recognizes all Avi Load Balancer Controller cluster nodes as valid Network Devices.
- Configuring ISE requires shell profiles and TACACS+ profiles.
- ISE device policy sets default condition updated to assign different shell profiles based on group membership.
The Avi Load Balancer TACACS+ auth profile must be configured with the same shared secret that was assigned to the device in ISE. The “service” attribute is generally required to identify and authorize an Avi Load Balancer user. Authorization attributes from a TACACS+ server can be used to map Avi Load Balancer users to various roles and tenants.
With an ACS server, service=avishell is required for user authorization, whereas with an ISE server, service=avishell is known to cause authorization failure.
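The shared-secret and service attribute requirements above, shown at the packet level as an added example (not from the original page and not Avi Load Balancer code): it builds a TACACS+ authorization request carrying service=avishell, obfuscates the body as RFC 8907 specifies, and decodes it with a matching and a non-matching secret. The secret, session id, user name and the single-argument request are constructed values; the exact arguments Avi Load Balancer sends are not shown on this page.

```python
import hashlib
import struct

SECRET = b"lab-shared-secret"   # constructed; stands in for the secret set in ISE/ACS and Avi
SESSION_ID = 0x1A2B3C4D         # constructed session id

def pseudo_pad(session_id, key, length, version=0xC0, seq_no=1):
    """RFC 8907 pad: MD5 chain over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(body, session_id, key):
    """Obfuscate or de-obfuscate a packet body (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_author_request(user, args):
    """Authorization REQUEST body: method TACACS+ (0x06), ASCII login, no port/rem_addr."""
    fixed = bytes([0x06, 1, 1, 1, len(user), 0, 0, len(args)])
    return fixed + bytes(len(a) for a in args) + user + b"".join(args)

def parse_author_request(body):
    """Return (user, args); raise ValueError when the length fields disagree."""
    user_len, port_len, addr_len, arg_cnt = body[4:8]   # ValueError if body < 8 bytes
    arg_lens = body[8:8 + arg_cnt]
    start = 8 + arg_cnt
    total = start + user_len + port_len + addr_len + sum(arg_lens)
    if len(arg_lens) != arg_cnt or total != len(body):
        raise ValueError("inconsistent lengths: wrong shared secret or corrupt packet")
    args, pos = [], start + user_len + port_len + addr_len
    for n in arg_lens:
        args.append(body[pos:pos + n])
        pos += n
    return body[start:start + user_len], args

def server_decode(wire, session_id, key):
    """What a server holding `key` recovers from the wire bytes, or None."""
    try:
        return parse_author_request(xor_body(wire, session_id, key))
    except ValueError:
        return None

def demo():
    wire = xor_body(build_author_request(b"alice", [b"service=avishell"]), SESSION_ID, SECRET)
    return server_decode(wire, SESSION_ID, SECRET), server_decode(wire, SESSION_ID, b"other")
```

The pad provides obfuscation only, with no integrity check, so a secret mismatch surfaces as an unparseable body rather than as an explicit reject.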
![](images/GUID-8284B6F6-B6DE-4D78-AD72-599BA4DF07FE-low.png)
Avi Load Balancer TACACS+ authorization role and tenant mapping configured to assign different roles based on TACACS+ attribute value.
Shrubbery TAC_PLUS
- TAC_PLUS server is a much simpler alternative to ISE/ACS. This is relevant in development or testing environments. Conceptually, users are assigned to groups, and groups have request and response attributes.
The Avi Load Balancer TACACS+ auth profile can be configured in the same way as for an ISE or ACS server.