Avi Load Balancer supports authentication and authorization of Avi Load Balancer users with Terminal Access Controller Access-Control System Plus (TACACS+). TACACS+ is an open-standard protocol that handles authentication, authorization, and accounting.

Creating a TACACS Plus Profile

In Avi Load Balancer, TACACS+ settings are configured in an auth profile. To create a TACACS+ auth profile, complete the following steps.

  1. Navigate to Templates > Security > Auth Profile.

  2. Click Create to view the CREATE AUTH PROFILE screen.

  3. Select the Type as TACACS_PLUS.

  4. Under the TACACS+ tab, click Add to enter the TACACS+ server IP address.

    Note:

    You can add multiple servers. If the first server does not respond, Avi Load Balancer tries the next server; if that server does not respond either, it tries the one after that. Each server is tried once. If all the servers fail or time out, the request fails.

  5. Enter the TACACS+ server Port. By default, the value is 49.

  6. Enter the TACACS+ server shared secret as the Password.

  7. Select the TACACS+ Service type used in all authentication and authorization queries.

  8. Under Authorization Attributes, click Add and enter the set of attribute-value pairs under Name and Value that identify the host. The TACACS+ server configures user-level authorization based on these attributes. For example, Cisco Access Control Servers (ACSs) typically expect the authorization attributes “service” and “protocol” to be populated in order to identify and authorize an Avi Load Balancer user. Authorization attributes returned by a TACACS+ server can be used to map users to various roles and tenants.

  9. If the attribute is required, check Mandatory.

  10. Click Save.

Authentication and Authorization

Authentication and authorization of an Avi Load Balancer user with TACACS+ takes place as follows:

  1. AUTHEN START packet from Avi Load Balancer to the TACACS+ server. It contains:

    • action=login

    • authen_type=ascii

    • service=

    • user=

    • remote_addr=

  2. AUTHEN REPLY packet from the TACACS+ server to Avi Load Balancer. It contains a status of type GETPASS, indicating that a password needs to be supplied for the user, with the message field containing the text “Password.”

  3. AUTHEN CONTINUE packet from Avi Load Balancer to the TACACS+ server. It contains the user message field with the actual password entered by the user.

  4. AUTHEN REPLY packet from the TACACS+ server to Avi Load Balancer. It contains one of the following:

    • SUCCESS status if the password is valid and the user is allowed

    • FAILED status otherwise

  5. AUTHOR START packet from Avi Load Balancer to the TACACS+ server. It contains:

    • The user name of the user

    • The remote address of the user

    • The authorization attribute names and values, and whether or not each is mandatory

    • An authorization attribute string “abc=xyz” that indicates an attribute named “abc” is mandatory and has value “xyz”

    • An authorization attribute string “abc*xyz” that indicates an attribute named “abc” is optional and has value “xyz”

  6. AUTHOR REPLY packet from the TACACS+ server to Avi Load Balancer. It contains one of the following:

    • PASS_ADD or PASS_REPL status, which authorizes the successfully authenticated user, with attribute-value pairs to be added (PASS_ADD) or replaced (PASS_REPL).

    • FAIL status, indicating the user is not authorized.

Encryption

The body of every TACACS+ packet is encrypted, while the 12-byte header is passed in the clear. This encryption is part of the TACACS+ standard and is compatible with all TACACS+ servers. The body is protected with a keystream derived from the shared secret, so the strength of the protection depends on the secrecy and quality of that secret.
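As an added example (not Avi Load Balancer code), the following Python builds the AUTHEN START packet from step 1 above with its clear 12-byte header and the RFC 8907 body obfuscation described under Encryption, decodes a received packet the same way, and encodes and parses the “abc=xyz” / “abc*xyz” authorization attribute strings from step 5. The constants follow RFC 8907; the port string “tty0” and the default arguments are assumed values chosen for illustration.

```python
import hashlib
import struct

# Header and body constants from RFC 8907 (the TACACS+ specification).
VERSION = 0xC0                  # major version 0xC, minor version 0 (ASCII login)
TYPE_AUTHEN, TYPE_AUTHOR = 0x01, 0x02
ACTION_LOGIN, AUTHEN_TYPE_ASCII, SVC_LOGIN, PRIV_LVL_USER = 0x01, 0x01, 0x01, 0x01

def pseudo_pad(session_id, key, seq_no, length, version=VERSION):
    # RFC 8907 s4.5 keystream: MD5_1 = MD5(session_id, key, version, seq_no),
    # MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate.
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, seq_no, version=VERSION):
    # XOR with the keystream; applying it twice restores the plaintext, so replies decode the same way.
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body), version)))

def build_header(pkt_type, seq_no, session_id, body_len):
    # version, type, seq_no, flags, session_id, length: the 12 bytes that travel in the clear.
    return struct.pack("!BBBBII", VERSION, pkt_type, seq_no, 0, session_id, body_len)

def build_authen_start(user, rem_addr, session_id, key, port="tty0"):
    # AUTHEN START body: action=login, priv_lvl, authen_type=ascii, service=login, then user/port/rem_addr.
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, SVC_LOGIN,
                       len(u), len(p), len(r), 0) + u + p + r
    return build_header(TYPE_AUTHEN, 1, session_id, len(body)) + obfuscate(body, session_id, key, 1)

def decode_body(packet, key):
    # Parse the clear header, then de-obfuscate the body using the header's own version and seq_no.
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return pkt_type, seq_no, obfuscate(packet[12:12 + length], session_id, key, seq_no, version)

def encode_author_attr(name, value, mandatory):
    # Mandatory attributes use '=', optional ones '*', matching the Mandatory checkbox in the auth profile.
    return f"{name}{'=' if mandatory else '*'}{value}"

def parse_author_attr(attr):
    # Split on the first '=' or '*' only, so a value containing either character survives intact.
    for i, c in enumerate(attr):
        if c in "=*":
            return attr[:i], attr[i + 1:], c == "="
    raise ValueError(f"malformed authorization attribute {attr!r}")
```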

Error Handling

If an error is indicated in the Status field of any reply packet during this process, the user login is rejected.