TACACS+ Integration ☍
Terminal Access Controller Access-Control System Plus (TACACS+) is a supported protocol for external authentication and authorization in A10 Control. TACACS+ server integration allows A10 Control delegate both authentication and authorization externally. The TACACS+ server validates user credentials, applies role-based authorization, and enforces access policies.
Only Organization Admins have permission to integrate the TACACS+ server with A10 Control.
Prerequisites
Before integrating TACACS+ server with A10 Control, ensure the following:
- TACACS+ Server Setup
- A running TACACS+ server with configuration managed in the
etc/tac_plus.conffile. - TACACS+ server listening on the default port 49 (or a custom port, if configured).
- A running TACACS+ server with configuration managed in the
- Server Configuration
- Define the shared secret password between A10 Control and the TACACS+ server in
tac_plus.conf. - Restart the TACACS+ service after making configuration changes.
- Define the shared secret password between A10 Control and the TACACS+ server in
- User Definition on TACACS+ Server
- Create user entries in
tac_plus.confwith appropriate login credentials. Assign A10 Control–specific attributes to each user with the parameter:
A10-Control-Access-Groups="<provider account>:<access group>|..."- Provider account and access group must be defined.
- Use comma (,) to separate a provider account and its access group.
- Use pipe (|) to separate multiple provider account–access group pairs.
- Create user entries in
- Access Control Mapping
- Ensure that each user is assigned one or more provider accounts with the correct access group permissions.
- Verify privilege level (
priv-lvl) is set to the appropriate value (For example, 15 for admin-level access).
- A10 Control Attribute
- Add the
A10-Control-Access-Groupsattribute in the user configuration block to define access within A10 Control.
- Add the
Configure TACACS+ Server for A10 Control Integration
- Set up and configure the TACACS+ server. For more information, see TACACS+ official documentation.
-
Update the TACACS+ configuration file (
/etc/tac_plus.conf) with the following details:- Listening port and shared secret (typically defined at the beginning of the file).
- User accounts and their associated access group attributes.
TACACS+ Configuration Example
tac_plus.confsnippet:user = user1 { default service = permit name = "user1" login = cleartext password pap = cleartext password service = exec { A10-Control-Access-Groups="root:hc_provider_adminroot|providerB:hc_provider_adminproviderB|P1-Rds:hc_provider_admin-P1-Rds|p5:hc_provider_admin-p5" priv-lvl=15 } }Privilege Levels for TACACS+
The following table lists the TACACS+ privilege levels (
priv-lvl) that match the GUI roles.Table 37 : Privilege Levels for TACACS+ GUI Access Role TACACS+ Privilege Levels ReadWriteAdmin
15
SystemAdmin
14
NetworkAdmin
13
NetworkOperator
12
SlbServiceAdmin
11
SlbServiceOperator
10
ReadOnlyAdmin
0
PartitionReadWrite
9
PartitionNetworkOperator
8
PartitionSlbServiceAdmin
7
PartitionSlbServiceOperator
6
PartitionReadOnly
5
- Restart the TACACS+ service after saving the configuration changes.
Verify and Test TACACS+ Integration
- Ask a TACACS+ server user to log in to the A10 Control portal with correct credentials.
- Verify the user is redirected to the TACACS+ server for authentication.
- If MFA is enabled, confirm that a second-factor challenge is presented.
- After successful login, verify that the user is assigned the correct role by checking either of the following:
- A10 Control home page > Profile icon > User Profile.
- A10 Control home page > Organization > Users > Users tab, where the External User column is marked as Yes.