Overview of Account Management
Overview
A valid account is required for access to Avi Vantage through the GUI, REST API, or CLI. Each user must be assigned a role which grants permissions and access to read or write to various objects within Avi Vantage. Accounts may optionally be restricted to specific tenants, and granted different roles within each tenant.
User accounts are maintained either locally in Avi Vantage or remotely on an external AAA server, where authentication and authorization are performed. Avi Vantage first attempts to validate the account against the local authentication database, then against remote authentication.
For SSH access, the Controller also attempts to authenticate the user against the underlying Linux operating system after failing to find the user in the local or remote authentication databases. Users created in the local or remote authentication databases are not created in Linux and may not have Linux access, with the exception of the admin account.
Note: You can disable local authentication in the Controller if remote authentication (LDAP, TACACS, SAML and so on) is enabled. To do so, set the allow_local_user_login flag to False under SystemConfiguration > AdminAuthConfiguration.
User Authentication
Local User Authentication
- Manage Local User Accounts
- Strong Password Enforcement
- Recover Lost Password
- HTTP Basic Auth for API Queries
Remote User Authentication
- LDAP Authentication
- LDAP Authentication Profile Test
- LDAP Configuration Examples
- TACACS+ Authentication
- TACACS+ Configuration Examples
- Keystone Authentication
- CLI Access and Remote Auth
- SAML Authentication for Single Sign-On
Roles
Tenants
Other
Suggested Reading
Configuring SAML Authentication with Workspace One for Avi Controller