When you have a topology with more than one Director node, you can configure one of the Director nodes to be the central authentication Director node.
This node processes all the authentication requests received by any of the Director nodes. Central authentication is useful when customer branches are geographically dispersed.
You can use the following authentication methods on the central authentication Director node to authenticate users:
- Basic authentication
- Basic external server authentication, such as Active Directory, LDAP, RADIUS, and TACACS+
- OAuth
- OAuth with an external server
- Single sign-on (SSO) from any providers, including Okta, Ping Identity, and Azure AD.
For more information, see https://docs.versa-networks.com/Management_and_Orchestration/Versa_Director/Configuration/Configure_AAA
If you configure an external server to be the default authentication connector, local authentication is disabled, and users can be authenticated for login only by using that external AAA authentication server.
In this example, the 22.1.2 VD acts as the central authentication (CA) server and the 21.2.3 VD acts as the CA client.
Use case 1: Central Authentication with local users
Note: If you set the default connector as Central Authentication only, Provider users are able to log into the CA Client VD.
To use central authentication with local users, no authentication connector configuration is needed on the CA server VD.
Local users in VD1 (CA server)
On CA client:
You will then be able to log in to the CA client with the local user of VD1.
Note: Shell-in-a-box does not work in the client VD when Central Authentication is configured. PR:103408 was raised for this feature, and it will be addressed in 22.2.x.
Use Case 2: TACACS+ configured on VD1, and VD2 configured with Central Authentication only
On VD1:
For Provider Users:
On client VD:
You are able to log in to the client VD GUI with the provider user.
Here, shaffit is the TACACS+ provider user.
Note: Shell-in-a-box does not work in the client VD when Central Authentication is configured. PR:103408 was raised for this feature, and it will be addressed in 22.2.x.
SSH will not work for the TACACS+ provider user on the client VD:
For tenant users
You must first create organization (tenant) users on both the central authentication server and the organization server.
To enable Central Authentication for a tenant on both VDs:
Results:
You are able to log in to both VDs with the same credentials.
On VD1:
On VD2:
Use Case 3: TACACS+ configured on both the CA server (VD1) and the CA client (VD2)
Config on VD1:
Config on VD2:
Results:
In this setup, provider users are able to SSH to the client VD, and Shell-in-a-box also works because the user is a direct TACACS+ user.
For tenant users
Note: Authentication for the tenant user takes place via the central authentication server (VD1), because the authentication server is configured as Central Authentication in the organization config.
In this use case, the extra benefit compared with the previous use case is that you can SSH to the client VD with the TACACS+ user, because the default connector is configured as TACACS+.
For more support
-----------------------
Please reach out to Versa TAC with the configuration screenshots and the following log from the shell:
/var/log/vnms/ncs/vnms-external-auth.log