Deploy the local TACACS+ server container in Microsoft Azure

In this topic, you will learn how to deploy the Portnox™ Cloud local TACACS+ server container in Microsoft Azure using Azure Container Instances.

To deploy the local TACACS+ server Docker container in Azure Container Instances, you must first configure the settings for the local TACACS+ server container and generate its environment variables. To do this, see the following topic: Run the local TACACS+ server in a container.

Read the following important information before you begin:

  • Azure Container Instances are not the only way to deploy the local TACACS+ server container in Azure but it is the easiest way. Other options include Azure Kubernetes, Azure Container Apps, and more. If you choose a different option, please follow relevant Microsoft Azure documentation to deploy your container.

  • In order for the local TACACS+ server container in Azure to be able to communicate with your NAS devices in your local network, you must create a virtual network in Azure and connect it to your local network. Azure offers many ways of achieving this. This topic is beyond the scope of this guide, but you can find useful information in the following Microsoft documentation topics: Create a site-to-site VPN connection in the Azure Portal and Connect an on-premises network to Azure.

  • You cannot place NAS devices behind a NAT because the local TACACS+ server uses the source IP address of the connection, and with a NAT in place, that address would be the same for several NAS devices.

  • If you have multi-factor authentication (MFA) enabled in Azure for your policy, you must allow Portnox Cloud services to bypass MFA by whitelisting the services’ IP addresses. To learn how to do this, see the following topic: Bypass multi-factor authentication in Entra ID.

  • We highly recommend that you create a free Docker Hub account before you begin and use the credentials of that account to pull the Docker image. This is because Docker Hub has limits on the number of anonymous pulls per IP address per hour, and without credentials, you may be unable to pull the image due to those limits being exceeded by others sharing your infrastructure’s external IPs.

Create a virtual network and subnets

In this section, you will create a virtual network with a subnet for local TACACS+ server containers.

You must deploy the local TACACS+ server container to a subnet that is delegated to Container Instances. This subnet cannot contain other resource types. If you already have a subnet that meets this condition, you can skip this step and choose an existing subnet instead. You can also add a subnet to an existing virtual network instead.

  1. Open your Azure Portal dashboard.
  2. In the Azure Services menu, click on the Create a resource icon.

  3. In the Marketplace pane, in the Search the Marketplace field, type virtual network and press the  ↩  key. Then, at the bottom of the Virtual network tile, click on the Create button and select the Virtual network option from the menu.

  4. In the Basics step of the Create virtual network wizard, select the Subscription, Resource group, and Region, and enter a Virtual network name that you want to use for this virtual network. Then, click on the Next button twice to skip to the IP addresses step.

    In this example, we used the network name Containers but you can use any name you like.

  5. In the IP addresses step of the Create virtual network wizard, select the IPv4 address space by entering values in the top fields, and click on the  🗑  icon in the Subnets section to delete the proposed subnet. Then, click on the Review + create button, and after the review is completed, click on the Create button.

    Note: When creating subnets together with the virtual network, you cannot choose the resource type for the subnet. That’s why you should delete the proposed subnet and create subnets later.

    In this example, we entered the address space 10.1.0.0/16 but you can use any address space you like. The default address space proposed by Azure is 10.0.0.0/16, which is why the subnet to be deleted in the screenshot above belongs to that address space.

  6. When deployment is complete, click on the Go to resource button in the notification, or go to the created virtual network from your Azure home screen.
  7. In the left-hand side menu of your virtual network pane, click on the Subnets option.

  8. In the top menu, click on the + Subnet button to create a new subnet.

  9. In the Add subnet pane, configure the IP address range as you prefer, enter a Name for the subnet, and in the SUBNET DELEGATION section, select the Microsoft.ContainerInstance/containerGroups option.

    In this example, we used the subnet name Containers but you can use any name you like.

Create a container instance

In this section, you will deploy the local TACACS+ server Docker container to the virtual network created in the previous step.

  1. In the Azure Services menu, click on the Create a resource icon.

  2. In the Marketplace pane, in the Search the Marketplace field, type container instances and press the  ↩  key. Then, at the bottom of the Container Instances tile, click on the Create button and select the Container Instances option from the menu.

  3. In the Container Instances pane, in the Plan field, select the Container Instances option and click on the Create button.

  4. In the Basics step of the Create container instance wizard, select the Subscription, Resource group, and Region, and enter a Container name that you want to use for this container.

    Note: Make sure that the selected Region is the same one as the one selected for the virtual network created earlier.

    In this example, we used the container name tacacs but you can use any name you like.

  5. In the Image source field, select the Other registry option. In the Image type field, select the Private option. In the Image field, enter portnox/portnox-tacacs. In the Image registry login server field, enter index.docker.io. In the Image registry user name and Image registry password fields, enter your Docker Hub credentials. Then, click on the Next : Networking > button below.

    Note: If you prefer not to use a Docker Hub account, in the Image type field, choose the Public option instead, and you will not have to enter any credentials. However, you may be unable to pull the image at this time due to Docker Hub hourly anonymous pull limits.

  6. In the Networking tab, in the Networking type field, select the Private option. In the Virtual network field, select the virtual network you created earlier, and in the Subnet field, select the subnet delegated to container instances that you created earlier. Then, click on the Next : Advanced > button.

  7. In the Advanced tab, copy and paste the values of the three environment variables that you saved earlier (or copy them directly from Portnox Cloud) into three Key and Value pairs. In the Mark as secure column, select No for TACACS_GATEWAY_ORG_ID and TACACS_GATEWAY_PROFILE, and select Yes for TACACS_GATEWAY_TOKEN. Then, click on the Review + create button, and after the review is completed, click on the Create button.

  8. After the deployment is complete, note down the IP address of the server.

Result: Your local TACACS+ server is active.

You can check its status in Portnox Cloud, in the Settings > Services > LOCAL TACACS+ SERVICE > Local TACACS+ profile section.

Create a private hosted DNS zone

In this section, you will create a DNS zone for your virtual network, which lets you configure your NAS devices to access the local TACACS+ server using a fully-qualified domain name (FQDN) instead of its IP address.

Each time you stop and restart your local TACACS+ server container in Azure, it may be assigned a different IP address on the subnet, which means you would have to reconfigure your NAS devices after every restart. Unfortunately, at this time, Azure does not offer any method to maintain a fixed IP address for the container in its virtual network.

To overcome this problem, you can configure a DNS zone in Azure, assign a private FQDN to the local TACACS+ server, and configure the NAS devices to access this server using this FQDN. This way, if you need to restart the container and get a different IP address, you can just change the IP address in the zone definition instead of having to reconfigure every NAS device.

  1. In the Azure Services menu, click on the Create a resource icon.

  2. In the Marketplace pane, in the Search the Marketplace field, type dns zone and press the  ↩  key. Then, at the bottom of the Private DNS zone tile, click on the Create button and select the Private DNS zone option from the menu.

  3. In the Basics step of the Create Private DNS zone wizard, select the Subscription and Resource group, and enter a Name that you want to use for this private DNS zone. Then, click on the Review + create button, and after the review is completed, click on the Create button.

    In this example, we used the DNS zone name vorlon.private but you can use any name you like.

  4. After deployment is complete, click on the Go to resource button.

  5. In the top menu, click on the + Record set button to create a new record set.

  6. In the Add record set pane, in the Name field, enter the name that you want to use for your local TACACS+ server host. In the Type field, select the A – Address record option. In the IP address field, enter the IP address of your deployed local TACACS+ server container that you noted down in the previous task. Then, click on the OK button below.

    In this example, we used the host name tacacs but you can use any name you like.

    Note: If you didn’t note down the IP address earlier, open a new browser tab and check the address by going to your container instance pane in Azure and noting down the value next to the IP address (Private) field.

  7. In the left-hand side menu of your private DNS zone pane, click on the Virtual network links option.

  8. In the top menu, click on the + Add button to add a new virtual network link.

  9. In the Add virtual network link pane, in the Link name field, enter a name for this link, in the Subscription field, select the subscription, and in the Virtual network field, select your virtual network from the list. Then, click on the OK button below.

    In this example, we used the name tacacs for the link but you can use any name you like.

Result: You can configure your NAS devices in the virtual network to access the local TACACS+ server using its FQDN (in our example, tacacs.vorlon.private) instead of its IP address (in our example, 10.1.0.4). You also need to configure the resolver in the NAS device to use azureprivatedns.net as one of the DNS servers.

If you need to restart the container and the IP address of the local TACACS+ server changes, change the IP address in the record that you created for your hosted zone.
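The three portal procedures above (the virtual network with its delegated subnet, the container instance with its environment variables, and the private DNS zone with its A record and virtual network link) can also be expressed as a single Azure Bicep template, which makes the deployment repeatable and keeps the token out of the portal and of deployment logs. The template below is an added example, not Portnox's or Microsoft's own code. It assumes the names used in the walkthrough (virtual network and subnet Containers, container group tacacs, zone vorlon.private, host tacacs), the address space 10.1.0.0/16 with a 10.1.0.0/24 subnet, and TCP port 49, which is the standard TACACS+ port but is not stated on this page; the CPU and memory requests are placeholders.

```bicep
// Added example, not Portnox's or Microsoft's own code.
// Assumptions: names from the walkthrough (vnet/subnet "Containers",
// container group "tacacs", zone "vorlon.private"); TCP/49 is the standard
// TACACS+ port, which the guide does not state; CPU/memory are placeholders.
param location string = resourceGroup().location
param dockerHubUser string
@secure()
param dockerHubPassword string
param tacacsOrgId string        // TACACS_GATEWAY_ORG_ID from Portnox Cloud
param tacacsProfile string      // TACACS_GATEWAY_PROFILE from Portnox Cloud
@secure()
param tacacsToken string        // TACACS_GATEWAY_TOKEN: never logged or shown in the portal

var zoneName = 'vorlon.private'
var hostName = 'tacacs'

// Virtual network whose only subnet is delegated to Container Instances;
// a delegated subnet cannot hold other resource types.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'Containers'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] }
    subnets: [
      {
        name: 'Containers'
        properties: {
          addressPrefix: '10.1.0.0/24'
          delegations: [
            { name: 'aci', properties: { serviceName: 'Microsoft.ContainerInstance/containerGroups' } }
          ]
        }
      }
    ]
  }
}

// Container group with a private IP only, pulled with Docker Hub credentials
// so the anonymous pull limit does not apply.
resource tacacs 'Microsoft.ContainerInstance/containerGroups@2023-05-01' = {
  name: 'tacacs'
  location: location   // must match the virtual network's region
  properties: {
    osType: 'Linux'
    restartPolicy: 'Always'
    imageRegistryCredentials: [
      { server: 'index.docker.io', username: dockerHubUser, password: dockerHubPassword }
    ]
    subnetIds: [ { id: vnet.properties.subnets[0].id } ]
    ipAddress: { type: 'Private', ports: [ { protocol: 'TCP', port: 49 } ] }
    containers: [
      {
        name: 'tacacs'
        properties: {
          image: 'portnox/portnox-tacacs'
          resources: { requests: { cpu: 1, memoryInGB: 1 } }
          ports: [ { protocol: 'TCP', port: 49 } ]
          environmentVariables: [
            { name: 'TACACS_GATEWAY_ORG_ID', value: tacacsOrgId }
            { name: 'TACACS_GATEWAY_PROFILE', value: tacacsProfile }
            // secureValue is the template form of "Mark as secure: Yes"
            { name: 'TACACS_GATEWAY_TOKEN', secureValue: tacacsToken }
          ]
        }
      }
    ]
  }
}

// Private zone, an A record for the server, and a link to the virtual network.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: zoneName
  location: 'global'
}

// The record reads the container group's private IP at deployment time, so
// re-running the deployment after a restart refreshes it automatically.
resource hostRecord 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
  parent: zone
  name: hostName
  properties: {
    ttl: 300
    aRecords: [ { ipv4Address: tacacs.properties.ipAddress.ip } ]
  }
}

resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'tacacs'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnet.id }
  }
}

output tacacsPrivateIp string = tacacs.properties.ipAddress.ip
output tacacsFqdn string = '${hostName}.${zoneName}'
```

Deploy it into an existing resource group with `az deployment group create -g <resource-group> -f tacacs.bicep -p dockerHubUser=<user> tacacsOrgId=<id> tacacsProfile=<profile>`; the `@secure()` parameters are prompted for and are not echoed. Because the A record is derived from the container group's private IP inside the template, re-running the same deployment after a restart that changed the address updates the record without the manual edit described above.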