The gRPC users can be authenticated using the local user database, RADIUS, or TACACS+.
When using the local user database, the access grpc statement must be included for the user.
For RADIUS, the access grpc statement must be configured in user-template radius_default (and radius use-default-template must be enabled), or the RADIUS server must send the Timetra-Access VSA with a value that includes grpc access.
For TACACS+, the access grpc statement must be configured in user-template tacplus_default (and tacplus use-default-template must be enabled).
User authentication is based on following principles:
Each RPC sent by the gRPC client carries a username and password.
For the first RPC in the gRPC session, the gRPC server tries to authenticate the user using the specified authentication order, such as using the local user database, RADIUS, or TACACS+.
For example, if TACACS+ is first in the authentication order, the gRPC server sends a request to the TACACS+ server to authenticate the gRPC user.
For the subsequent RPCs on that same authenticated gRPC session, the username and password are re-authenticated only if changed.
When no username and password are provided with the RPC, the gRPC server returns an error.
If the RPC user is changed, any active subscriber RPCs on that same gRPC session are terminated by the gRPC server.
If the RPC password is changed, the active gRPC session continues to exist until a different username and password is sent in a subsequent RPC, or the gRPC session is terminated.
Each message is carried over a gRPC session that was previously encrypted; the session is not re-encrypted.
SRĀ OS device authentication is based on the following principles:
The gRPC clients do not share gRPC sessions. Each gRPC client starts a separate gRPC session.
When a gRPC session is established, the gRPC server certificates are verified by the gRPC client to ensure that every gRPC server is authenticated by the gRPC client.
If gRPC is shut down on the gRPC server and a gRPC client is trying to establish a gRPC session, the gRPC client gets an error for every RPC sent.
If gRPC is shut down on the gRPC server and a gRPC session is established, all active RPCs are gracefully terminated and an error is returned for every active RPC.