Infoblox NIOS 7.3.x and Cisco ACS 5.x configuration guidance€¦ ·  · 2016-04-20Of course...

11
1 Infoblox NIOS 7.3.x with Cisco ACS 5.x for TACACS+. Comments: Adam Obszynski <[email protected]> For Cisco ACS 5.x (VM or HW Appliance based) you need to use IE or Safari. Firefox and Chrome tend to not render all policy editor fields on web GUI. Settings on ACS environment can vary between different environments. But ACS admin who uses the system on daily basis will know how to use mentioned here directions and logical dependencies. AUTHENTICATION To simply authenticate users, You need to define GRID Master IP as TACACS+ enabled device and define shared password that will match on both sides – NIOS GM and ACS. In ACS GUI go to Network Resources > Network Devices and AAA Clients and click Create Enter Name and Single IP Address fields. Be sure that TACACS+ is checked and Shared Secret is same as on GM. Don’t forget about GMC.

Transcript of Infoblox NIOS 7.3.x and Cisco ACS 5.x configuration guidance€¦ ·  · 2016-04-20Of course...

Page 1: Infoblox NIOS 7.3.x and Cisco ACS 5.x configuration guidance€¦ ·  · 2016-04-20Of course Infoblox GRID users permissions and group mapping needs to be ... Microsoft Word - Infoblox

1

InfobloxNIOS7.3.xwithCiscoACS5.xforTACACS+.Comments:AdamObszynski<[email protected]>ForCiscoACS5.x(VMorHWAppliancebased)youneedtouseIEorSafari.FirefoxandChrometendtonotrenderallpolicyeditorfieldsonwebGUI.SettingsonACSenvironmentcanvarybetweendifferentenvironments.ButACSadminwhousesthesystemondailybasiswillknowhowtousementionedheredirectionsandlogicaldependencies.

AUTHENTICATIONTosimplyauthenticateusers,YouneedtodefineGRIDMasterIPasTACACS+enableddeviceanddefinesharedpasswordthatwillmatchonbothsides–NIOSGMandACS.InACSGUIgotoNetworkResources>NetworkDevicesandAAAClientsandclickCreateEnterNameandSingleIPAddressfields.BesurethatTACACS+ischeckedandSharedSecretissameasonGM.Don’tforgetaboutGMC.

Page 2: Infoblox NIOS 7.3.x and Cisco ACS 5.x configuration guidance€¦ ·  · 2016-04-20Of course Infoblox GRID users permissions and group mapping needs to be ... Microsoft Word - Infoblox

2

GotoGridMasterAdministration->AuthenticationServerGroups->TACACS+Services,clickADD(+).

FillIPAddressandSharedSecretfields.Remembertouse“Add”buttoninthemiddle/rightofthescreen.Thenyoushouldgetwindowlikethis:

Save&Closethen.

Page 3: Infoblox NIOS 7.3.x and Cisco ACS 5.x configuration guidance€¦ ·  · 2016-04-20Of course Infoblox GRID users permissions and group mapping needs to be ... Microsoft Word - Infoblox

3

Thenyouneedtofollowdocumentedpath(AdminGuide)anddefineTACACS+usageforusersauthentication.TodoitGotoAdministration->Administrators->AuthenticationPolicy,selectdefinedalreadyTACACS+servicepoint.RememberaboutAddbutton.

Finally,youneedTACACS+tobethefirstchoice.Selectanduserarrowontheleftside:

REDLIGHT!IfyouhavedefaultACSsettings(defaultinstallation)orifyouuseddefaultNIOSsettingsforTACACS+serverdefinition(AuthenticationType==CHAP)YouneedtoenableCHAPonACSsideORdoachangeonNIOSside.ACSsupportsbydefaultASCIIandPAPonly.IwouldrecommendtouseCHAPasaminimum...SoinACSyouneedtoenableCHAP:GotoAccessPolicies>AccessServices>DefaultNetworkAccess>AllowedProtocolsandputcheckboxnexttoAllowCHAP:

Page 4: Infoblox NIOS 7.3.x and Cisco ACS 5.x configuration guidance€¦ ·  · 2016-04-20Of course Infoblox GRID users permissions and group mapping needs to be ... Microsoft Word - Infoblox

4

Submit.IfthisisdefaultACSinstallyouneedtoadduserfirstJ.InACSgotoUsersandIdentityStores>InternalIdentityStores>UsersclickCreateanddefineuser/password:

FortestproposesopendifferentwebbrowserorprivatewindowsessiontoyourGMandloginbyusingnewlycreateduser.OnscreenabovescreenmentionalamakotauserbutIuseduser4acsinsystemandalamakotaisforscreencaptureonly:-).Trytologinbyusingnewlycreateduser.PleasealsoobserveNIOS/GMsyslog.

ErrorlikethistypicallymeansthatthereisnoconnectivitytoyourACSfromGMoryoudon’thaveCHAPenabledinACSJ

Page 5: Infoblox NIOS 7.3.x and Cisco ACS 5.x configuration guidance€¦ ·  · 2016-04-20Of course Infoblox GRID users permissions and group mapping needs to be ... Microsoft Word - Infoblox

5

CorrectauthenticationcanbecheckedinAuditLog.

FirstoneisrelatedtobadlyconfiguredACS.LastlineiscorrectoneafterCHAPwasenabled.(verybasiccasewithdefaultACSinstallmentionedearlier).YELLOWLIGHT!OfcourseInfobloxGRIDuserspermissionsandgroupmappingneedstobedefined.TheAuthenticationonlycasewasdonejustfortestswithverylazydefinitionwhenlastresortauthentication(incaseofnothingmatchedfirst)givesadmin-groupwhichisBADthingforLABuseONLY.ItwassetinthebottomofAuthenticationPolicypageinAdministration/AdministratorsmenuofGM.

PLEASEDONOTUSEthisinPRODUCTION.UseAuthorizationwhichcomesnext!:-)andminimumornonerightsifnotsinglegroupismatched.

AUTHORIZATIONRemotegroupcalledgroup-acsiscreatedonNIOStoauthorizeuserintogroupwithlimitedrights.

Page 6: Infoblox NIOS 7.3.x and Cisco ACS 5.x configuration guidance€¦ ·  · 2016-04-20Of course Infoblox GRID users permissions and group mapping needs to be ... Microsoft Word - Infoblox

6

NowtimeforACSside.GotoPolicyElements>AuthorizationandPermissions>DeviceAdministration>ShellProfiles,thenCreateInGeneral/Nameenterprofilenameie.“infoblox”.

TheninCustomerAttributestabdefineattributethatwilldefinegroupmapping.InmyexamplethereisstaticdefinitionthatmapsgroupnamecreatedonNIOS/GM(group-acs).WhenACSisusingexternalMSActiveDirectoryyoucanuseDynamicsettingsforAttributeValuetouseGroupfromADstructure.ThemostimportantcaseisAttributenameinneedstobealllowercase:infoblox-admin-groupSamplescreenwithstaticgroupdefinition:

Page 7: Infoblox NIOS 7.3.x and Cisco ACS 5.x configuration guidance€¦ ·  · 2016-04-20Of course Infoblox GRID users permissions and group mapping needs to be ... Microsoft Word - Infoblox

7

Pleaseremembertoaddvaluebyclicking“Add/\”button,thenSave.Finalview:

Fromthatpointsettingmaybedifferentforeachcustomer.DataprovidedbelowisfromsimplifiedLABenvironment.FornextfewstepswithACSFirefoxbrowserwillnoworkcorrectly!!!GotoAccessPolicies>AccessServices>ServiceSelectionRulesSelectSinglecheckboxandselectDefaultDeviceAdminfromdropdownmenu.

Page 8: Infoblox NIOS 7.3.x and Cisco ACS 5.x configuration guidance€¦ ·  · 2016-04-20Of course Infoblox GRID users permissions and group mapping needs to be ... Microsoft Word - Infoblox

8

ChangingtoSingleresultselectioncanbreakyourACSpolicesifthisisproductionsystem.PleaseaskACSadminforhelpwithpolices.AsresultwewanttosendspecificgrouptoNIOSauthorization.NothingmoreJ.ThiscanbeverysimplyscenariofromLABlikeonourscreensoritcanbeadvancedmultilevelgroupmatchingetc.Yourmileagemayvary.

Save.GotoAccessPolicies>AccessServices>DefaultDeviceAdmin>AuthorizationClick“CUSTOMIZE”(bottomright)buttonandcheck/addDeviceIPAddressandShellProfileareavailableforselection.ClosewindowsbyusingOKbutton.

Page 9: Infoblox NIOS 7.3.x and Cisco ACS 5.x configuration guidance€¦ ·  · 2016-04-20Of course Infoblox GRID users permissions and group mapping needs to be ... Microsoft Word - Infoblox

9

ThenclickCreate/Save.WARNING:InunsupportedbrowserCreatebuttonwillbegreyedout!FormeWindows-IEandMAC-Safariworkedfine.Firefox&Chromedidn’t.UnderGeneral,namethenewruleie.InfobloxGMandensurethatitisenabled.UnderConditions,selectthecheckboxnexttoDeviceIPAddress,andtypetheIPaddressoftheInfobloxGMappliance(inmycase192.168.0.73)UnderResults,clicktheSelectbutton,locatednexttotheShellProfilefield,andselectoneyoucreatedearlier(inmycaseinfoblox),andclickOK.ClickOKtoclosethewindow.

ClickSaveChanges,locatedatthebottomofthepage.

InmeantimecheckthatyouhavecorrectInfobloxGMgroupmappingswithusingsamegroupnameinNIOSasitisdefinedinACS(orfinallyADetc.).

Page 10: Infoblox NIOS 7.3.x and Cisco ACS 5.x configuration guidance€¦ ·  · 2016-04-20Of course Infoblox GRID users permissions and group mapping needs to be ... Microsoft Word - Infoblox

10

OnACSyoucancheckifACSauth.worksinMonitoringandReportsmenu.ThenonDashboardofViewerwindowlookfor“Authentications-TACACS–Today”Report.TogetdetailsaboutwhatAuthorizationdatawassenttoInfobloxGMyouneedtoexpandtreeviewReports->Catalog->AAAProtocolandselectTACACS_Authorizationreport.Intherightupperpartofusersessionyouwillseeresultwithmapping:

FinallytimetotestitonNIOSGM.

Page 11: Infoblox NIOS 7.3.x and Cisco ACS 5.x configuration guidance€¦ ·  · 2016-04-20Of course Infoblox GRID users permissions and group mapping needs to be ... Microsoft Word - Infoblox

11

WellDONE!Errors.ThiserrorinAuditLogmeansthereisnocorrectgroupnameorattributenamepassedfromACStoNIOS:

Whattodo?CheckNIOSGroupname.CheckInfobloxAVattributenameonACS–needstobeinfoblox-admin-groupalllowercase.CheckonACSMonitoring(AAAProtocols/AAAAuthorization)->Details.WhatattributenameandattributevalewassenttoNIOS.DuringpreparationofthisdocumentIfindmyself3errorsYoushouldbeawareof:#1infoblox-admin-groupAVnameonACSwaschangedbyspellcheckertoInfoblox-admin-group–firstletterCAPITAL…#2Groupnamewasshortedbyonecharacter.group-acinsteadofgroup-acs.SoinACSwhenenteringgroupnameinVALUEfieldpleaseDON’TdoENTER/newlineoryouwillhaveaproblems:-)#3IfyouuseTESTbuttoninNIOSyoucanfindthenerrorsinSysloggeneratedbytestprocedure:

ThisisnormalbehaviorfortestbuttonJ


F5 and Infoblox DNS Integrated Architecture · F5 and Infoblox DNS Integrated Architecture F5 and Infoblox DNS Integrated Architecture White Paper • • • • • • • •

F5 and Infoblox DNS Integrated Architecture · F5 and Infoblox DNS Integrated Architecture F5 and Infoblox DNS Integrated Architecture White Paper • • • • • • • •

Infoblox appliances

Infoblox appliances

DANONE - Infoblox

DANONE - Infoblox

DEPLOYMENT GUIDE Infoblox Network Insight Integration with Cisco · PDF fileDEPLOYMENT GUIDE Infoblox Network Insight Integration ... Infoblox Network Insight Integration with Cisco

DEPLOYMENT GUIDE Infoblox Network Insight Integration with Cisco · PDF fileDEPLOYMENT GUIDE Infoblox Network Insight Integration ... Infoblox Network Insight Integration with Cisco

Infoblox + Riverbed®

Infoblox + Riverbed®

Infoblox API Guide - Managing Infoblox vNIOS for Microsoft ... · Infoblox API Guide – Managing Infoblox vNIOS for Microsoft Azure March 2017 Page4 15 The Custom Deployment Use

Infoblox API Guide - Managing Infoblox vNIOS for Microsoft ... · Infoblox API Guide – Managing Infoblox vNIOS for Microsoft Azure March 2017 Page4 15 The Custom Deployment Use

Infoblox DDI Appliances

Infoblox DDI Appliances

20OF%20INTEREST.pdf OF...

20OF%20INTEREST.pdf OF...

INSTALLATION RUNBOOK FOR Infoblox vNIOS… · INSTALLATION RUNBOOK FOR Infoblox vNIOS ... secure, easy-to-deploy, and ... Infoblox delivers a fully integrated and robust DNS, DHCP,

INSTALLATION RUNBOOK FOR Infoblox vNIOS… · INSTALLATION RUNBOOK FOR Infoblox vNIOS ... secure, easy-to-deploy, and ... Infoblox delivers a fully integrated and robust DNS, DHCP,

Infoblox Installation Guide

Infoblox Installation Guide

Infoblox Installation Guide - Home - Infoblox Experts … Infoblox Installation Guide Document Overview This guide introduces the Infoblox vNIOS virtual appliance for Citrix XenServer

Infoblox Installation Guide - Home - Infoblox Experts … Infoblox Installation Guide Document Overview This guide introduces the Infoblox vNIOS virtual appliance for Citrix XenServer

INFOBLOX DNS THREAT NDE I X...QUARTERLY REPORT 2015 INFOBLOX DNS THREAT NDE I X. EXECUTIVE SUMMARY ... After dipping in Q3 2015, the threat index rebounded in Q4 2015 to 128—near

INFOBLOX DNS THREAT NDE I X...QUARTERLY REPORT 2015 INFOBLOX DNS THREAT NDE I X. EXECUTIVE SUMMARY ... After dipping in Q3 2015, the threat index rebounded in Q4 2015 to 128—near

© 2011 Infoblox Inc. All Rights Reserved. IF-MAP and GENI Richard Kagan – Infoblox.

© 2011 Infoblox Inc. All Rights Reserved. IF-MAP and GENI Richard Kagan – Infoblox.

Infoblox Administrator Guidedloads.infoblox.com/...//NIOS/NIOS_AdminGuide_5.1r5.pdf · 2012-11-26 · Infoblox Administrator Guide NIOS 5.1 for Infoblox Core Network Services AppliancesFile

Infoblox Administrator Guidedloads.infoblox.com/...//NIOS/NIOS_AdminGuide_5.1r5.pdf · 2012-11-26 · Infoblox Administrator Guide NIOS 5.1 for Infoblox Core Network Services AppliancesFile

DEPLOYMENT GUIDE Infoblox Cloud Platform and Cloud … · Infoblox Cloud Platform and Cloud Network Automation ... DEPLOYMENT GUIDE Infoblox Cloud Platform and Cloud ... Infoblox

DEPLOYMENT GUIDE Infoblox Cloud Platform and Cloud … · Infoblox Cloud Platform and Cloud Network Automation ... DEPLOYMENT GUIDE Infoblox Cloud Platform and Cloud ... Infoblox

Infoblox Deployment Guide - Implementing Infoblox TIDE ... · DEPLOYMENT GUIDE Implementing Infoblox TIDE ... Dynamic List’ section in the PAN OS ... Infoblox Deployment Guide -

Infoblox Deployment Guide - Implementing Infoblox TIDE ... · DEPLOYMENT GUIDE Implementing Infoblox TIDE ... Dynamic List’ section in the PAN OS ... Infoblox Deployment Guide -

Infoblox User Guide

Infoblox User Guide

Wp ipam infoblox

Wp ipam infoblox

Infoblox Trinzic Appliances with NIOS v8.2.6 Security Target Applianc… · Infoblox Trinzic Appliances, Infoblox Trinzic or the TOE. ... the tamper evident label must be affixed

Infoblox Trinzic Appliances with NIOS v8.2.6 Security Target Applianc… · Infoblox Trinzic Appliances, Infoblox Trinzic or the TOE. ... the tamper evident label must be affixed

Infoblox _ Bro

Infoblox _ Bro