1

InfobloxNIOS7.3.xwithCiscoACS5.xforTACACS+.Comments:AdamObszynski<aobszynski@infoblox.com>ForCiscoACS5.x(VMorHWAppliancebased)youneedtouseIEorSafari.FirefoxandChrometendtonotrenderallpolicyeditorfieldsonwebGUI.SettingsonACSenvironmentcanvarybetweendifferentenvironments.ButACSadminwhousesthesystemondailybasiswillknowhowtousementionedheredirectionsandlogicaldependencies.

AUTHENTICATIONTosimplyauthenticateusers,YouneedtodefineGRIDMasterIPasTACACS+enableddeviceanddefinesharedpasswordthatwillmatchonbothsides–NIOSGMandACS.InACSGUIgotoNetworkResources>NetworkDevicesandAAAClientsandclickCreateEnterNameandSingleIPAddressfields.BesurethatTACACS+ischeckedandSharedSecretissameasonGM.Don’tforgetaboutGMC.

2

GotoGridMasterAdministration->AuthenticationServerGroups->TACACS+Services,clickADD(+).

FillIPAddressandSharedSecretfields.Remembertouse“Add”buttoninthemiddle/rightofthescreen.Thenyoushouldgetwindowlikethis:

Save&Closethen.

3

Thenyouneedtofollowdocumentedpath(AdminGuide)anddefineTACACS+usageforusersauthentication.TodoitGotoAdministration->Administrators->AuthenticationPolicy,selectdefinedalreadyTACACS+servicepoint.RememberaboutAddbutton.

Finally,youneedTACACS+tobethefirstchoice.Selectanduserarrowontheleftside:

REDLIGHT!IfyouhavedefaultACSsettings(defaultinstallation)orifyouuseddefaultNIOSsettingsforTACACS+serverdefinition(AuthenticationType==CHAP)YouneedtoenableCHAPonACSsideORdoachangeonNIOSside.ACSsupportsbydefaultASCIIandPAPonly.IwouldrecommendtouseCHAPasaminimum...SoinACSyouneedtoenableCHAP:GotoAccessPolicies>AccessServices>DefaultNetworkAccess>AllowedProtocolsandputcheckboxnexttoAllowCHAP:

4

Submit.IfthisisdefaultACSinstallyouneedtoadduserfirstJ.InACSgotoUsersandIdentityStores>InternalIdentityStores>UsersclickCreateanddefineuser/password:

FortestproposesopendifferentwebbrowserorprivatewindowsessiontoyourGMandloginbyusingnewlycreateduser.OnscreenabovescreenmentionalamakotauserbutIuseduser4acsinsystemandalamakotaisforscreencaptureonly:-).Trytologinbyusingnewlycreateduser.PleasealsoobserveNIOS/GMsyslog.

ErrorlikethistypicallymeansthatthereisnoconnectivitytoyourACSfromGMoryoudon’thaveCHAPenabledinACSJ

5

CorrectauthenticationcanbecheckedinAuditLog.

FirstoneisrelatedtobadlyconfiguredACS.LastlineiscorrectoneafterCHAPwasenabled.(verybasiccasewithdefaultACSinstallmentionedearlier).YELLOWLIGHT!OfcourseInfobloxGRIDuserspermissionsandgroupmappingneedstobedefined.TheAuthenticationonlycasewasdonejustfortestswithverylazydefinitionwhenlastresortauthentication(incaseofnothingmatchedfirst)givesadmin-groupwhichisBADthingforLABuseONLY.ItwassetinthebottomofAuthenticationPolicypageinAdministration/AdministratorsmenuofGM.

PLEASEDONOTUSEthisinPRODUCTION.UseAuthorizationwhichcomesnext!:-)andminimumornonerightsifnotsinglegroupismatched.

AUTHORIZATIONRemotegroupcalledgroup-acsiscreatedonNIOStoauthorizeuserintogroupwithlimitedrights.

6

NowtimeforACSside.GotoPolicyElements>AuthorizationandPermissions>DeviceAdministration>ShellProfiles,thenCreateInGeneral/Nameenterprofilenameie.“infoblox”.

TheninCustomerAttributestabdefineattributethatwilldefinegroupmapping.InmyexamplethereisstaticdefinitionthatmapsgroupnamecreatedonNIOS/GM(group-acs).WhenACSisusingexternalMSActiveDirectoryyoucanuseDynamicsettingsforAttributeValuetouseGroupfromADstructure.ThemostimportantcaseisAttributenameinneedstobealllowercase:infoblox-admin-groupSamplescreenwithstaticgroupdefinition:

7

Pleaseremembertoaddvaluebyclicking“Add/\”button,thenSave.Finalview:

Fromthatpointsettingmaybedifferentforeachcustomer.DataprovidedbelowisfromsimplifiedLABenvironment.FornextfewstepswithACSFirefoxbrowserwillnoworkcorrectly!!!GotoAccessPolicies>AccessServices>ServiceSelectionRulesSelectSinglecheckboxandselectDefaultDeviceAdminfromdropdownmenu.

8

ChangingtoSingleresultselectioncanbreakyourACSpolicesifthisisproductionsystem.PleaseaskACSadminforhelpwithpolices.AsresultwewanttosendspecificgrouptoNIOSauthorization.NothingmoreJ.ThiscanbeverysimplyscenariofromLABlikeonourscreensoritcanbeadvancedmultilevelgroupmatchingetc.Yourmileagemayvary.

Save.GotoAccessPolicies>AccessServices>DefaultDeviceAdmin>AuthorizationClick“CUSTOMIZE”(bottomright)buttonandcheck/addDeviceIPAddressandShellProfileareavailableforselection.ClosewindowsbyusingOKbutton.

9

ThenclickCreate/Save.WARNING:InunsupportedbrowserCreatebuttonwillbegreyedout!FormeWindows-IEandMAC-Safariworkedfine.Firefox&Chromedidn’t.UnderGeneral,namethenewruleie.InfobloxGMandensurethatitisenabled.UnderConditions,selectthecheckboxnexttoDeviceIPAddress,andtypetheIPaddressoftheInfobloxGMappliance(inmycase192.168.0.73)UnderResults,clicktheSelectbutton,locatednexttotheShellProfilefield,andselectoneyoucreatedearlier(inmycaseinfoblox),andclickOK.ClickOKtoclosethewindow.

ClickSaveChanges,locatedatthebottomofthepage.

InmeantimecheckthatyouhavecorrectInfobloxGMgroupmappingswithusingsamegroupnameinNIOSasitisdefinedinACS(orfinallyADetc.).

10

OnACSyoucancheckifACSauth.worksinMonitoringandReportsmenu.ThenonDashboardofViewerwindowlookfor“Authentications-TACACS–Today”Report.TogetdetailsaboutwhatAuthorizationdatawassenttoInfobloxGMyouneedtoexpandtreeviewReports->Catalog->AAAProtocolandselectTACACS_Authorizationreport.Intherightupperpartofusersessionyouwillseeresultwithmapping:

FinallytimetotestitonNIOSGM.

11

WellDONE!Errors.ThiserrorinAuditLogmeansthereisnocorrectgroupnameorattributenamepassedfromACStoNIOS:

Whattodo?CheckNIOSGroupname.CheckInfobloxAVattributenameonACS–needstobeinfoblox-admin-groupalllowercase.CheckonACSMonitoring(AAAProtocols/AAAAuthorization)->Details.WhatattributenameandattributevalewassenttoNIOS.DuringpreparationofthisdocumentIfindmyself3errorsYoushouldbeawareof:#1infoblox-admin-groupAVnameonACSwaschangedbyspellcheckertoInfoblox-admin-group–firstletterCAPITAL…#2Groupnamewasshortedbyonecharacter.group-acinsteadofgroup-acs.SoinACSwhenenteringgroupnameinVALUEfieldpleaseDON’TdoENTER/newlineoryouwillhaveaproblems:-)#3IfyouuseTESTbuttoninNIOSyoucanfindthenerrorsinSysloggeneratedbytestprocedure:

ThisisnormalbehaviorfortestbuttonJ