Infoblox NIOS 7.3.x with Cisco ACS 5.x for TACACS+. Comments: Adam Obszynski <[email protected]>

For Cisco ACS 5.x (VM or HW appliance based) you need to use IE or Safari. Firefox and Chrome tend not to render all policy editor fields in the web GUI. Settings in an ACS environment can vary between deployments, but an ACS admin who uses the system on a daily basis will know how to apply the directions and logical dependencies mentioned here.

AUTHENTICATION

To simply authenticate users, you need to define the GRID Master IP as a TACACS+ enabled device and define a shared secret that matches on both sides, NIOS GM and ACS. In the ACS GUI go to Network Resources > Network Devices and AAA Clients and click Create. Fill in the Name and Single IP Address fields. Be sure that TACACS+ is checked and the Shared Secret is the same as on the GM. Don't forget about the GMC (Grid Master Candidate).
On the Grid Master go to Administration -> Authentication Server Groups -> TACACS+ Services, and click ADD (+).
Fill in the IP Address and Shared Secret fields. Remember to use the "Add" button in the middle/right of the screen. Then you should get a window like this:
Then Save & Close.
Then you need to follow the documented path (Admin Guide) and define TACACS+ usage for user authentication. To do it, go to Administration -> Administrators -> Authentication Policy and select the already defined TACACS+ service. Remember the Add button.
Finally, you need TACACS+ to be the first choice. Select it and use the arrow on the left side:
RED LIGHT! If you have default ACS settings (default installation), or if you used the default NIOS settings for the TACACS+ server definition (Authentication Type == CHAP), you need to enable CHAP on the ACS side OR change the setting on the NIOS side. By default ACS supports ASCII and PAP only. I would recommend using CHAP as a minimum... So in ACS you need to enable CHAP: go to Access Policies > Access Services > Default Network Access > Allowed Protocols and tick the checkbox next to Allow CHAP:
Submit. If this is a default ACS install you need to add a user first :-). In ACS go to Users and Identity Stores > Internal Identity Stores > Users, click Create and define a user/password:
For test purposes open a different web browser or a private window session to your GM and log in using the newly created user. The screen above mentions the alamakota user, but I used user4acs in the system; alamakota is for the screen capture only :-). Try to log in using the newly created user. Please also observe the NIOS/GM syslog.
An error like this typically means that there is no connectivity to your ACS from the GM, or you don't have CHAP enabled in ACS :-)
Correct authentication can be checked in the Audit Log.
The first entry is related to the badly configured ACS. The last line is the correct one after CHAP was enabled (the very basic case with the default ACS install mentioned earlier). YELLOW LIGHT! Of course Infoblox GRID user permissions and group mapping need to be defined. The authentication-only case was done just for tests, with a very lazy definition in which the last-resort authentication (when nothing matched first) gives admin-group, which is a BAD thing and for LAB use ONLY. It was set at the bottom of the Authentication Policy page in the Administration/Administrators menu of the GM.
PLEASE DO NOT USE this in PRODUCTION. Use Authorization, which comes next! :-) and grant minimum or no rights if not a single group is matched.

AUTHORIZATION

A remote group called group-acs is created on NIOS to authorize the user into a group with limited rights.
Now time for the ACS side. Go to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, then Create. In General/Name enter a profile name, i.e. "infoblox".
Then in the Custom Attributes tab define the attribute that will define the group mapping. In my example there is a static definition that maps the group name created on NIOS/GM (group-acs). When ACS is using an external MS Active Directory you can use Dynamic settings for the Attribute Value to use a Group from the AD structure. The most important point is that the Attribute name needs to be all lowercase: infoblox-admin-group. Sample screen with the static group definition:
Please remember to add the value by clicking the "Add /\" button, then Save. Final view:
From this point settings may differ for each customer. The data provided below is from a simplified LAB environment. For the next few steps with ACS the Firefox browser will not work correctly!!! Go to Access Policies > Access Services > Service Selection Rules. Select the Single checkbox and select Default Device Admin from the dropdown menu.
Changing to Single result selection can break your ACS policies if this is a production system. Please ask the ACS admin for help with policies. As a result we want to send a specific group to NIOS authorization. Nothing more :-). This can be a very simple scenario from the LAB, like on our screens, or it can be advanced multilevel group matching etc. Your mileage may vary.
Save. Go to Access Policies > Access Services > Default Device Admin > Authorization. Click the "CUSTOMIZE" button (bottom right) and check/add that Device IP Address and Shell Profile are available for selection. Close the window using the OK button.
Then click Create/Save. WARNING: In an unsupported browser the Create button will be greyed out! For me Windows-IE and MAC-Safari worked fine. Firefox & Chrome didn't. Under General, name the new rule, i.e. Infoblox GM, and ensure that it is enabled. Under Conditions, select the checkbox next to Device IP Address, and type the IP address of the Infoblox GM appliance (in my case 192.168.0.73). Under Results, click the Select button located next to the Shell Profile field, select the one you created earlier (in my case infoblox), and click OK. Click OK to close the window.
Click Save Changes, located at the bottom of the page.
In the meantime check that you have the correct Infoblox GM group mappings, using the same group name in NIOS as is defined in ACS (or ultimately AD etc.).
On ACS you can check whether ACS authentication works in the Monitoring and Reports menu. Then on the Dashboard of the Viewer window look for the "Authentications-TACACS-Today" report. To get details about what Authorization data was sent to the Infoblox GM you need to expand the tree view Reports -> Catalog -> AAA Protocol and select the TACACS_Authorization report. In the upper right part of the user session you will see the result with the mapping:
Finally, time to test it on the NIOS GM.
Well DONE!

Errors. This error in the Audit Log means there is no correct group name or attribute name passed from ACS to NIOS:
What to do? Check the NIOS group name. Check the Infoblox AV attribute name on ACS; it needs to be infoblox-admin-group, all lowercase. Check on ACS Monitoring (AAA Protocols/AAA Authorization) -> Details what attribute name and attribute value was sent to NIOS. During preparation of this document I found myself making 3 errors you should be aware of: #1 The infoblox-admin-group AV name on ACS was changed by the spellchecker to Infoblox-admin-group, with a CAPITAL first letter... #2 The group name was shortened by one character: group-ac instead of group-acs. So in ACS when entering the group name in the VALUE field please DON'T press ENTER/newline or you will have problems :-) #3 If you use the TEST button in NIOS you can then find errors in the syslog generated by the test procedure:
This is normal behavior for the test button :-)
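The three mistakes listed above are all of one kind: the attribute-value pair that ACS sends in its TACACS+ authorization reply does not match what NIOS is configured to look for. The checker below is an added illustration, not part of the original document and not an Infoblox or Cisco tool. It takes an AV pair as you would read it in the ACS TACACS_Authorization report details and reports the wrong-case attribute name, the mismatched group name and the stray newline from the ACS VALUE field. The attribute name infoblox-admin-group and the group group-acs come from the text; the sample replies are constructed.

```python
"""Constructed checker for the TACACS+ authorization AV pair NIOS maps on.

Hypothetical helper (not NIOS or ACS code). Input is the raw attribute
string from an ACS TACACS+ authorization reply, e.g. as shown in the ACS
Monitoring -> AAA Authorization -> Details view.
"""

# The text requires this exact, all-lowercase attribute name on the ACS side.
EXPECTED_ATTR = "infoblox-admin-group"


def parse_av_pair(av_pair: str):
    """Split a TACACS+ AV pair into (name, separator, value).

    TACACS+ uses '=' for a mandatory attribute and '*' for an optional one;
    the first separator found wins. Raises ValueError when neither is present.
    """
    for i, ch in enumerate(av_pair):
        if ch in "=*":
            return av_pair[:i], ch, av_pair[i + 1:]
    raise ValueError(f"not an AV pair: {av_pair!r}")


def check_av_pair(av_pair: str, nios_group: str):
    """Return a list of problems; an empty list means NIOS would map the user."""
    problems = []
    name, _sep, value = parse_av_pair(av_pair)

    # Error #1 from the text: spellchecker capitalised the attribute name.
    if name != EXPECTED_ATTR:
        if name.lower() == EXPECTED_ATTR:
            problems.append(
                f"attribute name {name!r} has wrong case; NIOS expects {EXPECTED_ATTR!r}")
        else:
            problems.append(f"attribute name {name!r} is not {EXPECTED_ATTR!r}")

    # Error #2 from the text: ENTER pressed in the ACS VALUE field leaves a newline.
    stripped = value.strip()
    if stripped != value:
        problems.append(
            f"value {value!r} carries leading/trailing whitespace or a newline "
            "(check for ENTER in the ACS VALUE field)")

    # Truncated or otherwise different group name (group-ac vs group-acs).
    if stripped != nios_group:
        problems.append(
            f"value {stripped!r} does not match NIOS remote group {nios_group!r}")

    return problems


# Constructed sample replies: the working one plus the three mistakes above.
SAMPLE_REPLIES = {
    "ok": "infoblox-admin-group=group-acs",
    "capitalised": "Infoblox-admin-group=group-acs",
    "truncated": "infoblox-admin-group=group-ac",
    "newline": "infoblox-admin-group=group-acs\n",
}


def diagnose_all(replies=SAMPLE_REPLIES, nios_group="group-acs"):
    """Map each sample label to the list of problems found in its AV pair."""
    return {label: check_av_pair(pair, nios_group) for label, pair in replies.items()}


if __name__ == "__main__":
    for label, problems in diagnose_all().items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{label:12s} {status}")
```

Run it on the attribute string copied from the ACS report together with the remote group name defined in NIOS; a reply with no reported problems is the one the Audit Log shows as a successful mapping.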