Once you have your device type and TACACS+ key created, you can start the rest of the configuration tasks.
1: Within ACS we will craft a shell profile for authorization with a defined custom attribute; its value is the group that we will reference in the Infoblox AAA settings.
Next, we will jump to the Infoblox server and, under General Settings > Authentication Servers, define the following:
- The AAA profile name
- Define AAA servers
- Craft a role map to system ROLEs
Take note that the 1st figure above has "disable authorization" unchecked. This allows the Cisco ACS shell profile custom attribute to be applied for authorization.
So at this point we have a group mapping to our roles, AAA servers defined with the right IPv4 address, key and port, and an AAA definition named "ACSaun" crafted.
So the only piece left is a policy for this AAA client that uses the shell profile built earlier. For the roles we can map multiple defined roles to our role group and/or craft multiple role mappings.
e.g. a new role map named REPRT
When you have the correct groups and access policy in Cisco ACS you can now execute a system test before setting remote auth as the priority for user authentication via TACACS+,
and finally you can log in if the above test from Infoblox was a success.
Don't forget to sequence the order of authentication profiles from local to TACACS+.
For role access, you will see one of the following pages displayed if your role doesn't allow that task.
Here my REPRT (reports and event role) does NOT allow configuration changes. So if I try to execute any configuration changes, the following will be displayed.
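To make the authorization flow above concrete, here is an added example (not Infoblox or Cisco ACS code) that models how the group carried in the TACACS+ authorization reply is matched against a role map like the REPRT one. The attribute name `Infoblox-Group-Info`, the role names and the permitted tasks are assumptions for the example; an unknown or missing group resolves to no roles, i.e. deny.

```python
# Added example: resolve Infoblox-style roles from a TACACS+ authorization reply.
# Assumptions: the ACS shell profile returns the group in a custom attribute
# named "Infoblox-Group-Info"; role names and task permissions are constructed.

# Role map: AAA group (shell profile custom attribute value) -> Infoblox roles.
# One group may map to several roles, and several groups may be defined.
ROLE_MAP = {
    "REPRT": ["DNS Reports", "Event Viewer"],      # reports/events only
    "NETADMIN": ["DNS Admin", "DHCP Admin"],       # constructed admin group
}

# Tasks each role permits (constructed). Note no reports role permits config.
ROLE_PERMS = {
    "DNS Reports": {"view_reports"},
    "Event Viewer": {"view_events"},
    "DNS Admin": {"view_reports", "view_events", "config_change"},
    "DHCP Admin": {"view_events", "config_change"},
}


def parse_av_pairs(args):
    """Parse TACACS+ authorization reply arguments into a dict.

    Per the protocol, "attr=value" is a mandatory pair and "attr*value" is
    optional; the mapping here keeps the value either way and records
    which separator was used.
    """
    pairs = {}
    for arg in args:
        sep = "=" if "=" in arg else "*" if "*" in arg else None
        if sep is None:
            continue                       # malformed argument, ignore it
        attr, value = arg.split(sep, 1)
        pairs[attr] = {"value": value, "mandatory": sep == "="}
    return pairs


def resolve_roles(av_pairs, role_map=ROLE_MAP, attr="Infoblox-Group-Info"):
    """Return the roles for the group in the reply; unknown/missing -> []."""
    group = av_pairs.get(attr, {}).get("value")
    return list(role_map.get(group, []))   # default deny: no group, no roles


def is_allowed(roles, task, perms=ROLE_PERMS):
    """True if any of the user's roles permits the task."""
    return any(task in perms.get(role, set()) for role in roles)
```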
Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \