Wednesday, April 27, 2016

infoblox and cisco ACS 5.x

Here's a short  "HOWTO"  for  enabling AAA tacacs+ between infoblox and cisco ACS with authorizations for roles. You will  need to 1st define the AAA client ( infoblox ) and common key within ciscoACS.

Once you have your devtype and tacacs+ key create you can start the rest of the configuration tasks.

1: within  ACS  we will craft a  shell profile for authorization with a defined custom  attribute that will be our group that we will use in   infoblox AAA settings

Next, we will jump to the  infoblox server and under the general setting authentication servers, we will define the following;

  • The AAA profile  name
  • Define AAA servers
  • Craft a role-map to systems ROLEs

 Take note that the  1st figure above has disable authorization unchecked.This allows for ciscoACS shellProfile custom attribute to be applied for authorization.

So at this point we have  group mapping to our roles, AAA servers defined with the right ipv4 address and key+port and a AAA definition name "ACSaun" crafted.

So the only piece left is a policy for this AAA client with the earlier shell built profile. For the roles we can map multiple defined roles to our role-group and/or craft multiple roles mapping.


( a new role map name REPRT )

When you have the correct groups and access-policy in ciscoACS you can now execute a systems test b4 setting the remote-auth as priority for user authentication via Tacs_Plus

and finally you can login if the above testing from  infoblox was  a success

Don't  forget to sequence the  order of authentication profiles from local to tacacs+.

For roles access you will one of the following  pages display if your role doesn't allow that task.

Here my REPRT ( reports and event role ) does NOT allow for configurations changes.So if I try to execute any configuration changes the following will be displayed.

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
        /  \

No comments:

Post a Comment