Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Anchor
bookmark463
bookmark463
You can configure NIOS to authenticate admins against TACACS+ (Terminal Access Controller Access-Control System Plus) servers. TACACS+ provides separate authentication, authorization, and accounting services. To ensure reliable delivery, it uses TCP as its transport protocol, and to ensure confidentiality, all protocol exchanges between the TACACS+ server and its clients are encrypted. For detailed information about TACACS+, refer to the Internet draft http://tools.ietf.org/html/draft-grant-tacacs-02.
In addition, you can configure a custom service, infoblox, on the TACACS+ server, and then define a user group and specify the group name in the custom attribute infoblox-admin-group. Ensure that you apply the user group to the custom service infoblox. On NIOS, you define a group with the same name and add it to the authentication policy.
Then when the TACACS+ server responds to an authentication and authorization request and includes the infoblox-admin-group attribute, NIOS can match the group name with the group in the authentication policy and automatically assign the admin to that group.
Figure 4.7 illustrates the TACACS+ authentication and authorization process when PAP/CHAP authentication is used.

Anchor
bookmark464
bookmark464
Figure 4.7 TACACS+ Authentication
Image Removed
Image Removed
Image Removed
Image Removed
Administrator NIOS Appliance TACACS+ Servers
Image Removed
Image Removed
Image Removed
Image Removed
Image Removed
Image Removed
Image Removed
Image Removed
A user makes an HTTPS connection to
1 the NIOS appliance and sends an
account name and password.

2 The appliance checks the authentication policy, which specifies the TACACS+
authentication server group.

  1. The appliance sends an AUTHENTICATION START message with the user's credentials.
  1. The TACACS+ server sends an AUTHENTICATION REPLY indicating the admin was successfully authenticated.
  1. The appliance sends an AUTHORIZATION REQUEST with the

attribute-value string for the "infoblox" service.
NIOS allows the user to log in and assigns it to the admin group in the authentication policy that matches the group in the custom attribute.
If NIOS does not find a matching group in the authentication policy, it assigns the user to the default admin group.

6a The TACACS+ server sends an AUTHORIZATION RESPONSE
indicating authorization succeeded and includes the custom attribute
"infoblox-admin-group".
The appliance does not allow the user to log in.

6b The TACACS+ server sends a REPLY message indicating authentication
and/or authorization is unsuccessful. Image Added <place for figure>

Anchor
TACACS+ Accounting
TACACS+ Accounting
Anchor
bookmark465
bookmark465
TACACS+ Accounting
When you enable TACACS+ accounting, NIOS sends the TACACS+ accounting server a TACACS+ accounting event with the same information that it sends to the Audit Log for any user command/event. NIOS sends an accounting start packet when a user first logs in successfully using TACACS+ authentication, and it sends an accounting STOP packet when a user logs out of the GUI or CLI or when a GUI or CLI session times out. If a product restarts or software failure occurs, NIOS drops any outstanding accounting packets. Note that audit log entries that are greater than 3,600 characters are truncated in accounting events sent to TACAS+ servers.

...