In addition, you can configure a custom service named infoblox on the TACACS+ server, define a user group there, and carry the group name in the custom attribute infoblox-admin-group. Ensure that you apply the user group to the custom service infoblox. On NIOS, you define an admin group with the same name and add it to the authentication policy.
When the TACACS+ server's reply to an authentication and authorization request includes the infoblox-admin-group attribute, NIOS matches the group name against the admin groups in the authentication policy and automatically assigns the admin to the matching group.
Figure 4.7 illustrates the TACACS+ authentication and authorization process when PAP/CHAP authentication is used.
...
- Create a TACACS+ authentication server group. You can create only one TACACS+ server group. For more information, see Configuring a TACACS+ Authentication Server Group.
- Create the local admin group in NIOS that matches the user group on the TACACS+ server. Note that the NIOS admin group name must match the group name specified in the TACACS+ server and in the custom attribute. For example, if the custom attribute is infoblox-admin-group=remoteadmins1, then the admin group name must be remoteadmins1. In addition, you can designate a default admin group for remote admins. For information about configuring group permissions and privileges, see About Admin Groups.
- In the authentication policy, add the newly configured TACACS+ server group and the TACACS+ admin group name. See Defining the Authentication Policy for more information about configuring an authentication policy.
...
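As an added example, not taken from the Infoblox documentation, the following shows what the server-side part of the procedure above can look like on a Shrubbery tac_plus server. The file syntax is tac_plus's own; the NIOS appliance address, the shared key, and the user and group names are hypothetical.

```conf
# tac_plus.conf (assumed Shrubbery tac_plus syntax; all names and addresses are hypothetical)

# Shared secret for the NIOS appliance. Using a per-host key limits the
# blast radius if one device's key is exposed.
host = 192.0.2.10 {
    key = "replace-with-a-long-random-secret"
}

# User group that is applied to the custom service "infoblox".
# The attribute value must match a NIOS admin group name exactly:
# infoblox-admin-group=remoteadmins1 requires a NIOS admin group "remoteadmins1"
# listed in the NIOS authentication policy.
group = remoteadmins1 {
    service = infoblox {
        infoblox-admin-group = remoteadmins1
    }
}

# A group whose service block does not return infoblox-admin-group.
# Members authenticate successfully, but NIOS has no group name to match,
# so they land in the default admin group for remote admins, if one is
# designated in NIOS; otherwise they get no group.
group = remoteadmins2 {
    service = infoblox {
    }
}

user = alice {
    member = remoteadmins1
    # cleartext is for lab use only; use "file" or a hashed form in production.
    pap  = cleartext "lab-only-password"
    chap = cleartext "lab-only-password"
}

user = bob {
    member = remoteadmins2
    pap  = cleartext "lab-only-password"
    chap = cleartext "lab-only-password"
}
```

Two things to verify against this configuration: first, that the NIOS admin group name you create is spelled identically to the attribute value, since the assignment is a string match on the group name; second, that the group carrying the attribute is the one applied to service infoblox, because NIOS only receives the attribute if the server returns it for that service in the authorization reply.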