You can configure NIOS to authenticate admins against TACACS+ (Terminal Access Controller Access-Control System Plus) servers. TACACS+ provides separate authentication, authorization, and accounting services. To ensure reliable delivery, it uses TCP as its transport protocol, and to ensure confidentiality, all protocol exchanges between the TACACS+ server and its clients are encrypted. For detailed information about TACACS+, refer to the Internet draft https://tools.ietf.org/html/draft-grant-tacacs-02.
In addition, you can configure a custom service, infoblox, on the TACACS+ server, and then define a user group and specify the group name in the custom attribute infoblox-admin-group. Ensure that you apply the user group to the custom service infoblox. On NIOS, you define a group with the same name and add it to the authentication policy.
Then when the TACACS+ server responds to an authentication and authorization request and includes the infoblox-admin-group attribute, NIOS can match the group name with the group in the authentication policy and automatically assign the admin to that group.
The following figure illustrates the TACACS+ authentication and authorization process when PAP/CHAP authentication is used.

TACACS+ Authentication

...

  • Create a TACACS+ authentication server group. You can create only one TACACS+ server group. For more information, see Configuring a TACACS+ Authentication Server Group below.

  • Create the local admin group in NIOS that matches the user group on the TACACS+ server. Note that the NIOS admin group name must match the group name specified in the TACACS+ server and in the custom attribute. For example, if the custom attribute is infoblox-admin-group=remoteadmins1, then the admin group name must be remoteadmins1. In addition, you can designate a default admin group for remote admins. For information about configuring group permissions and privileges, see About Admin Groups.

  • In the authentication policy, add the newly configured TACACS+ server group and the TACACS+ admin group name. See Defining the Authentication Policy for more information about configuring an admin policy.
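As an added example (not Infoblox code and not the NIOS implementation), the following Python parses a TACACS+ authorization REPLY body as laid out in draft-grant-tacacs-02 and applies the group-matching rule described above: the value carried in infoblox-admin-group must exactly equal a group name in the NIOS authentication policy. The fallback to a default remote admin group when nothing matches, and the build_author_reply helper used to construct a sample reply, are assumptions of this example.

```python
import struct

# Authorization REPLY status codes from draft-grant-tacacs-02.
AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL = 0x01, 0x02
AUTHOR_STATUS_FAIL, AUTHOR_STATUS_ERROR = 0x10, 0x11
GROUP_ATTR = "infoblox-admin-group"  # custom attribute named in the text

def parse_author_reply(body: bytes) -> dict:
    """Parse a decrypted TACACS+ authorization REPLY body (header and MD5 pad
    obfuscation already handled by the caller). Layout: status(1) arg_cnt(1)
    server_msg_len(2) data_len(2) arg_len[arg_cnt] server_msg data args..."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + arg_cnt])
    off = 6 + arg_cnt
    server_msg = body[off:off + msg_len].decode("ascii", "replace")
    off += msg_len + data_len  # skip the administrative data field
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("ascii", "replace"))
        off += n
    if off != len(body):  # also catches a truncated arg length table
        raise ValueError("authorization REPLY body length mismatch")
    return {"status": status, "server_msg": server_msg, "args": args}

def split_av_pair(arg: str):
    """'attr=value' is mandatory, 'attr*value' optional; the separator is the
    first '=' or '*', so values may themselves contain either character."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError(f"malformed AV pair: {arg!r}")

def assign_admin_group(body: bytes, policy_groups: set, default_group=None):
    """Only a PASS reply whose infoblox-admin-group value exactly matches a
    group in the authentication policy assigns that group; otherwise return
    the default remote admin group if configured, else None (no access).
    The fallback-to-default rule is an assumption of this example."""
    reply = parse_author_reply(body)
    if reply["status"] not in (AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL):
        return None
    for arg in reply["args"]:
        attr, value, _mandatory = split_av_pair(arg)
        if attr == GROUP_ATTR and value in policy_groups:
            return value
    return default_group

def build_author_reply(status, args, server_msg=b"", data=b"") -> bytes:
    """Constructed sample REPLY body for offline testing, not captured traffic."""
    enc = [a.encode("ascii") for a in args]
    return (struct.pack("!BBHH", status, len(enc), len(server_msg), len(data))
            + bytes(len(a) for a in enc) + server_msg + data + b"".join(enc))
```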

...