Active Directory™ (AD) is a distributed directory service that is a repository for user information. The NIOS appliance can authenticate admin accounts by verifying user names and passwords against Active Directory. In addition, the NIOS appliance queries the AD domain controller for the group membership information of the admin. The appliance matches the group names from the domain controller with the admin groups on its local database. It then authorizes services and grants the admin privileges, based upon the matching admin group on the appliance.
Figure 4.6 illustrates the Active Directory authentication process.

Figure 4.6 Authentication Using a Domain Controller (diagram showing the Administrator, the NIOS Appliance and the Domain Controller; image not available)
  1. A user makes an HTTPS connection to the NIOS appliance and sends an account name and password.
  2. The appliance checks the authentication policy to determine which authentication service to use. The authentication policy ...
  3. The appliance sends an authentication request to the first domain controller in the AD server group. The appliance also requests the group membership information of the admin.
  4a. Authentication is successful. The domain controller successfully authenticates the admin user. The group membership information for the administrator is sent to the appliance. The first group in the list that matches the groups returned by the domain controller is assigned to the admin, along with the associated permissions after that admin logs in. The appliance lets the user log in and applies the authorization profile. The appliance grants all permissions specific to the administrator based on the group membership sent from the domain controller associated with the admin account. If there is no group membership information for the admin, the default group is assigned (if configured).
  4b. Authentication is unsuccessful. The domain controller sends back a deny access result to the appliance. No group membership information is sent. The appliance does not allow the user to log in.


To configure NIOS to authenticate administrators using Active Directory domain controller groups, you must first configure user accounts on the domain controller. Then, on the NIOS appliance, do the following:

...

  • Configure an Active Directory authentication server group, as described in Configuring an Active Directory Authentication Service Group.
  • If you configured admin groups on the AD controller, you must create those same groups on the NIOS appliance and specify their privileges and settings. Note that the admin group names must match those on the AD domain controller. You can specify a default group as well. The NIOS appliance assigns admins to the default group if none of the admin groups on the NIOS appliance match the admin groups on the AD domain controller or if there are no other admin groups configured. For information about configuring group permissions and privileges, see About Admin Groups.
  • Add the newly configured Active Directory service to the list of authentication services in the admin policy, and add the admin group names as well. See Defining the Authentication Policy for more information about configuring an admin policy.

Configuring an Active Directory Authentication Service Group
You can add multiple domain controllers to an AD authentication server group for redundancy. The NIOS appliance tries to connect with the first domain controller on the list. If it is unable to connect, it tries the next domain controller on the list, and so on.
To configure an Active Directory authentication server group on the NIOS appliance:

...

When you add multiple domain controllers, the appliance lists the servers in the order you added them. This list also determines the order in which the NIOS appliance attempts to contact a domain controller. You can move a server up or down the list by selecting it and clicking the up or down arrow.
You can also delete a domain controller by selecting it and clicking the Delete icon.

  • Timeout(s): The number of seconds that the NIOS appliance waits for a response from the specified authentication server. The default is 5.
  • Comment: Enter additional information about the service.
  • Disable: Select this to retain an inactive AD authentication service profile.

   4. Save the configuration and click Restart if it appears at the top of the screen.
NIOS Administrator Guide (Rev. A), NIOS 8.1, p. 220
Enabling Active Directory Authentication for Nested Groups

...

  1. From the Administration tab, click the Authentication Server Groups tab.
  2. Click the Active Directory Services subtab and click the Add icon.
  3. In the Add Active Directory Authentication Service wizard, complete the following:

...

    • Nested Group Query: This check box is deselected by default, meaning the nested group query is disabled. When nested group query is disabled, AD authentication service is applied to only one group of which the AD admin is a member. When you select this check box, AD authentication service is applied to all the nested groups of which an AD admin is a member. This setting is applicable to all the AD servers configured for the Active Directory authentication service.
  4. Save the configuration.
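The following is an added example, not Infoblox NIOS code, that models the behaviour described on this page as a whole: the steps of Figure 4.6 (authentication request, group membership returned, first matching admin group assigned, default group as fallback, deny access ends the attempt), the ordered domain controller list of the authentication server group with its per-server timeout, and the Nested Group Query setting. Controller names, user names, passwords and group names are constructed sample data; the assumption that "the list" whose first matching group wins is the ordered admin group list in the authentication policy, and that a user with no matching group and no default group configured is not logged in, are labelled in the code.

```python
"""Illustrative model of the NIOS Active Directory admin-authentication flow.

Added example, not Infoblox NIOS code. It models the behaviour the guide
describes: domain controllers tried in list order (moving on only when a server
cannot be reached within the timeout), the admin's group list matched against
the admin groups on the appliance, the default group used as a fallback, and the
optional nested-group query. All directory contents and names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DomainController:
    """A simulated AD domain controller in the authentication server group."""
    name: str
    users: Dict[str, str]                # user -> password (constructed sample data)
    direct_groups: Dict[str, List[str]]  # user -> groups the user is a direct member of
    parent_groups: Dict[str, List[str]]  # group -> groups that group is nested in
    reachable: bool = True               # False simulates a connection timeout

    def authenticate(self, user: str, password: str) -> Optional[List[str]]:
        """Return the user's direct group list on success, None on deny access."""
        if self.users.get(user) != password:
            return None
        return list(self.direct_groups.get(user, []))

    def nested_groups(self, groups: List[str]) -> List[str]:
        """Expand direct groups to every group they are nested in
        (breadth first, order preserved, safe against membership cycles)."""
        expanded: List[str] = []
        queue = list(groups)
        while queue:
            group = queue.pop(0)
            if group in expanded:
                continue
            expanded.append(group)
            queue.extend(self.parent_groups.get(group, []))
        return expanded


@dataclass
class ADAuthService:
    """The appliance-side AD authentication service group."""
    controllers: List[DomainController]  # list order is the order the appliance tries
    timeout_s: int = 5                   # per-server response timeout (guide default: 5)
    nested_group_query: bool = False     # the Nested Group Query check box


@dataclass
class AuthResult:
    allowed: bool
    admin_group: Optional[str]
    controller: Optional[str]
    reason: str


def authenticate_admin(service: ADAuthService, policy_groups: List[str],
                       default_group: Optional[str], user: str,
                       password: str) -> AuthResult:
    """Authenticate an admin and choose the admin group to apply.

    policy_groups is the ordered admin group list of the authentication policy;
    the first one the domain controller reports the admin as a member of wins
    (assumption: this is the list the guide refers to).
    """
    for dc in service.controllers:
        if not dc.reachable:
            # No response within service.timeout_s seconds: try the next server.
            continue
        groups = dc.authenticate(user, password)
        if groups is None:
            # A deny-access result is final; the appliance does not try another server.
            return AuthResult(False, None, dc.name, "deny access")
        if service.nested_group_query:
            groups = dc.nested_groups(groups)
        returned = set(groups)
        for group in policy_groups:
            if group in returned:
                return AuthResult(True, group, dc.name, "matched admin group")
        if default_group is not None:
            return AuthResult(True, default_group, dc.name, "default group")
        # No match and no default group configured: modelled as no login (assumption).
        return AuthResult(False, None, dc.name, "no matching admin group")
    return AuthResult(False, None, None, "no domain controller reachable")


# Constructed sample directory shared by both simulated controllers.
SAMPLE_USERS = {"alice": "s3cret-1", "bob": "s3cret-2"}
SAMPLE_DIRECT = {"alice": ["Helpdesk"], "bob": ["Engineering"]}
SAMPLE_PARENTS = {"Helpdesk": ["NIOS-Operators"], "NIOS-Operators": ["Domain Users"]}


def build_service(nested: bool = False) -> ADAuthService:
    """Two controllers; the first is unreachable, so the appliance fails over to dc2."""
    dc1 = DomainController("dc1", SAMPLE_USERS, SAMPLE_DIRECT, SAMPLE_PARENTS, reachable=False)
    dc2 = DomainController("dc2", SAMPLE_USERS, SAMPLE_DIRECT, SAMPLE_PARENTS)
    return ADAuthService([dc1, dc2], nested_group_query=nested)


if __name__ == "__main__":
    policy = ["NIOS-Operators", "Helpdesk"]
    for nested in (False, True):
        result = authenticate_admin(build_service(nested), policy, "ReadOnly", "alice", "s3cret-1")
        print(f"nested_group_query={nested}: {result}")
```

With the nested group query disabled, alice is matched only on her direct group (Helpdesk); enabling it expands her membership to NIOS-Operators and Domain Users, so the earlier entry in the policy list, NIOS-Operators, is assigned instead. A user whose groups match nothing in the policy falls back to the default group when one is configured, and a deny-access result from a reachable controller ends the attempt without contacting further servers.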