In addition, you can configure a custom service, infoblox, on the TACACS+ server, and then define a user group and specify the group name in the custom attribute infoblox-admin-group. Ensure that you apply the user group to the custom service infoblox. On NIOS, you define a group with the same name and add it to the authentication policy.
Then when the TACACS+ server responds to an authentication and authorization request and includes the infoblox-admin-group attribute, NIOS can match the group name with the group in the authentication policy and automatically assign the admin to that group.
The following figure illustrates the TACACS+ authentication and authorization process when PAP/CHAP authentication is used.
Figure 4.7 TACACS+ Authentication (diagram not reproduced in this extraction)
TACACS+ Accounting
When you enable TACACS+ accounting, NIOS sends the TACACS+ accounting server a TACACS+ accounting event with the same information that it sends to the Audit Log for any user command or event. NIOS sends an accounting START packet when a user first logs in successfully using TACACS+ authentication, and it sends an accounting STOP packet when a user logs out of the GUI or CLI or when a GUI or CLI session times out. If a product restarts or a software failure occurs, NIOS drops any outstanding accounting packets. Note that audit log entries longer than 3,600 characters are truncated in accounting events sent to TACACS+ servers.
...
Configuring TACACS+
...
...
Complete the following tasks to enable NIOS and the TACACS+ servers to communicate. On each TACACS+ server that you are adding to the authentication server group:
...
- Create a TACACS+ authentication server group. You can create only one TACACS+ server group. For more information, see the Configuring a TACACS+ Authentication Server Group section.
- Create the local admin group in NIOS that matches the user group on the TACACS+ server. Note that the NIOS admin group name must match the group name specified on the TACACS+ server and in the custom attribute. For example, if the custom attribute is infoblox-admin-group=remoteadmins1, then the admin group name must be remoteadmins1. In addition, you can designate a default admin group for remote admins. For information about configuring group permissions and privileges, see About Admin Groups.
- In the authentication policy, add the newly configured TACACS+ server group and the TACACS+ admin group name. See Defining the Authentication Policy for more information about configuring an admin policy.
...
Configuring a TACACS+ Authentication Server Group
You can add multiple TACACS+ servers to the TACACS+ authentication server group. NIOS sends authentication requests to the TACACS+ servers in the order they are listed. NIOS sends authentication requests to the first server on the list. If that server is unreachable or generates an error, then NIOS sends the request to the next server in the list that has not been previously queried, and so on. NIOS logs an error message in syslog if all servers have been queried and they all generate errors or are unreachable.
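The two NIOS-side behaviours described on this page, the ordered failover through the TACACS+ server group above and the mapping of the infoblox-admin-group attribute onto a NIOS admin group (with fallback to the designated default remote admin group) from the earlier sections, are modelled together in the following Python example. This is an added illustration written for this page, not Infoblox code or a TACACS+ client; the server handlers, hostnames, user names and group names are constructed sample data, and the syslog messages are assumed wording, not NIOS's actual log text.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Attribute name configured under the custom "infoblox" service on the TACACS+ server.
CUSTOM_ATTRIBUTE = "infoblox-admin-group"


class ServerError(Exception):
    """Raised by a server handler when that server is unreachable or returns an error."""


@dataclass
class TacacsResponse:
    """Authentication and authorization result returned by one TACACS+ server."""
    authenticated: bool
    attributes: dict = field(default_factory=dict)  # e.g. {"infoblox-admin-group": "remoteadmins1"}


@dataclass
class AuthPolicy:
    """The NIOS authentication policy: the admin groups it lists plus an optional
    default admin group for remote admins (assumed representation)."""
    admin_groups: frozenset
    default_remote_group: Optional[str] = None


# A server is (name, handler); handler(username, password) returns a TacacsResponse
# or raises ServerError. Handlers stand in for real network calls (constructed).
Handler = Callable[[str, str], TacacsResponse]


def query_server_group(servers, username, password, syslog):
    """Query servers in listed order, each at most once. Returns (server_name, response)
    for the first server that answers; after every server has failed, logs one error
    and returns (None, None), mirroring the failover rule described on the page."""
    for name, handler in servers:
        try:
            return name, handler(username, password)
        except ServerError as exc:
            syslog.append(f"TACACS+ server {name}: {exc}; trying next server")
    syslog.append("All TACACS+ servers in the group are unreachable or returned errors")
    return None, None


def resolve_admin_group(response, policy):
    """Map the infoblox-admin-group attribute onto an admin group in the policy.
    A missing or unknown group name falls back to the default remote admin group,
    or None if no default is designated."""
    if response is None or not response.authenticated:
        return None
    name = response.attributes.get(CUSTOM_ATTRIBUTE)
    if name in policy.admin_groups:
        return name
    return policy.default_remote_group


# --- constructed sample servers and policy ---
def unreachable(username, password):
    raise ServerError("connection timed out")


def primary_ok(username, password):
    # Only one constructed credential pair authenticates; the server then returns the group attribute.
    if username == "alice" and password == "correct-horse":
        return TacacsResponse(True, {CUSTOM_ATTRIBUTE: "remoteadmins1"})
    return TacacsResponse(False)


def stale_group(username, password):
    # Authenticates, but names a group that no longer exists in the NIOS policy.
    return TacacsResponse(True, {CUSTOM_ATTRIBUTE: "oldgroup"})


SERVER_GROUP = [("tacacs-a.example.test", unreachable), ("tacacs-b.example.test", primary_ok)]
POLICY = AuthPolicy(frozenset({"remoteadmins1", "remoteadmins2"}), default_remote_group="remote-default")


def login(username, password, servers=SERVER_GROUP, policy=POLICY):
    """Full flow: failover across the server group, then admin group assignment.
    Returns (server_used, assigned_group, syslog_lines)."""
    syslog = []
    server, response = query_server_group(servers, username, password, syslog)
    return server, resolve_admin_group(response, policy), syslog


if __name__ == "__main__":
    print(login("alice", "correct-horse"))
```

Running the block shows the first server being skipped with a logged error and the admin being placed in remoteadmins1 because that name appears both in the attribute and in the policy; changing the attribute value to a group the policy does not list drops the admin into the default remote group, and removing the default yields no group at all, which is the situation the page warns about when the names do not match.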
To configure a TACACS+ authentication server group:
...