
About Remote Admins

You can configure the appliance to authenticate admins whose user credentials are stored on a RADIUS server, AD domain controller, or TACACS+ server.
To authenticate admins using RADIUS, Active Directory or TACACS+, you must define those services on the appliance and define the admin policy. The admin policy lists which authentication services to use and in what order.
The authentication policy also lists the local admin groups that match the remote admin groups. If you configured admin groups on the remote authentication server, you must configure admin groups with the same names on the appliance so it can assign remote admins to the correct group. If you did not configure admin groups on the remote authentication server, you must configure a default group for remote admins on the appliance.
When an admin logs in with a user name and password, the appliance uses the first service listed in the admin policy to authenticate the admin. If authentication fails, the appliance tries the next service listed, and so on. It tries each service on the list until it is successful or all services fail. If all services fail, then the appliance denies access.
If authentication succeeds, the appliance determines the admin's privileges based on the admin group of the admin. It tries to match the admin group names in the admin policy to any groups received from the remote server. If it finds a match, the appliance applies the privileges of that group to the admin and allows access. If the appliance does not find a match, then it applies the privileges of the default group. If no default group is defined, then the appliance denies access. Figure 4.2 illustrates the authentication and authorization process for remote admins.

Figure 4.2 Authenticating Remote Admins
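The two-stage sequence described above (ordered authentication attempts, then group matching with a default-group fallback) is easy to mis-read, so here it is as an added Python example. This is not Infoblox code and uses no NIOS API; the RADIUS and AD "servers" are constructed in-memory credential tables with made-up user names, passwords and group names, and the policy layout (`services`, `admin_groups`, `default_group`) is an assumption made for the illustration. Following the text, any service failure simply moves evaluation on to the next service in the list.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# A remote authentication service either rejects the credentials (None) or
# returns the set of group names it holds for this admin. An empty set means
# the server authenticated the admin but carries no group information.
AuthService = Callable[[str, str], Optional[Set[str]]]


@dataclass
class AdminPolicy:
    services: List[Tuple[str, AuthService]]   # tried in list order
    admin_groups: Dict[str, str]              # local group name -> privilege label
    default_group: Optional[str] = None       # applied when no group name matches


@dataclass
class Decision:
    allowed: bool
    service: Optional[str]   # service that authenticated the admin, if any
    group: Optional[str]     # local admin group whose privileges apply
    reason: str


def evaluate_admin_policy(policy: AdminPolicy, username: str, password: str) -> Decision:
    # Stage 1, authentication: try each service in order and stop at the first
    # success. Per the text, a failure on one service just moves to the next.
    remote_groups = None
    matched_service = None
    for name, service in policy.services:
        result = service(username, password)
        if result is not None:
            remote_groups, matched_service = result, name
            break
    if remote_groups is None:
        return Decision(False, None, None, "all authentication services failed")

    # Stage 2, authorization: match the local admin group names against the
    # groups the remote server returned. Policy order decides ties.
    for local_group in policy.admin_groups:
        if local_group in remote_groups:
            return Decision(True, matched_service, local_group, "matched remote group")

    # No match: fall back to the default group, or deny when none is configured.
    if policy.default_group is not None:
        return Decision(True, matched_service, policy.default_group, "default group applied")
    return Decision(False, matched_service, None, "no matching group and no default group")


def make_directory(entries: Dict[str, Tuple[str, List[str]]]) -> AuthService:
    """Constructed stand-in for a remote server: username -> (password, groups)."""
    def service(username: str, password: str) -> Optional[Set[str]]:
        record = entries.get(username)
        if record is None or record[0] != password:
            return None          # unknown user or bad password: authentication fails
        return set(record[1])
    return service


# Constructed sample servers (no real credentials).
RADIUS = make_directory({"alice": ("radius-pw", ["netops"])})
AD = make_directory({
    "bob": ("ad-pw", ["helpdesk", "domain users"]),
    "carol": ("ad-pw", ["finance"]),          # no group the appliance knows about
})

# Policy without a default group: unmatched remote admins are denied.
POLICY = AdminPolicy(
    services=[("radius", RADIUS), ("ad", AD)],
    admin_groups={"netops": "superuser", "helpdesk": "read-only"},
)

# Same policy with a default group configured for remote admins.
POLICY_WITH_DEFAULT = AdminPolicy(
    services=POLICY.services,
    admin_groups=POLICY.admin_groups,
    default_group="remote-admins",
)


if __name__ == "__main__":
    for user, pw in [("alice", "radius-pw"), ("bob", "ad-pw"), ("carol", "ad-pw"), ("alice", "wrong")]:
        print(user, evaluate_admin_policy(POLICY, user, pw))
    print("carol with default group:", evaluate_admin_policy(POLICY_WITH_DEFAULT, "carol", "ad-pw"))
```

Running it shows the case the text warns about: carol authenticates successfully against AD but is denied under `POLICY` because none of her groups is configured on the appliance, and is admitted only when a default group exists.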


To configure the appliance to authenticate admins against a RADIUS server and an AD controller:


Note: Infoblox strongly recommends that, even if you are using remote authentication, you always keep at least one local admin in a local admin group, so that you can still reach the appliance if the remote servers become unreachable.