Infoblox Deployment Guide Nios Integration With Radius
Overview
Authentication
Authentication Prerequisites
Workflow

Overview
Depending on where admin user credentials are stored, you can configure the NIOS appliance
to authenticate admins locally or remotely. When you configure the authentication type as
"local," NIOS authenticates admins against its local database. When you configure the
authentication type as "remote," NIOS authenticates admins whose user credentials are stored
remotely on authentication servers, such as RADIUS servers, AD domain controllers, LDAP
servers, or TACACS+ servers.
This deployment guide covers remote authentication for Administrators using supported
RADIUS Servers.
Authentication
NIOS can authenticate admins whose user credentials are stored remotely on RADIUS servers.
It requires authentication server groups to be configured. For example, you can create a server
group for RADIUS servers. Then in the admin authentication policy, you can list which
authentication server groups to use and in what order.
Authentication Prerequisites
A RADIUS server (FreeRADIUS is used in the examples in this guide) configured to accept
Access-Request packets from the NIOS appliance. On the FreeRADIUS side this means a client
entry for the appliance's IP address with a shared secret in the clients file; the matching
options on the NIOS side (server address, authentication type and the same shared secret) are
entered in the steps below.
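As an added example, not taken from this guide or from the FreeRADIUS distribution, here is the kind of client entry the prerequisite refers to. The name, address and secret are placeholders and must match what is later entered on the NIOS side:

```text
# /etc/raddb/clients.conf (on Debian-based systems: /etc/freeradius/3.0/clients.conf)
# Placeholder values, assumed for this example.
client nios-gm {
    ipaddr = 192.0.2.10            # source address the NIOS appliance sends from
    secret = S3cr3tFromClientsFile # must equal the Shared Secret entered in NIOS
    shortname = nios-gm
    nas_type = other
}
```

FreeRADIUS silently ignores Access-Requests from addresses that have no client entry, and a secret mismatch produces replies the appliance cannot validate, so both symptoms show up as a failed connection test on the NIOS side rather than as an explicit error from the server.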
Workflow
1. The user connects to NIOS over HTTPS and submits a username and password.
2. NIOS checks the remote admin authentication policy, which lists the RADIUS server group.
3. NIOS sends an Access-Request packet to the server listed first in the RADIUS server
group.
4. One of the following happens next:
a. If NIOS receives an Access-Accept packet from the RADIUS server and can
match the user to a group configured in NIOS (or to the default group, if
one is configured), it lets the user log in and applies that group's
authorization profile.
b. If NIOS receives an Access-Reject packet from the RADIUS server, it does
not allow the user to log in.
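The exchange in steps 3 and 4, as an added example that is not Infoblox or FreeRADIUS code: both sides run in one process (no UDP), following RFC 2865 for the PAP password hiding and the Response Authenticator and RFC 1994 for CHAP. The username, password and shared secret are constructed sample data, and the in-memory users table stands in for the RADIUS server's user store.

```python
# Added example (not Infoblox or FreeRADIUS code): the Access-Request /
# Access-Accept exchange from the workflow above, both sides in one process,
# following RFC 2865 (PAP, Response Authenticator) and RFC 1994 (CHAP).
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60

# Constructed sample data: the shared secret from the server's clients file
# and a users table standing in for the RADIUS server's user store.
SECRET = b"S3cr3tFromClientsFile"
USERS = {"dhcpadmin": b"Correct-Horse-Battery"}


def attr(kind: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2:          # malformed attribute; stop rather than loop forever
            break
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(user: str, password: bytes, secret: bytes, ident: int, method: str = "pap"):
    """Client side (what NIOS sends): returns (packet, request_authenticator)."""
    req_auth = os.urandom(16)                    # Request Authenticator: 16 random bytes
    attrs = attr(USER_NAME, user.encode())
    if method == "pap":
        attrs += attr(USER_PASSWORD, pap_hide(password, secret, req_auth))
    else:                                        # CHAP: MD5(id + password + challenge), RFC 2865 s5.3
        chap_id, challenge = os.urandom(1), os.urandom(16)
        digest = hashlib.md5(chap_id + password + challenge).digest()
        attrs += attr(CHAP_PASSWORD, chap_id + digest) + attr(CHAP_CHALLENGE, challenge)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def radius_server(request: bytes, secret: bytes) -> bytes:
    """Server side: verify the credential and answer Access-Accept or Access-Reject.
    The reply carries ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    expected = USERS.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    ok = False
    if expected is not None and USER_PASSWORD in attrs:
        ok = pap_reveal(attrs[USER_PASSWORD], secret, req_auth) == expected
    elif expected is not None and CHAP_PASSWORD in attrs:
        chap_id, digest = attrs[CHAP_PASSWORD][:1], attrs[CHAP_PASSWORD][1:]
        challenge = attrs.get(CHAP_CHALLENGE, req_auth)   # absent challenge means use RequestAuth
        ok = hashlib.md5(chap_id + expected + challenge).digest() == digest
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()   # no reply attributes here


def client_verify(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator before trusting the reply."""
    return reply[4:20] == hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()


def authenticate(user: str, password: bytes, client_secret: bytes,
                 server_secret: bytes = SECRET, method: str = "pap") -> str:
    """Run the whole exchange; returns 'accept', 'reject' or 'invalid-response'."""
    request, req_auth = build_access_request(user, password, client_secret, ident=7, method=method)
    reply = radius_server(request, server_secret)
    if not client_verify(reply, req_auth, client_secret):
        return "invalid-response"            # wrong shared secret (or a forged reply)
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(authenticate("dhcpadmin", b"Correct-Horse-Battery", SECRET))                 # accept
    print(authenticate("dhcpadmin", b"Correct-Horse-Battery", SECRET, method="chap"))  # accept
    print(authenticate("dhcpadmin", b"wrong", SECRET))                                 # reject
    print(authenticate("dhcpadmin", b"Correct-Horse-Battery", b"typo-in-secret"))      # invalid-response
```

The last case is the one the Test button in the server-group dialog is there to catch: with a mismatched shared secret, a PAP request decrypts to garbage and is rejected, and even an Access-Accept (as happens with CHAP, which does not use the secret) fails the Response Authenticator check on the client, so the appliance must treat the reply as unusable rather than as a successful login.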
Type a name for the group in the Name field. In our example we used Radius-Group.
Click +.
Select the authentication type, PAP or CHAP, from the list. The default is PAP. With PAP the
password is only hidden with an MD5 keystream derived from the shared secret, so use a long,
random shared secret and keep the path between NIOS and the RADIUS server on a trusted network.
Enter the shared secret, as defined for this appliance in the RADIUS server's clients file, in
the Shared Secret field.
Click Test to check whether NIOS can establish a connection to the RADIUS server with these
settings. A message in blue is displayed on success.
Click Add.
Optionally, modify the Authentication settings and Accounting settings.
Optionally, modify the Recovery Interval settings.
Click +.
Under the Add Authentication Service section, select RADIUS and choose the appropriate
RADIUS authentication Server Group from the drop-down menu.
The order can be customized as required. If you want NIOS to always try the RADIUS server
first, move the RADIUS policy above the Local Admin policy; you can reorder the list by
selecting a group and using the arrow keys to move it up or down. As a best practice, keep the
Local Admin policy before the RADIUS policy so that a local administrator account remains usable
for recovery if the RADIUS servers are unreachable.
The appliance matches a remote admin to a group in the order the groups are listed. When the
authentication server reports that an admin belongs to one or more groups, the appliance
assigns the admin to the first group in the list that matches one of them. If the server
returns no groups, or none of the returned groups exists in the local database, the appliance
assigns the admin to the default group, if one is specified; otherwise the admin is not allowed
to log in.
To configure the remote admin group list, go to Administration > Administrators >
Authentication Policy. In the "Authentication Server Groups is the authority for" section,
keep the default selection (Remote users, their passwords and their groups ownership).
In order for the appliance to assign a remote admin to the correct group, you must list, in the
local database, admin groups whose names match the remote admin groups; the list is matched in
the order shown.
Note: The group you are going to add must already exist under
Administration > Administrators > Groups.
Complete the following to configure the remote admin group list:
Click the + icon in Map the remote admin group to the local group in this order to add an
admin group to the list.
In our example we added group dhcp-admin by selecting it in Admin Group Selector.
You can also define a default admin group to which NIOS assigns remote users with no admin
groups listed. In order to select a default admin group, click Select next to Assign user to this
group if remote admin group cannot be found.
In our example we selected admin-group from the Admin Group Selector.
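The mapping rule described above (first local group in list order that the server also returned, the default group when nothing matches, and refusal when there is no default) is small enough to pin down as a function. This is an added example, not Infoblox code; the group names and the list order are constructed in the spirit of the guide's dhcp-admin and admin-group example, and how the group names arrive in the RADIUS reply is left out, since this guide does not specify the attribute.

```python
# Added example (not Infoblox code): the rule NIOS applies when mapping a remote
# admin to a local admin group, as a pure function over constructed sample data.
from typing import Optional, Sequence, Tuple


def map_remote_admin(returned_groups: Sequence[str],
                     local_group_order: Sequence[str],
                     default_group: Optional[str] = None) -> Tuple[Optional[str], str]:
    """Return (assigned_group, reason). assigned_group is None when the login
    must be refused because nothing matched and no default group is configured.

    The local list ("Map the remote admin group to the local group in this
    order") is walked in its configured order; the first local group that the
    RADIUS server also returned wins, whatever order the server listed them in.
    """
    returned = set(returned_groups)
    for group in local_group_order:
        if group in returned:
            return group, "matched local group %r" % group
    if not returned:
        reason = "server returned no groups"
    else:
        reason = "no returned group (%s) exists locally" % ", ".join(sorted(returned))
    if default_group is not None:
        return default_group, reason + "; default group applied"
    return None, reason + "; no default group, login refused"


# Constructed configuration: two mapped groups, admin-group as the default.
LOCAL_ORDER = ["dhcp-admin", "dns-admin"]
DEFAULT_GROUP = "admin-group"


def assign(returned_groups: Sequence[str], default_group: Optional[str] = DEFAULT_GROUP) -> Optional[str]:
    """Convenience wrapper: just the group the admin ends up in (None = refused)."""
    return map_remote_admin(returned_groups, LOCAL_ORDER, default_group)[0]


if __name__ == "__main__":
    for returned in (["dns-admin", "dhcp-admin"], ["dns-admin"], ["netops"], []):
        print(returned, "->", map_remote_admin(returned, LOCAL_ORDER, DEFAULT_GROUP))
```

The second and third cases are the ones worth checking in your own deployment: a server that returns dns-admin and dhcp-admin in that order still lands the user in dhcp-admin because the local list is what decides precedence, and a group that exists on the RADIUS server but was never created under Administration > Administrators > Groups falls through to the default group, which may grant more (or less) than intended.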
Once you click Profile under the active username, the User Profile window opens.
The User Profile window shows the user type as Remote along with the group membership,
which verifies that the user was authenticated remotely via the RADIUS server.
Users authenticated against the local database are of type Local.