Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.

Answered Question
Mar 29th, 2010

Hi there,

I have an issue with Cisco ACS and an Infoblox appliance. We want to authenticate users that log in on the Infoblox via the Cisco ACS. After that the ACS should reply with a passed (RADIUS) authentication and reply with an administrative groupname that the user belongs to on the Infoblox. To do this I have to import a VSA to have the option in the ACS to reply with this groupname. On the Infoblox these groups are already made and this must match the group that the ACS replies.

Now I have imported the VSA and configured an AAA client (infoblox) to use the new RADIUS (VSA) to support the Infoblox. In the group setting I've turned on the Infoblox-Group_info attribute and filled in a specific groupname that the authenticated user belongs to. Now here comes the part where the group info is returned, but the Infoblox Appliance gives me a RADIUS error reply message. As I can see in the logs of the ACS the authentication part of the user is fine. So it has to be between the info that the ACS replies with, when the user logs in.

I've attached the VSA and a *.pcap of wireshark to see what's going on.

Can anyone advise or suggest any option that can make this thing work?

With regards,

Richard Gosen

Correct Answer by Jennifer Halim about 6 years 6 months ago

Hi Richard,

Please find attached accountsActions to delete it, and you can use your original accountsActions to re-add the VSA.

Hope that works.

richardgosen Mon, 03/29/2010 - 07:30

Hello Halijenn,

Thank you for your reply.

The version of ACS is so it makes sense why this is not working.

Where can I apply for this patch?

With regards,

Richard Gosen

richardgosen Tue, 03/30/2010 - 23:02


Thanks for your info.

I've applied the patch, but the ACS still sends a malformed packet back to the Infoblox when a user tries to login.

The ACS is rebooted and the VSA is re-enabled with the specific group info.

Am I missing something here?

With regards,

Richard Gosen

richardgosen Wed, 03/31/2010 - 07:52

Should I make a *.csv to delete all the records that the imported VSA.csv, as mentioned previously, has created?

This Cisco ACS is not my core knowledge.

Maybe you can confirm that I must use action code 161 to delete this VSA. I didn't see any option to delete it in the Solution Engine.

Can you put me in the right direction?

richardgosen Thu, 04/08/2010 - 07:25


Unfortunately the above solution doesn't do the trick. When I delete the imported VSA, via the attached *.csv, the Infoblox attributes still show up when I re-add the Infoblox appliance to a network device group and there choose "Radius (Infoblox)" for the authentication. After deleting the VSA I have restarted the ACS SE. The returned acknowledgment from the ACS still presents a malformed packet. When I uncheck the checkbox of the "RADIUS (Infoblox)" attribute in the group settings, then it shows no malformed packet, but no group information is sent either.

Again I have imported the original accountsAction.csv and restarted the SE, but it still returns malformed packets.

Any other possibilities?

Kind regards,

Richard Gosen
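
One way to check a captured RADIUS reply for the kind of attribute-length errors that show up as a malformed packet, following the Vendor-Specific layout in RFC 2865 section 5.26. This is an added example, not part of the original thread and not Cisco or Infoblox code; the vendor ID, vendor type and group name used to build test packets are constructed placeholders.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type for VSAs (RFC 2865, section 5.26)

def check_radius_vsas(packet: bytes):
    """Return (vsas, errors): decoded (vendor_id, vendor_type, value) tuples
    and a list of structural problems found in the packet."""
    vsas, errors = [], []
    if len(packet) < 20:
        return vsas, ["packet shorter than the 20-byte RADIUS header"]
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        errors.append(f"header length {length} != captured length {len(packet)}")
    pos, end = 20, min(length, len(packet))
    while pos < end:
        if end - pos < 2:
            errors.append(f"truncated attribute header at offset {pos}")
            break
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > end:
            errors.append(f"attribute {a_type} at offset {pos}: bad length {a_len}")
            break
        body = packet[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC:
            continue
        if len(body) < 6:  # 4-byte Vendor-Id plus a 2-byte sub-attribute header
            errors.append("VSA too short for Vendor-Id and one sub-attribute")
            continue
        vendor_id = struct.unpack("!I", body[:4])[0]
        sub, i = body[4:], 0
        while i < len(sub):  # walk vendor-type / vendor-length / value triples
            if len(sub) - i < 2 or sub[i + 1] < 2 or i + sub[i + 1] > len(sub):
                errors.append(f"vendor {vendor_id}: sub-attribute length does not fit the VSA")
                break
            vsas.append((vendor_id, sub[i], sub[i + 2:i + sub[i + 1]]))
            i += sub[i + 1]
    return vsas, errors

def build_accept(vendor_id, vendor_type, value, sub_len=None):
    """Build a constructed Access-Accept carrying one VSA (test input only).
    Passing sub_len overrides the vendor-length byte to simulate a bad reply."""
    sub_len = len(value) + 2 if sub_len is None else sub_len
    sub = bytes([vendor_type, sub_len]) + value
    attr = bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub
    return struct.pack("!BBH", 2, 1, 20 + len(attr)) + bytes(16) + attr
```

To use it on a real capture, pass the UDP payload of the reply exported from the pcap to `check_radius_vsas`.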

richardgosen Fri, 04/30/2010 - 00:19


I have re-imaged the ACS with the recovery DVD and applied the patch. Next I imported the VSA and rebooted the server. After this I added the Infoblox appliance and could choose the VSA for authentication. Under "interface configuration" I clicked "Infoblox attributes" and checked the group specific info checkbox.

In the group setup you can check the group specific info and add a groupname that is also in the Infoblox appliance. When a user logs into the appliance it gets redirected to the right group.

Everything is working fine. I guess the ACS was a bit messy.

Thank you Halijenn for your great support.

