Cisco Support Community
New Member

Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.

Hi there,

I have an issue with Cisco ACS and an Infoblox appliance. We want to authenticate users who log in on the Infoblox via the Cisco ACS. After that the ACS should reply with a passed (RADIUS) authentication and reply with an administrative groupname that the user belongs to on the Infoblox. To do this I have to import a VSA to have the option in the ACS to reply with this groupname. On the Infoblox these groups are already made and this must match the group that the ACS replies.

Now I have imported the VSA and configured an AAA client (infoblox) to use the new RADIUS (VSA) to support the Infoblox. In the groupsetting I've turned on the Infoblox-Group_info attribute and filled in a specific groupname that the authenticated user belongs to. Now here comes the part where the group info is returned, but the Infoblox Appliance gives me a RADIUS error reply message. As I can see in the logs of the ACS the authentication part of the user is fine. So it has to be between the info that the ACS replies with, when the user logs in.

I've attached the VSA and a *.pcap of wireshark to see what's going on.

Can anyone advise or suggest any option that can make this thing work?

With regards,

Richard Gosen
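
An added example, not part of the original thread: a Python check that can be run over the raw RADIUS payload of an Access-Accept exported from a capture, to see whether the Vendor-Specific attribute (type 26, RFC 2865) is well formed and which group name it carries. The Infoblox vendor ID 7779 and sub-attribute number 9 are assumptions to confirm against the imported VSA definition; the sample packet is constructed, and its length error is illustrative, not a statement of what the ACS bug produced.

```python
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute type
INFOBLOX_VENDOR_ID = 7779     # assumption: confirm against the imported VSA file
GROUP_INFO_SUBTYPE = 9        # assumption: sub-attribute number of the group attribute

def check_radius_vsas(packet: bytes):
    """Return (group_names, problems) for one raw RADIUS packet."""
    groups, problems = [], []
    if len(packet) < 20:
        return groups, ["packet shorter than the 20-byte RADIUS header"]
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        problems.append(f"header length {length} != actual {len(packet)}")
    pos, end = 20, min(length, len(packet))
    while pos < end:
        # Each attribute is type(1) + length(1) + value; length covers all three.
        if end - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > end:
            problems.append(f"attribute at offset {pos}: length does not fit")
            break
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_type == VENDOR_SPECIFIC:
            groups += _check_vsa(packet[pos + 2:pos + a_len], pos, problems)
        pos += a_len
    return groups, problems

def _check_vsa(value, offset, problems):
    # VSA value is vendor-id(4) followed by vendor-type(1) + vendor-length(1) + data.
    if len(value) < 6:
        problems.append(f"VSA at offset {offset}: too short for vendor id + sub-attribute")
        return []
    vendor = struct.unpack("!I", value[:4])[0]
    groups, sub = [], value[4:]
    while sub:
        if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
            problems.append(f"VSA at offset {offset} (vendor {vendor}): sub-attribute length does not fit")
            break
        if vendor == INFOBLOX_VENDOR_ID and sub[0] == GROUP_INFO_SUBTYPE:
            groups.append(sub[2:sub[1]].decode("ascii", "replace"))
        sub = sub[sub[1]:]
    return groups

def build_accept(group: bytes, inner_len_delta=0):
    """Constructed sample Access-Accept with one group VSA (delta skews the inner length)."""
    sub = bytes([GROUP_INFO_SUBTYPE, len(group) + 2 + inner_len_delta]) + group
    vsa_val = struct.pack("!I", INFOBLOX_VENDOR_ID) + sub
    attr = bytes([VENDOR_SPECIFIC, len(vsa_val) + 2]) + vsa_val
    return struct.pack("!BBH", 2, 1, 20 + len(attr)) + bytes(16) + attr
```
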

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.

Hi Richard,

Please find attached accountsActions to delete it, and you can use your original accountsActions to re-add the VSA.

Hope that works.

10 REPLIES
Cisco Employee

Re: Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.

Hi Richard,

Seems to be matching this bugID: CSCsv65072:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsv65072

Which version are you running?

For 4.2.0.124, patch 8 or later has the fix.

For 4.1.4.13, patch 13 or later has the fix.

Hope that helps.

New Member

Re: Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.

Hello Halijenn,

Thank you for your reply.

The version of ACS is 4.2.0.124 so it makes sense why this is not working.

Where can I apply for this patch?

With regards,

Richard Gosen

Cisco Employee

Re: Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.

You can download the patch from here:

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
New Member

Re: Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.

Halijenn,

Thanks for your info.

I've applied the patch 4.2.0.124.15, but the ACS still sends a malformed packet back to the Infoblox when a user tries to login.

The ACS is rebooted and the VSA is re-enabled with the specific group info.

Am I missing something here?

With regards,

Richard Gosen

Cisco Employee

Re: Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.

Please remove the VSA, and re-add it. It should work after you re-add it.

New Member

Re: Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.

Should I make a *.csv to delete all the records that the imported VSA.csv, as mentioned previously, has created?

This Cisco ACS is not my core knowledge.

Maybe you can confirm that I must use action code 161 to delete this VSA. I didn't see any option to delete it in the Solution Engine.

Can you put me in the right direction?

Cisco Employee

Re: Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.

Hi Richard,

Please find attached accountsActions to delete it, and you can use your original accountsActions to re-add the VSA.

Hope that works.

New Member

Re: Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.

Halijenn,

Unfortunately the above solution doesn't do the trick. When I delete the imported VSA, via the attached *.csv, the Infoblox attributes still show up when I re-add the Infoblox appliance to a network device group and there choose "Radius (Infoblox)" for the authentication. After deleting the VSA I have restarted the ACS SE. The returned acknowledgment from the ACS still presents a malformed packet. When I uncheck the checkbox of the "RADIUS (Infoblox)" attribute in the group settings, then it shows no malformed packet, but no group information is sent either.

Again I have imported the original accountsAction.csv and restarted the SE, but it still returns malformed packets.

Any other possibilities?

Kind regards,

Richard Gosen

New Member

Re: Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.

Ok,

I have re-imaged the ACS with the recovery DVD and applied the patch 4.2.0.124.15. Next I imported the VSA and rebooted the server. After this I added the Infoblox appliance and could choose the VSA for authentication. Under "interface configuration" I clicked "INfoblox attributes" and checked the group specific info checkbox.

In the group setup you can check the group specific info and add a groupname that is also in the Infoblox appliance. When a user logs into the appliance it gets redirected to the right group.

Everything is working fine. I guess the ACS was a bit messy.

Thank you Halijenn for your great support.

Cisco Employee

Re: Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.

Thanks for the update. Good to hear all is working fine now. Cheers.
