I have an issue with Cisco ACS and an Infoblox appliance. We want to authenticate users who log in on the Infoblox via the Cisco ACS. After that, the ACS should reply with a passed (RADIUS) authentication and with the administrative group name that the user belongs to on the Infoblox. To do this I have to import a VSA to have the option in the ACS to reply with this group name. On the Infoblox these groups are already made, and they must match the group that the ACS replies with.
Now I have imported the VSA and configured an AAA client (Infoblox) to use the new RADIUS (VSA) to support the Infoblox. In the group settings I've turned on the Infoblox-Group_info attribute and filled in a specific group name that the authenticated user belongs to. Now here comes the part where the group info is returned, but the Infoblox appliance gives me a RADIUS error reply message. As I can see in the logs of the ACS, the authentication part of the user is fine. So it has to be in the info that the ACS replies with when the user logs in.
I've attached the VSA and a Wireshark *.pcap to see what's going on.
Can anyone advise or suggest any option that can make this thing work?
Seems to be matching this bugID: CSCsv65072:
Which version are you running?
For 18.104.22.168, patch 8 or later has the fix.
For 22.214.171.124, patch 13 or later has the fix.
Hope that helps.
Thank you for your reply.
The version of ACS is 126.96.36.199, so it makes sense why this is not working.
Where can I apply for this patch?
You can download the patch from here:
Thanks for your info.
I've applied the patch 188.8.131.52.15, but the ACS still sends a malformed packet back to the Infoblox when a user tries to log in.
The ACS is rebooted and the VSA is re-enabled with the specific group info.
Am I missing something here?
Should I make a *.csv to delete all the records that the imported VSA.csv, as mentioned previously, has created?
This Cisco ACS is not my core knowledge.
Maybe you can confirm that I must use action code 161 to delete this VSA. I didn't see any option to delete it in the Solution Engine.
Can you put me in the right direction?
Unfortunately the above solution doesn't do the trick. When I delete the imported VSA, via the attached *.csv, the Infoblox attributes still show up when I re-add the Infoblox appliance to a network device group and choose "Radius (Infoblox)" there for the authentication. After deleting the VSA I have restarted the ACS SE. The returned acknowledgment from the ACS still presents a malformed packet. When I uncheck the checkbox of the "RADIUS (Infoblox)" attribute in the group settings, then it shows no malformed packet, but no group information is sent either.
Again I have imported the original accountsAction.csv and restarted the SE, but it still returns malformed packets.
Any other possibilities?
I have re-imaged the ACS with the recovery DVD and applied the patch 184.108.40.206.15. Next I imported the VSA and rebooted the server. After this I added the Infoblox appliance and could choose the VSA for authentication. Under "interface configuration" I clicked "Infoblox attributes" and checked the group specific info checkbox.
In the group setup you can check the group specific info and add a groupname that is also in the Infoblox appliance. When a user logs into the appliance it gets redirected to the right group.
Everything is working fine. I guess the ACS was a bit messy.
Thank you Halijenn for your great support.
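For anyone debugging a similar "malformed packet" on a RADIUS reply, the following is an added example, not part of the thread and not Cisco or Infoblox code: it walks the attributes of one RADIUS packet (bytes exported from a capture) and checks that every Vendor-Specific attribute follows the layout recommended in RFC 2865. The vendor ID 99999, sub-type 9 and group name in the sample packets are constructed placeholders, not Infoblox's real values.

```python
import struct

VSA_TYPE = 26  # Vendor-Specific attribute (RFC 2865, section 5.26)

def check_radius_vsas(packet: bytes):
    """Return (vsas, problems); vsas holds (vendor_id, vendor_type, data).
    Assumes vendors use the RFC-recommended type/length/data sub-attributes."""
    vsas, problems = [], []
    if len(packet) < 20:
        return vsas, ["packet shorter than the 20-byte RADIUS header"]
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return vsas, [f"header length {length} does not fit {len(packet)} bytes"]
    pos = 20  # attributes start after code, id, length and authenticator
    while pos < length:
        if length - pos < 2:
            problems.append(f"offset {pos}: truncated attribute header")
            break
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            problems.append(f"offset {pos}: attribute {a_type} has bad length {a_len}")
            break
        value = packet[pos + 2:pos + a_len]
        if a_type == VSA_TYPE:
            if len(value) < 6:
                problems.append(f"offset {pos}: VSA too short for vendor id and sub-attribute")
            else:
                vendor_id = struct.unpack("!I", value[:4])[0]
                sub = value[4:]
                while sub:  # a VSA may carry several sub-attributes
                    if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
                        problems.append(f"offset {pos}: vendor {vendor_id} sub-attribute length does not fit the VSA")
                        break
                    vsas.append((vendor_id, sub[0], sub[2:sub[1]]))
                    sub = sub[sub[1]:]
        pos += a_len
    return vsas, problems

def build_sample(vendor_len_delta=0):
    """Constructed Access-Accept (code 2) with one VSA; all values are placeholders."""
    group = b"admin-group"
    sub = bytes([9, 2 + len(group) + vendor_len_delta]) + group
    vsa = bytes([VSA_TYPE, 2 + 4 + len(sub)]) + struct.pack("!I", 99999) + sub
    return struct.pack("!BBH", 2, 1, 20 + len(vsa)) + bytes(16) + vsa

if __name__ == "__main__":
    print(check_radius_vsas(build_sample()))                    # well-formed VSA
    print(check_radius_vsas(build_sample(vendor_len_delta=3)))  # inner length too large
```
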