03-29-2010 03:13 AM - edited 03-10-2019 05:02 PM
I have an issue with Cisco ACS and an Infoblox appliance. We want to authenticate users who log in on the Infoblox via the Cisco ACS. After that the ACS should reply with a passed (RADIUS) authentication and reply with an administrative groupname that the user belongs to on the Infoblox. To do this I have to import a VSA to have the option in the ACS to reply with this groupname. On the Infoblox these groups are already made and this must match the group that the ACS replies with.
Now I have imported the VSA and configured an AAA client (infoblox) to use the new RADIUS (VSA) to support the Infoblox. In the group settings I've turned on the Infoblox-Group_info attribute and filled in a specific groupname that the authenticated user belongs to. Now here comes the part where the group info is returned, but the Infoblox Appliance gives me a RADIUS error reply message. As I can see in the logs of the ACS the authentication part of the user is fine. So it has to be between the info that the ACS replies with, when the user logs in.
I've attached the VSA and a *.pcap of wireshark to see what's going on.
Can anyone advise or suggest any option that can make this thing work?
04-01-2010 01:21 AM
Please find attached accountsActions to delete it, and you can use your original accountsActions to re-add the VSA.
Hope that works.
03-29-2010 04:02 AM
Seems to be matching this bugID: CSCsv65072:
Which version are you running?
For 126.96.36.199, patch 8 or later has the fix.
For 188.8.131.52, patch 13 or later has the fix.
Hope that helps.
03-29-2010 07:30 AM
Thank you for your reply.
The version of ACS is 184.108.40.206 so it makes sense why this is not working.
Where can I apply for this patch?
03-29-2010 02:22 PM
03-30-2010 11:02 PM
Thanks for your info.
I've applied the patch 220.127.116.11.15, but the ACS still sends a malformed packet back to the Infoblox when a user tries to log in.
The ACS is rebooted and the VSA is re-enabled with the specific group info.
Am I missing something here?
03-31-2010 04:55 AM
Please remove the VSA, and re-add it. It should work after you re-add it.
03-31-2010 07:52 AM
Should I make a *.csv to delete all the records that the imported VSA.csv, as mentioned previously, has created?
This Cisco ACS is not my core knowledge.
Maybe you can confirm that I must use action code 161 to delete this VSA. I didn't see any option to delete it in the Solution Engine.
Can you put me in the right direction?
04-01-2010 01:21 AM
04-08-2010 07:25 AM
Unfortunately the above solution doesn't do the trick. When I delete the imported VSA, via the attached *.csv, the Infoblox attributes still show up when I re-add the Infoblox appliance to a network device group and there choose "Radius (Infoblox)" for the authentication. After deleting the VSA I have restarted the ACS SE. The returned acknowledgment from the ACS still presents a malformed packet. When I uncheck the checkbox of the "RADIUS (Infoblox)" attribute in the group settings, then it shows no malformed packet, but no group information is sent either.
Again I have imported the original accountsAction.csv and restarted the SE, but it still returns malformed packets.
Any other possibilities?
04-30-2010 12:19 AM
I have re-imaged the ACS with the recovery DVD and applied the patch 18.104.22.168.15. Next I imported the VSA and rebooted the server. After this I added the Infoblox appliance and could choose the VSA for authentication. Under "interface configuration" I clicked "INfoblox attributes" and checked the group specific info checkbox.
In the group setup you can check the group specific info and add a groupname that is also in the Infoblox appliance. When a user logs into the appliance it gets redirected to the right group.
Everything is working fine. I guess the ACS was a bit messy.
Thank you Halijenn for your great support.
04-30-2010 06:43 AM
Thanks for the update. Good to hear all is working fine now. Cheers.
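For anyone diagnosing a similar "malformed packet" from a capture, the following added example (not from the thread or from Cisco or Infoblox) checks the attribute list of a RADIUS reply against the RFC 2865 Vendor-Specific (type 26) layout. The Vendor-Id, sub-attribute type, group name and both sample packets are constructed placeholders, and the bad sub-length is only one illustrative way a VSA can be malformed; the thread does not say what was wrong in the actual reply.

```python
import struct

VSA_TYPE = 26  # Vendor-Specific attribute, RFC 2865 section 5.26

def check_vsa(value: bytes, offset: int) -> list:
    """Check one VSA value: 4-byte Vendor-Id, then type/length/value sub-attributes."""
    if len(value) < 5:
        return [f"offset {offset}: VSA too short for Vendor-Id plus data"]
    problems = []
    if value[0] != 0:
        problems.append(f"offset {offset}: Vendor-Id high-order octet is not 0")
    sub, i = value[4:], 0
    while i < len(sub):
        v_len = sub[i + 1] if i + 1 < len(sub) else 0
        if v_len < 2 or i + v_len > len(sub):
            problems.append(f"offset {offset}: sub-attribute at +{i} has bad length {v_len}")
            break
        i += v_len
    return problems

def check_radius_attributes(packet: bytes) -> list:
    """Return structural problems in a RADIUS packet's attributes (empty = well-formed)."""
    if len(packet) < 20:
        return ["packet shorter than the 20-byte RADIUS header"]
    length = struct.unpack("!H", packet[2:4])[0]
    problems = []
    if length != len(packet):
        problems.append(f"header length {length} != captured length {len(packet)}")
    pos, end = 20, min(length, len(packet))
    while pos < end:
        a_len = packet[pos + 1] if pos + 1 < end else 0
        if a_len < 2 or pos + a_len > end:
            problems.append(f"offset {pos}: attribute has bad length {a_len}")
            break
        if packet[pos] == VSA_TYPE:
            problems += check_vsa(packet[pos + 2:pos + a_len], pos)
        pos += a_len
    return problems

def build_accept(vsa_value: bytes) -> bytes:
    """Constructed sample: Access-Accept (code 2), zeroed authenticator, one VSA."""
    attr = bytes([VSA_TYPE, 2 + len(vsa_value)]) + vsa_value
    return struct.pack("!BBH", 2, 1, 20 + len(attr)) + bytes(16) + attr

VENDOR = struct.pack("!I", 99999)  # placeholder Vendor-Id, not a real vendor's
GROUP = b"admin-group"             # placeholder group name
GOOD = build_accept(VENDOR + bytes([1, 2 + len(GROUP)]) + GROUP)
BAD = build_accept(VENDOR + bytes([1, len(GROUP)]) + GROUP)  # length omits its 2 header bytes

if __name__ == "__main__":
    print("good:", check_radius_attributes(GOOD))
    print("bad: ", check_radius_attributes(BAD))
```

To use it on a real capture, pass the UDP payload of the Access-Accept exported from Wireshark to `check_radius_attributes`.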