04-20-2016 03:30 PM
Dear Community User.
Please find attached a simple and basic guide on how to configure TACACS+ on Cisco ACS with our Infoblox NIOS.
Lab prepared on ACS 5.4.0.x and NIOS 7.3.4.
With any comments or errors found, please contact me directly :-)
05-05-2017 07:50 AM
Hello, very nice PDF. We just set up ACS to support Infoblox and it works well, with one exception.
In ACS, under each TACACS ID profile there is an option to enable CHANGE PASSWORD AT NEXT LOGIN.
This is the forced password change feature in ACS: after an ID is created or the user's password is reset, ACS will make them create a NEW password the next time they try to log into a device. We enable this option across all accounts using Cisco ACS where the TACACS IDs and passwords are stored in the local ACS database. Now, for the IDs which we set up to access Infoblox, if we enable the CHANGE PASSWORD AT NEXT LOGIN feature, it does not work. The user logging into the CLI of the Infoblox gets access denied every time they try. The ACS logs show "invalid password or shared secret". Turning it off allows the user in fine.
Have you done any testing with ACS forcing a password change with this option selected? Security requirements call for all users to change their password after a new password is assigned following a reset or a new ID creation. We are not pointing to LDAP or AD; the IDs' passwords authenticate against the internal ACS database. ACS is version 5.8.
Maybe Infoblox does not support enforcement of the required password change?
Appreciate any info you might have.