Active Directory Authentication

Techie (Posts: 9)

Hi Community,

I hope this note finds you well.

Is it possible to configure AD authentication with a specific AD group?

So I just set up the authentication as below:

[Image: XYZ - AD Auth.PNG]

I can reach all the servers and it works well, but my concern is that "ALL USERS" will be able to log in to my appliance. My goal is that "ONLY SPECIFIC USERS" should be able to log in to my appliance. Should I set this up on the AD side or the Infoblox side?

Best Regards,

Ramadian

Re: Active Directory Authentication

Expert (Posts: 81)

Hello RSusetyo,

Not all users will have access just because your appliance has been configured to permit AD as an authentication source.

You must create a group in Active Directory, create a group with the SAME NAME in Infoblox and configure permissions on the Infoblox group. Also, you must edit your Authentication Policy to reflect the "Active Directory Service".

Infoblox will try to match the user's group in Active Directory with the group registered in the local base during the login process. If they match, Infoblox will assign the proper permissions based on your "Roles and Permissions" config and the user will have access granted or denied.

I have an article explaining the configuration steps. Please use Google's translate tool (the content is in Portuguese, but the images are in English):

http://www.agilitynetworks.com.br/blogdaagility/configuracao-de-autenticacao-externa-no-infoblox-gri...

This will get the job done.

Please let me know if this information helps you.

Rgds,

Paulo Costa

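A dry run of the login decision the reply above describes, written as an added example (not Infoblox code and not from the article linked). The memberOf values and local groups are constructed; it assumes the AD group name is the CN of the group DN, that the name comparison is case-insensitive, and that the first matching local group wins.

```python
from typing import Dict, List, Optional

# Constructed sample: the memberOf values an LDAP lookup of the user might return.
SAMPLE_MEMBER_OF: List[str] = [
    "CN=Domain Users,CN=Users,DC=example,DC=local",
    "CN=Smith\\, John's Team,OU=Groups,DC=example,DC=local",  # escaped comma inside the CN
    "CN=Infoblox-Admins,OU=Groups,DC=example,DC=local",
]

# Constructed local admin groups (same names as in AD), mapped to the role they carry.
LOCAL_GROUPS: Dict[str, str] = {
    "Infoblox-Admins": "superuser",
    "DNS-Operators": "dns-admin",
}


def leading_cn(dn: str) -> Optional[str]:
    """Value of the leading CN= RDN of a DN, honouring single-character backslash
    escapes (RFC 4514 hex-pair escapes are left out of this illustration)."""
    if dn[:3].upper() != "CN=":
        return None
    value, escaped = [], False
    for ch in dn[3:]:
        if escaped:
            value.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            break  # unescaped comma ends the first RDN
        else:
            value.append(ch)
    return "".join(value)


def resolve_access(member_of: List[str], local_groups: Dict[str, str]) -> Optional[str]:
    """Role granted to the user, or None (login denied) when no AD group CN matches a
    local group name. Assumed: case-insensitive comparison, first match wins."""
    by_name = {name.lower(): role for name, role in local_groups.items()}
    for dn in member_of:
        cn = leading_cn(dn)
        if cn is not None and cn.lower() in by_name:
            return by_name[cn.lower()]
    return None


if __name__ == "__main__":
    print(resolve_access(SAMPLE_MEMBER_OF, LOCAL_GROUPS))      # superuser
    print(resolve_access(SAMPLE_MEMBER_OF[:1], LOCAL_GROUPS))  # None
```

Running it over a directory export before enabling AD login shows exactly which accounts would land in which local group, and which would be refused.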
Re: Active Directory Authentication

Techie (Posts: 9)

Dear Paulo,

Thanks for your help, and it works properly :D

So basically I need to define a group and assign the specific user as memberOf that group.

Best Regards,

Ramadian

Re: Active Directory Authentication

Techie (Posts: 1)

Hello,

Is this article or document still available?

The current URL link says that the page is not available.

Regards, Markku

Re: Active Directory Authentication

Moderator (Posts: 62)

See the 7.1 Admin Guide, page 97, Authenticating Users using AD, if you haven't already.

Dave

@DaveSignori

Re: Active Directory Authentication

Expert (Posts: 81)

Hello,

We are facing a problem with our hosting provider that is causing the website's unavailability. As soon as they fix it, I'll be more than happy to inform you.

Have you succeeded in performing the configuration using the admin guide information? How can we help you?

Best Regards,

Paulo

Re: Active Directory Authentication

Expert (Posts: 81)

Hello,

The URL is available again at: http://www.blogagilitynetworks.com.br/blogdaagility/configuracao-de-autenticacao-externa-no-infoblox...

Please use Google Translate; the content is still written in Portuguese.

Regards,

Paulo

Re: Active Directory Authentication

Techie (Posts: 1)

We have a very large ACE for the AD auth. We recently noticed during an update of the ACE that the DNS service stopped accepting queries on the grid master candidate. The grid master did not have this behavior.

The outage was 45 seconds. Our theory is that the ACE is recompiled on any update and, since it is so large, it caused major CPU exhaustion... but it doesn't explain why the grid master did not report a DNS outage.

The DNS outage was detected by two separate F5 pairs in different locations via their health monitor.

I have a few questions...

Why did the candidate have an outage, but the master did not? They are both 4010's, and the master does not run DHCP services, but the candidate does DNS in addition to DHCP in an HA pairing with an 820... is there a "lockout" on a DHCP member on an ACE update that isn't present on a member just running DNS?

I can't understand why the master 4010 didn't have any DNS outage, but the candidate 4010 did, unless it is something to do with DHCP, as this is the only difference in services between the master and candidate.

If you have a large number of hosts, is using a named ACL with the IP addresses of the hosts better than using single ACE entries, i.e. does one cost more in terms of processing than the other when the number of entries reaches a large number?

Last... wildcard masking... we could wildcard mask to match on the ~700 entries as it is a cookie cutter IP scheme... there looks to be only standard netmasking in the ACE/ACL for Infoblox... if they implemented wildcard masking we could literally go from ~700 entries to less than 20... and hence any lockout due to rebuilding would become a non-issue...

Any insight or recommendations would be great... Thanks!

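The gap between wildcard masking and standard netmasks raised in the post above can be quantified: the function below, an added example that is not from the thread or from Infoblox, enumerates every address one Cisco-style wildcard entry would match (1 bits mean "don't care", an assumption) and merges them into the fewest standard CIDR prefixes. The addressing scheme in the demo is constructed.

```python
import ipaddress
from typing import List

MAX_FREE_BITS = 16  # cap enumeration at 65536 addresses for this illustration


def wildcard_to_cidrs(base: str, wildcard: str) -> List[ipaddress.IPv4Network]:
    """Smallest list of standard CIDR prefixes equivalent to one wildcard-mask match.

    Matching addresses are enumerated bit by bit, then merged with
    collapse_addresses(), which joins adjacent and overlapping prefixes.
    """
    base_int = int(ipaddress.IPv4Address(base))
    wc_int = int(ipaddress.IPv4Address(wildcard))
    free_bits = [b for b in range(32) if (wc_int >> b) & 1]  # "don't care" bit positions
    if len(free_bits) > MAX_FREE_BITS:
        raise ValueError("wildcard covers too many addresses to enumerate here")
    fixed = base_int & (~wc_int & 0xFFFFFFFF)  # bits the match pins down
    hosts = []
    for combo in range(1 << len(free_bits)):
        addr = fixed
        for i, bit in enumerate(free_bits):
            if (combo >> i) & 1:
                addr |= 1 << bit
        hosts.append(ipaddress.IPv4Network((addr, 32)))
    return list(ipaddress.collapse_addresses(hosts))


def entry_count(base: str, wildcard: str) -> int:
    """How many standard-netmask entries the single wildcard match would need."""
    return len(wildcard_to_cidrs(base, wildcard))


if __name__ == "__main__":
    # Constructed cookie-cutter scheme: one resolver at host .10 of 10.<site>.1.0/24 per site.
    # One wildcard entry 10.0.1.10 / 0.255.0.0 covers all 256 sites ...
    print(entry_count("10.0.1.10", "0.255.0.0"))  # 256 (one /32 per site with standard netmasks)
    # ... while a wildcard over a contiguous block collapses to a single prefix.
    print(entry_count("10.0.0.0", "0.0.0.255"))   # 1
```

The first case is the situation described in the post: when the varying bits sit in the middle of the address, no standard netmask can summarise them, so the entry count grows with the number of sites.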