05-17-2016 01:45 AM - edited 05-17-2016 01:49 AM
I hope this note finds you well.
Is it possible to configure AD authentication with a specific AD group?
So I just set up the authentication as below:
I can reach all the servers and it works well, but my concern is that "ALL USERS" will be able to log in to my appliance. My goal is that "ONLY SPECIFIC USERS" should be able to log in to my appliance. Should I set this up on the AD side or the Infoblox side?
05-17-2016 10:06 AM
Not all users will have access just because your appliance has been configured to permit AD as an authentication source.
You must create a group in Active Directory, create a group with the SAME NAME in Infoblox and configure permissions on the Infoblox group. Also, you must edit your Authentication Policy to reflect the "Active Directory Service".
Infoblox will try to match the user group in the Active Directory and the group registered in the local base during the login process. If they match, Infoblox will assign proper permissions based on your "Roles and Permissions" config and the user will have its access granted or denied.
I have an article explaining the configuration steps. Please use the translate tool from Google (content in Portuguese, but images are in English).
This will get the job done.
Please let me know if this information helps you.
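The login-time decision described in the answer above, as an added example (not Infoblox code): the AD group names a user is a member of are compared against the locally defined admin groups, the first match decides the role and permissions, and a user with no matching group is denied. The local group table and the `memberOf` values are constructed for the example; it assumes matching is by group name (CN) only, case-insensitively, and that group CNs contain no escaped commas.

```python
"""Model of the group match performed at login, as described above.

Constructed inputs: a local table of Infoblox admin groups with their
roles, and a list of AD 'memberOf' DNs as an LDAP query would return them.
Assumption: the match is on the group name (CN) only; no match means deny.
"""

# Constructed local admin groups (the Infoblox side): name -> role/permissions.
LOCAL_ADMIN_GROUPS = {
    "infoblox-admins": {"role": "DNS Admin", "permissions": ["dns:rw", "dhcp:rw"]},
    "infoblox-readonly": {"role": "Read Only", "permissions": ["dns:ro"]},
}


def cn_from_dn(dn):
    """Return the CN from a DN such as 'CN=infoblox-admins,OU=Groups,DC=example,DC=com'.

    Assumes the CN contains no escaped commas (simple DN split).
    """
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None


def decide_login(member_of, local_groups=LOCAL_ADMIN_GROUPS):
    """Return (granted, matched_group, role, permissions) for one login attempt.

    member_of: list of group DNs from the user's AD 'memberOf' attribute.
    Group names are compared case-insensitively; the first local group that
    the user is a member of wins; no match -> access denied.
    """
    ad_groups = set()
    for dn in member_of:
        cn = cn_from_dn(dn)
        if cn:
            ad_groups.add(cn.lower())
    for name, cfg in local_groups.items():
        if name.lower() in ad_groups:
            return True, name, cfg["role"], list(cfg["permissions"])
    return False, None, None, []


if __name__ == "__main__":
    # Constructed memberOf values for two users.
    admin_user = [
        "CN=Domain Users,CN=Users,DC=example,DC=com",
        "CN=infoblox-admins,OU=Groups,DC=example,DC=com",
    ]
    plain_user = ["CN=Domain Users,CN=Users,DC=example,DC=com"]
    print(decide_login(admin_user))  # granted, DNS Admin
    print(decide_login(plain_user))  # denied: no local group with a matching name
```

The second user is a valid AD account that authenticates fine against the domain, yet is denied because none of its groups has a counterpart on the Infoblox side, which is the behaviour the original question was after.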
05-18-2016 12:53 AM - edited 05-19-2016 05:42 AM
Thanks for your help, and it works properly.
So basically I need to define a group and assign the specific user as a memberOf that group.
12-30-2016 12:01 AM
Is this article or document still available?
The current URL link is saying that the page is not available.
01-03-2017 04:00 PM
We are facing a problem with our hosting provider that is causing the website to be unavailable. As soon as they fix it I'll be more than happy to inform you.
Have you succeeded in performing the configuration using the admin guide information? How can we help you?
01-04-2017 05:08 AM
URL is available again at: http://www.blogagilitynetworks.com.br/blogdaagility/configuracao-de-autenticacao-externa-no-infoblox...
Please use Google Translate; the content is still written in Portuguese.
04-29-2017 05:33 AM
We have a very large ACE for the AD auth. We recently noticed during an update of the ACE that the DNS service stopped accepting queries on the grid master candidate. The grid master did not have this behavior.
The outage was 45 seconds. Our theory is that the ACE is recompiled on any update and since it is so large it caused a major CPU exhaustion...but it doesn't explain why the grid master did not report a DNS outage.
The DNS outage was detected by two separate F5 pairs in different locations via their health monitor.
I have a few questions...
Why did the candidate have an outage, but the master did not...they are both 4010's and the master does not run DHCP services, but the candidate does DNS in addition to DHCP in an HA pairing with an 820...is there a "lockout" on a DHCP member on an ACE update that isn't present on a member just running DNS?
I can't understand why the master 4010 didn't have any DNS outage, but the candidate 4010 did, unless there is something to do with DHCP, as this is the only difference in services between the master and candidate.
If you have a large number of hosts, is using a named ACL with the IP addresses of the hosts better than using single ACE entries...i.e. does one cost more in terms of processing than the other when the number of entries reaches a large number?
Last...wildcard masking...we could wildcard mask to match on the ~700 entries as it is a cookie cutter IP scheme...there looks like there is only standard netmasking in the ACE/ACL for Infoblox...if they implemented wildcard masking we could literally go from ~700 entries to less than 20...and hence any lockout due to rebuilding would become a non-issue...
Any insight or recommendations would be great...Thanks!
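The wildcard-mask point raised in the post above, worked through as an added example (not Infoblox code, and not a statement about what the product supports): a "cookie cutter" scheme with one host at the same last octet in every /24 cannot be collapsed by contiguous netmasks at all, because no two of those addresses are adjacent and aligned, whereas a single wildcard-masked entry covers them exactly. The address scheme is constructed (the .7 host of every /24 in 10.10.0.0/16, 256 hosts); the ~700-entry scheme in the post is assumed to be similar in shape. The example also checks that the wildcard entry does not over-match anything else in the range, which is the caveat to watch when a mask is made wider.

```python
"""Added example: prefix (netmask) entries versus one wildcard-mask entry
for a constructed cookie-cutter host scheme.  Not Infoblox code."""
import ipaddress


def _to_int(addr):
    return int(ipaddress.ip_address(addr))


def cookie_cutter_hosts(prefix="10.10.0.0/16", host_octet=7):
    """Constructed address set: the .<host_octet> address of every /24 in prefix."""
    net = ipaddress.ip_network(prefix)
    return [ipaddress.ip_address(int(sub.network_address) + host_octet)
            for sub in net.subnets(new_prefix=24)]


def prefix_entries(hosts):
    """Minimal list of CIDR entries (standard contiguous netmask) covering
    exactly these hosts; collapse_addresses merges only aligned neighbours."""
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(f"{h}/32") for h in hosts))


def wildcard_match(addr, base, wildcard):
    """Wildcard-mask semantics (as in router ACLs): a 1 bit in the mask means
    'don't care', so only the 0 bits of the mask are compared."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def wildcard_matches_exactly(hosts, base, wildcard, universe):
    """True if the wildcard entry matches every host and nothing else in universe."""
    want = {int(h) for h in hosts}
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    base_bits = _to_int(base) & care
    got = {int(a) for a in ipaddress.ip_network(universe)
           if (int(a) & care) == base_bits}
    return want == got


def compare(prefix="10.10.0.0/16", host_octet=7):
    """Entry counts needed for the constructed scheme under each masking style."""
    net = ipaddress.ip_network(prefix)
    hosts = cookie_cutter_hosts(prefix, host_octet)
    base = ipaddress.ip_address(int(net.network_address) + host_octet)
    exact = wildcard_matches_exactly(hosts, base, "0.0.255.0", prefix)
    return {
        "hosts": len(hosts),
        "prefix_entries": len(prefix_entries(hosts)),
        "wildcard_entries": 1 if exact else None,
        "wildcard_entry": f"{base} wildcard 0.0.255.0" if exact else None,
    }


if __name__ == "__main__":
    print(compare())  # constructed scheme: 256 hosts, 256 prefix entries, 1 wildcard entry
```

The `wildcard_matches_exactly` check is the part worth keeping around: a wildcard mask trades entry count for expressiveness, and a mask that is one bit too wide silently admits addresses the scheme never intended, so any collapsed list should be verified against the full address range before it replaces the explicit entries.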