BlueCoat PacketShaper TACACS Authentication

Aruba Employee

This document describes how to configure a BlueCoat PacketShaper for web (GUI) authentication against ClearPass using either TACACS+ or RADIUS. 

 

Environment:

Web authentication from PacketShaper against ClearPass. This has been verified with ClearPass 6.3.x and 6.4.x. 

 

On the PacketShaper, configure TACACS+ or RADIUS authentication and set the authentication method to ASCII (TACACS+) or PAP (RADIUS). Then create the matching service in ClearPass as described below.

 

  • Add the PacketShaper as a network device under Configuration → Network → Devices with the appropriate shared secret.
  • In ClearPass, import the Shell.xml file, which is the default Shell dictionary amended with the 'access' and 'role' attributes (see the section below on creating this file). Import it under Policy Manager → Administration → Dictionary → TACACS+ Service → Import.
  • Create a new 'TACACS+ Based Enforcement' profile with the 'Shell' service selected and the service attribute "Type- Shell | Name- access | Value- touch". Save the newly created enforcement profile. 
  • Map this enforcement profile in the service's enforcement policy. 

Below is a sample service configuration (four screenshots of the TACACS+ service, enforcement profile and enforcement policy; images not reproduced here). 

Radius Based Service configuration:

For RADIUS-based authentication in ClearPass, follow the steps below to create a service. 

  • Add the PacketShaper as a network device under Configuration → Network → Devices with the appropriate shared secret.
  • Enable 'Packeteer | Vendor ID- 2334' under Administration → Dictionaries → Radius. 
  • Create a new enforcement profile with "Type- Radius:Packeteer | Name- Packeteer-AVPair | Value- access=touch".
  • Create an enforcement policy and map the newly created enforcement profile. 
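The RADIUS step above returns the "access=touch" string to the PacketShaper inside a Vendor-Specific Attribute for vendor ID 2334. The following Python is an added example (not part of this article or of ClearPass) that encodes such an attribute the way it appears on the wire and decodes it back, which is useful when checking a packet capture of the Access-Accept. The RADIUS VSA layout (type 26, vendor ID, then vendor-type/length/value) is per RFC 2865; the vendor type number 1 for Packeteer-AVPair is an assumption taken from the common FreeRADIUS dictionary layout and should be confirmed against the ClearPass Packeteer dictionary.

```python
import struct

RADIUS_VSA_TYPE = 26          # Vendor-Specific attribute type (RFC 2865 section 5.26)
PACKETEER_VENDOR_ID = 2334    # 'Packeteer | Vendor ID- 2334' from the ClearPass dictionary
PACKETEER_AVPAIR_TYPE = 1     # ASSUMED vendor type for Packeteer-AVPair; verify in your dictionary


def encode_packeteer_avpair(avpair: str) -> bytes:
    """Encode one Packeteer-AVPair string as a RADIUS Vendor-Specific attribute.

    Layout: [26][len][vendor-id(4)][vendor-type][vendor-len][value...]
    """
    data = avpair.encode("ascii")
    # RFC 2865 limits an attribute to 253 bytes; 2 (outer hdr) + 4 (vendor id) + 2 (inner hdr)
    if len(data) > 253 - 8:
        raise ValueError("AVPair too long for a single VSA")
    inner = struct.pack("!BB", PACKETEER_AVPAIR_TYPE, len(data) + 2) + data
    body = struct.pack("!I", PACKETEER_VENDOR_ID) + inner
    return struct.pack("!BB", RADIUS_VSA_TYPE, len(body) + 2) + body


def decode_vsas(attrs: bytes):
    """Walk a RADIUS attribute blob and return [(vendor_id, vendor_type, value_bytes), ...].

    Non-VSA attributes are skipped; truncated or zero-length attributes raise.
    """
    out = []
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        if atype == RADIUS_VSA_TYPE and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j, end = i + 6, i + alen
            while j + 2 <= end:
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > end:
                    raise ValueError("malformed vendor attribute at offset %d" % j)
                out.append((vendor_id, vtype, attrs[j + 2:j + vlen]))
                j += vlen
        i += alen
    return out


def packeteer_access(attrs: bytes):
    """Return the access level ('touch' or 'look') carried by a Packeteer-AVPair, or None."""
    for vendor_id, vtype, value in decode_vsas(attrs):
        if vendor_id == PACKETEER_VENDOR_ID and vtype == PACKETEER_AVPAIR_TYPE:
            key, _, val = value.decode("ascii", "replace").partition("=")
            if key == "access":
                return val
    return None


if __name__ == "__main__":
    # Constructed sample: a Reply-Message (type 18) followed by the Packeteer VSA
    sample = bytes([18, 4]) + b"ok" + encode_packeteer_avpair("access=touch")
    print(sample.hex())
    print("access level:", packeteer_access(sample))
```

If the PacketShaper still denies the login, compare the decoded vendor ID and value against what ClearPass shows in the Access Tracker output tab; a mismatch in vendor ID (wrong dictionary enabled) or a value other than touch/look is the usual cause.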

Sample service screenshots (RADIUS service, enforcement profile and enforcement policy; images not reproduced here). 

Once configured, test an authentication from the PacketShaper GUI. 

 

Creating the TACACS+ dictionary XML file:

Copy the content below into a text editor and save it as Shell.xml: 

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Fri Dec 12 20:02:55 IST 2014" version="6.3"/>
  <TacacsServiceDictionaries>
    <TacacsServiceDictionary dispName="Shell" name="shell">
      <ServiceAttribute dataType="String" dispName="Access control list" name="acl"/>
      <ServiceAttribute dataType="String" dispName="Auto command" name="autocmd"/>
      <ServiceAttribute dataType="String" dispName="Callback line" name="callback-line"/>
      <ServiceAttribute dataType="String" dispName="Callback rotary" name="callback-rotary"/>
      <ServiceAttribute allowedValuesCsv="true,false" dataType="String" dispName="No callback verify" name="nocallback-verify"/>
      <ServiceAttribute dataType="Unsigned32" dispName="Idle time" name="idletime"/>
      <ServiceAttribute dataType="Unsigned32" dispName="Timeout" name="timeout"/>
      <ServiceAttribute dataType="Unsigned32" dispName="Privilege level" name="priv-lvl"/>
      <ServiceAttribute allowedValuesCsv="true,false" dataType="String" dispName="No hangup" name="nohangup"/>
      <ServiceAttribute allowedValuesCsv="true,false" dataType="String" dispName="No escape" name="noescape"/>
      <ServiceAttribute allowedValuesCsv="touch,look" dataType="String" dispName="access" name="access"/>
      <ServiceAttribute dataType="String" dispName="role" name="role"/>
    </TacacsServiceDictionary>
  </TacacsServiceDictionaries>
</TipsContents>
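Before importing Shell.xml, and again when an enforcement profile unexpectedly fails, it helps to confirm that the dictionary actually defines the attributes the profile references and that the chosen value is one of the allowed ones. The following Python is an added example (not part of this article or of ClearPass) that parses the TipsContents format shown above and validates a "Type- Shell | Name- access | Value- touch" style attribute against it. The embedded XML is a constructed, trimmed copy of the dictionary above; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Namespace used by ClearPass dictionary exports (from the Shell.xml above)
TIPS_NS = "http://www.avendasys.com/tipsapiDefs/1.0"

# Constructed sample: the amended Shell dictionary, trimmed to the attributes
# that matter for the PacketShaper enforcement profile.
SHELL_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Fri Dec 12 20:02:55 IST 2014" version="6.3"/>
  <TacacsServiceDictionaries>
    <TacacsServiceDictionary dispName="Shell" name="shell">
      <ServiceAttribute dataType="Unsigned32" dispName="Privilege level" name="priv-lvl"/>
      <ServiceAttribute allowedValuesCsv="touch,look" dataType="String" dispName="access" name="access"/>
      <ServiceAttribute dataType="String" dispName="role" name="role"/>
    </TacacsServiceDictionary>
  </TacacsServiceDictionaries>
</TipsContents>
"""


def _q(tag):
    """Qualify a tag name with the TipsContents namespace."""
    return "{%s}%s" % (TIPS_NS, tag)


def load_service_attributes(xml_text, service="shell"):
    """Return {attribute_name: set(allowed values) or None} for one TACACS+ service dictionary.

    None means the dictionary places no restriction on the value (free-form string).
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    attrs = {}
    for svc in root.iter(_q("TacacsServiceDictionary")):
        if svc.get("name") != service:
            continue
        for sa in svc.findall(_q("ServiceAttribute")):
            csv = sa.get("allowedValuesCsv")
            attrs[sa.get("name")] = set(csv.split(",")) if csv else None
    return attrs


def check_enforcement_attribute(attrs, name, value):
    """Validate an enforcement-profile attribute (Name/Value) against the loaded dictionary.

    Returns (ok, reason) so the caller can log why an import or profile would fail.
    """
    if name not in attrs:
        return False, "attribute '%s' is not defined in the shell dictionary; import Shell.xml first" % name
    allowed = attrs[name]
    if allowed is not None and value not in allowed:
        return False, "value '%s' is not among allowed values %s for '%s'" % (value, sorted(allowed), name)
    return True, "ok"


if __name__ == "__main__":
    shell = load_service_attributes(SHELL_XML)
    for name, value in (("access", "touch"), ("access", "admin"), ("role", "ops"), ("priv", "15")):
        print(name, value, check_enforcement_attribute(shell, name, value))
```

Point the script at the real export (read the file instead of SHELL_XML) to catch the two common mistakes: importing the stock Shell dictionary without the 'access'/'role' additions, and typing a value other than touch or look in the profile.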

If the login fails with a "password incorrect" error, check the request in the ClearPass Access Tracker. 

For both TACACS+ and RADIUS, verify that the user was assigned the '[User Authenticated]' role and that the correct enforcement profile was applied (for TACACS+ under the Policies tab, for RADIUS under the Summary tab). 

 

 

Version history: Revision 1 of 1. Last update: 04-08-2015 07:13 AM.