AAA, NAC, Guest Access & BYOD

How to Configure management authentication for ClearPass against AD

by 07-17-2014 07:28 AM - edited 07-17-2014 07:35 AM

Introduction: This article explains:

    i) Authenticating CPPM management users from AD.
    ii) Configuring the services on CPPM for authentication.
    iii) Using a TACACS+ service for authentication.


Feature Notes: An AD domain controller authenticates and authorizes all users and computers in a Windows domain network. CPPM can use AD both to authenticate CPPM management users and to authorize them with role-based access.

Environment: This knowledge base article is written for CPPM 6.x.

Configuration Steps:

The following steps are to be followed.

1: Add Active Directory as an Authentication Source.
2: Configure the TACACS+ service on CPPM to authenticate management users.

Please refer to the detailed steps below.

2a: Log in to CPPM as an admin user, browse to Configuration » Services and click "Add new service". It will open a new window as below.

[Screenshot]

Select the following details:

Type: TACACS+ Enforcement
Name: This will be the name of the service.
Description: Add a note for the user's understanding.
Make sure that the Authorization option is checked. It is required for role-based authorization.
Add a rule as shown above: it means that any connection with NAD-IP as local host (127.0.0.1) should hit this service.
Click Next.


2b: In this screen, add Active Directory as the Authentication Source and hit "Next".

[Screenshot]

2c: Make sure that Active Directory is added as an authentication source under this and hit "Next".

[Screenshot]



2d: On this page click "Add new Role Mapping Policy". This will open a new window as below.

[Screenshot]

On this page, we can set the Default Role to a Read Only role. Click "Next".

On this window, we will add roles for authorization.

[Screenshot]

The rule above means: if the user is a member of Domain Admins, he will authenticate with a Super Admin role.

Similarly, we can add new rules based on our requirements as below, making sure that the following option is set:

Rules Evaluation Algorithm: First applicable

[Screenshot]

Once all the rules are configured, click Save and the screen returns to the service configuration. Select the role mapping policy we just created.

[Screenshot]


2e: Now, if required, we can add the Enforcement profile.

Select the default profile "[Admin Network Login Policy]" from the drop-down.

[Screenshot]

Save the configuration.

Once done, log out and log in with a remote user (a user which exists in AD) and verify.



Verification: Log in to CPPM as an AD user.

I used a user "super-user" which is a member of the "Domain-Admins" group. As per our configuration, we should get the "TACACS Super Admin" role.

After logging in, navigate to Monitoring » Live Monitoring » Access Tracker and click the most recent event with user name "your_user". In this test, username = super-user.

[Screenshot]

Click on Policies to check the Role.

[Screenshot]



Comments

The problem here is that anyone with an AD account will be granted read-only access. How do you create a default enforcement profile for TACACS that rejects access?

Hi Ben,

In the above (article) Role Mapping Policy, the default role is set to [TACACS Read-only Admin]; that is why anyone with an AD account is able to get read-only access.

Please change the default role to any other role like [Guest] or [Other] in your Role Mapping Policy, which will reject access to unauthorized AD accounts.

[Screenshot]

Well, thanks, it works. But it's a shame this is not intuitive and is inconsistent with the enforcement profiles system.

Hi Ben,

As per the Service, the enforcement profiles will be applied based on the given role. Policy Manager assigns roles to the user/client as per the role mapping policy and then, based on the matching role, we apply the enforcement profiles.

Policy Manager evaluates the conditions in the role mapping to assign the roles. Users/clients not meeting the conditions will be assigned the default role. In the original article the default role is [TACACS Read-only Admin], and the Enforcement Policy is set to assign the "Read-only Administrator" privilege to any user who gets the role [TACACS Read-only Admin].

In the above comment, you were requested to change the default role in the role mapping to [Guest], so that the users not meeting the conditions derived in the role mapping will get the [Guest] role, and when it goes to the enforcement policy evaluation the [Guest] role won't match any of the conditions and ends up getting the default enforcement profile [TACACS Deny Profile], which rejects the access/authentication request.

Below are the default admin privileges available in CPPM.

Navigation: Administration >> Users and Privileges >> Admin Privileges.

[Screenshot]

Please follow the below steps if you wish to create your own enforcement Policy/Profiles.

Step 1: Creating Enforcement Profiles.

Go to Configuration >> Enforcement >> Profiles >> Add >> Template >> TACACS+ Based Enforcement and create the enforcement profiles with the required privileges as shown below.

Ex:

Profile Name: Super Administrator

[Screenshot]

Profile Name: Helpdesk

[Screenshot]

Step 2: Creating Enforcement Policies.

Go to Configuration >> Enforcement >> Policies >> Add >> set the Enforcement Type to TACACS+ and set the Default Role to [TACACS Deny Profile]. Derive the rules as per your requirement and map the Enforcement profiles.

Ex-1:

[Screenshot]

Ex-2: If you wish to skip the Role Mapping, you could derive the enforcement policy as shown below and just map it to the service (role mapping is not required).

[Screenshot]
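To make the two-stage evaluation concrete (the "First applicable" role mapping from step 2d of the article, and the default-role / default-profile interaction explained in the reply above), here is a small Python model added for illustration. It is not ClearPass code: the class names, the dict shapes and the "Domain Admins" group name are this example's own assumptions; the role and profile names are the ones used in the article and the thread.

```python
from dataclasses import dataclass

DENY = "[TACACS Deny Profile]"  # CPPM's default TACACS+ enforcement profile, as named in the thread

@dataclass
class RoleMappingPolicy:
    # Each rule: (AD group the user must belong to, CPPM role assigned on match).
    rules: list[tuple[str, str]]
    default_role: str
    evaluate_all: bool = False  # False = "First applicable", True = "Evaluate all"

    def assign_roles(self, member_of: set[str]) -> set[str]:
        """Stage 1: derive roles from AD group membership, else fall back to the default role."""
        roles: set[str] = set()
        for group, role in self.rules:
            if group in member_of:
                roles.add(role)
                if not self.evaluate_all:
                    break  # "First applicable": stop at the first matching rule
        return roles or {self.default_role}

@dataclass
class EnforcementPolicy:
    # Each rule: role -> TACACS+ enforcement profile; no matching role -> default profile.
    rules: dict[str, str]
    default_profile: str = DENY

    def select_profile(self, roles: set[str]) -> str:
        """Stage 2: first enforcement rule whose role the user holds, else the default profile."""
        for role, profile in self.rules.items():
            if role in roles:
                return profile
        return self.default_profile

# Enforcement policy as described in the thread (profile names are the comment's own examples).
ENFORCEMENT = EnforcementPolicy({
    "[TACACS Super Admin]": "Super Administrator",
    "[TACACS Read-only Admin]": "Read-only Administrator",
})

# Rule from the article: members of Domain Admins get the Super Admin role (group name assumed).
ADMIN_RULE = [("Domain Admins", "[TACACS Super Admin]")]
# Article's setting: default role Read-only Admin, so every AD account logs in read-only.
ARTICLE_POLICY = RoleMappingPolicy(ADMIN_RULE, default_role="[TACACS Read-only Admin]")
# Fix from the comments: default role [Guest] matches no enforcement rule, so the login is denied.
FIXED_POLICY = RoleMappingPolicy(ADMIN_RULE, default_role="[Guest]")

def admin_login(member_of: set[str], role_mapping: RoleMappingPolicy) -> str:
    """Return the enforcement profile a management login would receive."""
    return ENFORCEMENT.select_profile(role_mapping.assign_roles(member_of))
```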

Ah, that's how I expected it to work. I looked for the 'TACACS Deny Profile' on my system but did not find it. It may have been inadvertently deleted.


Hi Saravanan,

What will happen if the AD server is unreachable? Will we be able to log in to CPPM using the default username and password?

Thank you.

 


Yes, that account will work at any time.
