AAA, NAC, Guest Access & BYOD

How to authenticate Riverbed admin users against ClearPass over TACACS

Posted on 08-07-2014 07:07 AM

This article explains how to authenticate Riverbed management/admin users against ClearPass over TACACS+ and how to assign them their admin privilege from ClearPass.

Riverbed Configuration:

Step 1: Log in to Riverbed, navigate to Configure > Security > TACACS+, and add ClearPass as a TACACS+ server.

[Screenshot: Riverbed TACACS+ server configuration page]

Step 2: Go to Configure > Security > General Security Settings, set the Authentication Methods to "TACACS+; Local", and set the Authorization Policy to "Remote Only".

[Screenshot: Riverbed General Security Settings page]

ClearPass Configuration:

The TACACS+ service dictionary below must be imported before the Enforcement Profile can be configured.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Mon Jul 21 13:45:36 CDT 2014" version="6.3"/>
  <TacacsServiceDictionaries>
    <TacacsServiceDictionary dispName="Riverbed" name="rbt-exec:unknown">
      <ServiceAttribute dataType="String" dispName="local-user-name" name="local-user-name"/>
    </TacacsServiceDictionary>
  </TacacsServiceDictionaries>
</TipsContents>

Step 1: Copy the above content into a text editor and save it as an .xml file. Log in to ClearPass Policy Manager, go to Administration > Dictionaries > TACACS Services, and import the file.

Step 2: Add the Riverbed hostname/IP address as a Network Device in ClearPass under Configuration > Network > Devices. (Use the same shared secret on both Riverbed and CPPM.)

Step 3: Create a TACACS+ based Enforcement Profile, as shown below, that returns the admin privilege to Riverbed.

Note: admin and monitor are the two default privileges in Riverbed.

[Screenshot: ClearPass TACACS+ Enforcement Profile returning local-user-name = admin]

Step 4: Create a TACACS+ Service and map the above profile in its Enforcement Policy to authenticate and authorize the users.

[Screenshot: ClearPass TACACS+ Service with the Enforcement Policy mapped]

In the XML file, note that the TacacsServiceDictionary name is "rbt-exec:unknown". This is the Service/Protocol value that Riverbed sends in the TACACS+ Authorization Query during authentication, so the dictionary name has to match it exactly.

See the pcap output below for reference.

[Screenshot: pcap of the TACACS+ Authorization Query from Riverbed showing service rbt-exec:unknown]

The output below confirms authentication success and the privilege/role being returned to Riverbed.

[Screenshot: ClearPass output showing Auth Success and the returned privilege/role]
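As an added example (not code from the article, Riverbed or Aruba), the following Python models the TACACS+ authorization exchange described above using only the RFC 8907 authorization REQUEST and REPLY body layouts; the 12-byte packet header and the body obfuscation are omitted by assumption. The Riverbed side is assumed to send the arguments service=rbt-exec and protocol=unknown, and the dictionary table, user-to-privilege map and sample values are constructed stand-ins.

```python
"""TACACS+ authorization bodies per RFC 8907 (no header/obfuscation; constructed example)."""
import re
import struct

AUTHOR_STATUS_PASS_ADD = 0x01   # RFC 8907 6.2: authorized, add the returned args
AUTHOR_STATUS_FAIL = 0x10       # RFC 8907 6.2: authorization denied
# Constructed stand-in for the imported ClearPass dictionary: "service:protocol" ->
# attributes the enforcement profile may return (names taken from the article's XML).
SERVICE_DICTIONARIES = {"rbt-exec:unknown": {"local-user-name"}}

def build_author_request(user, port, rem_addr, args, priv_lvl=1):
    """Encode an authorization REQUEST body (RFC 8907 6.1). Assumes
    authen_method=TACACSPLUS, authen_type=ASCII, authen_service=LOGIN."""
    fields = [s.encode() for s in (user, port, rem_addr)]
    arg_bs = [a.encode() for a in args]
    body = struct.pack("!8B", 0x06, priv_lvl, 0x01, 0x01,
                       *(len(f) for f in fields), len(arg_bs))
    return body + bytes(len(a) for a in arg_bs) + b"".join(fields + arg_bs)

def parse_author_request(body):
    """Decode a REQUEST body into (user, {arg_name: value}); both the mandatory
    '=' and the optional '*' argument separators of RFC 8907 are accepted."""
    ulen, plen, rlen, argc = struct.unpack("!4B", body[4:8])
    arg_lens, off = body[8:8 + argc], 8 + argc
    user, off = body[off:off + ulen].decode(), off + ulen + plen + rlen
    args = {}
    for n in arg_lens:
        name, value = re.match(r"([^=*]*)[=*]?(.*)", body[off:off + n].decode()).groups()
        args[name] = value
        off += n
    return user, args

def build_author_reply(status, args, server_msg=""):
    """Encode an authorization REPLY body (RFC 8907 6.2); the data field is left empty."""
    msg_b, arg_bs = server_msg.encode(), [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(arg_bs), len(msg_b), 0)
    return body + bytes(len(a) for a in arg_bs) + msg_b + b"".join(arg_bs)

def authorize(request_body, privilege_by_user):
    """Server-side decision modelled on the article (a constructed model, not
    ClearPass's own logic): PASS_ADD carrying local-user-name when the requested
    service:protocol has an imported dictionary and the user has a mapped privilege."""
    user, args = parse_author_request(request_body)
    key = f"{args.get('service', '')}:{args.get('protocol', '')}"
    if "local-user-name" not in SERVICE_DICTIONARIES.get(key, set()):
        return build_author_reply(AUTHOR_STATUS_FAIL, [], f"Tacacs service={key} not enabled")
    if user not in privilege_by_user:
        return build_author_reply(AUTHOR_STATUS_FAIL, [], "no privilege mapped for user")
    return build_author_reply(AUTHOR_STATUS_PASS_ADD, [f"local-user-name={privilege_by_user[user]}"])
```

Encoding a request with any service other than rbt-exec:unknown, or with no matching dictionary entry, yields a FAIL reply carrying a "not enabled" message, which is the symptom to check for when the service name in the dictionary and the one Riverbed sends do not match.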

Comments
crescentwire
This is a great guide, but I'm wondering if the steps change at all if you use the role of "monitor" instead of "admin"? For example, if you wanted to provide read-only access to an end-user, you would not want to use the "admin" role. You'd want to use "monitor" instead. I have not been able to get this to work (I receive an error message within CPPM, stating, "Tacacs service=rbt-exec:unknown not enabled."). Have you tried this at all, and if so, what success have you had?