
How to perform management authentication of Cisco Switch against Clearpass

Introduction - Clearpass can act as a TACACS server and perform management authentication for Cisco switches by returning the privilege levels configured on the switch.


Environment - Tested with Clearpass versions 6.1.x to 6.4.4


Configuration Steps - Before we attempt to create a service, we shall first create the different enforcement profiles required for the different types of devices. An enforcement profile is the set of attributes that ClearPass sends down to the device a user is trying to access; these attributes determine the level of access the end user gets. For example, we could give one user read-only privileges on the Aruba controller while giving another user full admin access.
To create an enforcement profile, first navigate to Configuration > Enforcement > Profiles > click on "Add Enforcement Profile".
From the enforcement profile wizard, select "TACACS+ Enforcement" as the Template.



In the Services tab, select the privilege level to return to the switch, then select the service that will be used to provide access. For a Cisco switch we use the shell service, because the returned privilege level applies to the user's exec shell:



From the Service Attributes section, select Shell as the attribute type, priv-lvl as the attribute name and enter the desired value. Here we use 15 for admin privilege and 1 for read only privileges.



In the Commands tab, select the checkbox "Enable to permit unmatched commands" if you want to allow the user to execute any command.




If you wish to specify what commands the user can execute, then uncheck the check box mentioned above and list the commands as shown below:


Now create another enforcement profile for read-only users as shown in the screenshots below. The privilege level in this case would be 1.


Navigate to Configuration > Services > Click on “Add Service”
In the Services Configuration Wizard that comes up, select TACACS+ Enforcement as the Type


Select the appropriate authentication sources (Local User Repository, Active Directory, Generic LDAP, etc.)


Now under the Enforcement tab, we can either use the default enforcement policy or we can add a custom enforcement policy to leverage AD group membership:

Click on Add new Enforcement Policy



In the rules tab, we add the conditions to provide access:


And a similar one for read only access:



Now we have our set of rules which define access:


Cisco switch configuration commands for TACACS authentication (the TACACS+ server address and shared key are assumed to be defined on the switch already; they are not listed here):

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable

Commands used for authorization against TACACS server:

aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated

Commands used to enable TACACS Accounting to the TACACS server:

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
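To make the "Shell / priv-lvl / 15" attribute concrete, the following Python script walks through the TACACS+ authorization exchange (RFC 8907) that the exec authorization commands above trigger: the switch sends an authorization REQUEST for service=shell, the server de-obfuscates it with the shared key and answers PASS_ADD carrying priv-lvl=<n>, and the switch decodes that reply. This is an added example, not ClearPass or Cisco IOS code; the shared key, session id, user name, port and address are constructed sample values, and only exec-shell authorization is modelled (per-command authorization uses the same packet layout with cmd/cmd-arg attributes).

```python
"""Worked TACACS+ (RFC 8907) authorization exchange for a shell login.
Added example, not ClearPass or Cisco IOS code. Key, session id, user
name, port and address below are constructed sample values."""
import hashlib
import re
import struct

VERSION = 0xC0                        # major version 0xC, minor version 0 (default)
TAC_PLUS_AUTHOR = 0x02                # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body sent in clear; must stay unset in production
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
HEADER = struct.Struct("!BBBBII")     # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5 pad: chained MD5 over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body, session_id, seq_no, key):
    hdr = HEADER.pack(VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, VERSION, seq_no)


def open_packet(pkt, key):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(pkt)
    body = pkt[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body


def split_arg(arg):
    """'priv-lvl=15' -> ('priv-lvl', '15'); a '*' separator marks an optional attribute."""
    m = re.match(r"([^=*]+)[=*](.*)", arg)
    if not m:
        raise ValueError(f"malformed attribute-value pair: {arg!r}")
    return m.group(1), m.group(2)


def author_request(user, port, rem_addr, args):
    """REQUEST body: authen_method=TACACSPLUS(6), priv_lvl=1, authen_type=ASCII(1),
    authen_service=LOGIN(1), field lengths, arg lengths, then fields and AV pairs."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    head = struct.pack("!8B", 0x06, 1, 0x01, 0x01, len(u), len(p), len(r), len(a))
    return head + bytes(len(x) for x in a) + u + p + r + b"".join(a)


def parse_author_request(body):
    _, priv_lvl, _, _, ul, pl, rl, cnt = struct.unpack_from("!8B", body)
    off = 8
    lens = list(body[off:off + cnt]); off += cnt
    user = body[off:off + ul].decode(); off += ul + pl + rl
    args = {}
    for n in lens:
        k, v = split_arg(body[off:off + n].decode()); args[k] = v; off += n
    return {"user": user, "priv_lvl": priv_lvl, "args": args}


def author_reply(status, args, server_msg=""):
    """REPLY body: status, arg_cnt, server_msg_len, data_len, arg lengths, msg, data, AV pairs."""
    a = [x.encode() for x in args]
    m = server_msg.encode()
    return struct.pack("!BBHH", status, len(a), len(m), 0) + bytes(len(x) for x in a) + m + b"".join(a)


def parse_author_reply(body):
    status, cnt, msg_len, data_len = struct.unpack_from("!BBHH", body)
    off = 6
    lens = list(body[off:off + cnt]); off += cnt
    server_msg = body[off:off + msg_len].decode(); off += msg_len + data_len
    args = {}
    for n in lens:
        k, v = split_arg(body[off:off + n].decode()); args[k] = v; off += n
    return {"status": status, "server_msg": server_msg, "args": args}


def shell_login_exchange(key, session_id, priv_lvl):
    """Switch asks for the shell service; the server grants it with priv-lvl."""
    # 1) switch -> server: REQUEST (seq 1) for service=shell (constructed user/port/address)
    req = build_packet(author_request("admin1", "tty1", "192.0.2.10", ["service=shell", "cmd*"]),
                       session_id, 1, key)
    # 2) server de-obfuscates with the shared key and decides: anything other than
    #    the shell service gets FAIL, a matching policy gets PASS_ADD plus priv-lvl
    _, _, sid, body = open_packet(req, key)
    if parse_author_request(body)["args"].get("service") != "shell":
        status, attrs = TAC_PLUS_AUTHOR_STATUS_FAIL, []
    else:
        status, attrs = TAC_PLUS_AUTHOR_STATUS_PASS_ADD, [f"priv-lvl={priv_lvl}"]
    rep = build_packet(author_reply(status, attrs), sid, 2, key)
    # 3) switch de-obfuscates the REPLY (seq 2) and applies the returned privilege level
    _, _, _, body = open_packet(rep, key)
    return parse_author_reply(body)


if __name__ == "__main__":
    print(shell_login_exchange(b"ConstructedSharedKey", 0x1234ABCD, 15))
```

Running it returns status 1 (PASS_ADD) with args `{"priv-lvl": "15"}`, which is the value the switch then applies as the user's exec privilege level. Note that the body obfuscation is keyed only by the shared secret plus header fields that travel in the clear, so the shared key and the path between switch and ClearPass are what protect these exchanges.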


Version History: Revision 1 of 1, last update 04-07-2015 10:02 AM

Thank you, very useful, and it works.


I am struggling to use RADIUS as the device administration protocol.

Guru Elite
Why not use TACACS instead? It's much more robust and was designed for management AAA.

Hi, thank you for your reply. I am also suggesting TACACS+ to my boss. The reason I need RADIUS is that we have multiple vendors for our network infrastructure, so for different devices they think RADIUS might be more compatible. Also, I have already got TACACS+ working very well.


I am using Cisco to test RADIUS now.


For RADIUS, in Access Tracker, RADIUS accepts my login request, but from the Cisco switch I get:

User rejected

With debug radius authentication, I got this error:

Oct 19 10:32:54.206 EDT: RADIUS/DECODE(00000000): There is no Gen
ciscotest#eral DB. Reply server details may not be recorded
Oct 19 10:32:54.206 EDT: RADIUS(00000000): Received from id 1645/4
Oct 19 10:32:54.206 EDT: RADIUS/DECODE: parse VSA parts error
Oct 19 10:32:54.206 EDT: RADIUS/DECODE: convert VSA string; FAIL
Oct 19 10:32:54.206 EDT: RADIUS/DECODE: cisco VSA type 1; FAIL
Oct 19 10:32:54.206 EDT: RADIUS/DECODE: VSA; FAIL
Oct 19 10:32:54.206 EDT: RADIUS/DECODE: decoder; FAIL
Oct 19 10:32:54.206 EDT: RADIUS/DECODE: attribute Vendor-Specific; FAIL
Oct 19 10:32:54.206
ciscotest#EDT: RADIUS/DECODE: parse response op decode; FAIL


thank you

