
How to perform management authentication of Cisco Switch against Clearpass

Aruba Employee

Introduction - ClearPass can act as a TACACS+ server and perform management authentication for Cisco switches. It returns the privilege level (priv-lvl) to the switch, and the switch applies that level, as configured locally, to the user's session.

Environment - Tested with ClearPass versions 6.1.x to 6.4.4

Configuration Steps - Before we create a service, we first create the enforcement profiles required for the different types of users. An enforcement profile is the set of attributes sent down to the device the user is trying to access; these attributes determine the level of access granted to that user. For example, we could give one user read-only privileges on the Aruba controller while giving another user full admin access.
To create an enforcement profile, navigate to Configuration > Enforcement > Profiles and click “Add Enforcement Profile”.
In the enforcement profile wizard, select “TACACS+ Enforcement” as the Template.


In the Services tab, select the privilege level to return to the switch, then select the service that will be used to provide access. For a Cisco switch we use the shell service, which grants access to the CLI shell:


In the Service Attributes section, select Shell as the attribute type, priv-lvl as the attribute name, and enter the desired value. Here we use 15 for admin privilege and 1 for read-only privilege.


In the Commands tab, tick the checkbox “Enable to permit unmatched commands” if you want to allow the user to execute any command.


If you wish to restrict which commands the user can execute, uncheck that checkbox and list the permitted commands explicitly. Commands not in the list are then denied when the switch asks ClearPass to authorize them:


Now create another enforcement profile for read-only users in the same way. The privilege level in this case is 1.


Navigate to Configuration > Services and click “Add Service”.
In the Service Configuration wizard that appears, select TACACS+ Enforcement as the Type.


Select the appropriate authentication sources (Local User Repository, Active Directory, Generic LDAP, etc.).


Under the Enforcement tab, we can either use the default enforcement policy or add a custom enforcement policy that leverages AD group membership:

Click “Add new Enforcement Policy”.


In the Rules tab, we add the conditions under which access is granted and the enforcement profile to return when they match:


And a similar rule for read-only access:


We now have our set of rules defining access:


Cisco switch configuration commands for TACACS+ authentication (the trailing local keyword falls back to the local user database only when the TACACS+ servers cannot be reached, not when they reject the login):

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable

Commands used for authorization against the TACACS+ server (with commands 1 and commands 15 enabled, the switch sends each command typed at those privilege levels to ClearPass, where the profile's Commands tab decides whether it is permitted):

aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated

Commands used to enable TACACS+ accounting to the TACACS+ server:

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
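The following is an added example, not part of the original article or of ClearPass itself: a small Python model of the decision flow described above. The enforcement policy maps AD group membership (first matching rule wins) to a TACACS+ enforcement profile carrying Shell:priv-lvl, and each command the switch sends under "aaa authorization commands" is checked against that profile's command list and its "permit unmatched commands" setting. The group names, profile names and command lists are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class TacacsProfile:
    """Model of a TACACS+ enforcement profile (constructed for this example)."""
    name: str
    priv_lvl: int                   # Shell:priv-lvl attribute returned to the switch
    permit_unmatched: bool = False  # the "Enable to permit unmatched commands" checkbox
    commands: tuple = ()            # explicit command list from the Commands tab (glob patterns)


# Two profiles as built in the article: full admin (priv 15, any command) and
# read-only (priv 1, only the listed commands). Names and list are assumptions.
ADMIN = TacacsProfile("Cisco-Admin", 15, permit_unmatched=True)
READ_ONLY = TacacsProfile("Cisco-ReadOnly", 1,
                          commands=("show *", "terminal length *", "exit"))

# Enforcement policy rules, evaluated top-down like the ClearPass Rules tab.
# AD group names are hypothetical. Order matters: a user in both groups gets ADMIN.
RULES = (
    ("Network-Admins", ADMIN),
    ("NOC-ReadOnly", READ_ONLY),
)


def enforce(user_groups):
    """Login phase: return the profile for the first matching rule, or None (deny)."""
    for group, profile in RULES:
        if group in user_groups:
            return profile
    return None


def shell_attributes(profile):
    """Service attributes ClearPass returns for the shell service."""
    return {"service": "shell", "priv-lvl": profile.priv_lvl}


def authorize_command(profile, command):
    """Per-command authorization the switch requests for priv 1 / priv 15 commands.

    A command is permitted if it matches the profile's explicit list, otherwise
    only if the profile permits unmatched commands. No profile means deny.
    """
    if profile is None:
        return False
    if any(fnmatchcase(command, pattern) for pattern in profile.commands):
        return True
    return profile.permit_unmatched
```

A read-only user therefore gets priv-lvl 1 and can run "show running-config" but not "configure terminal", while an admin user gets priv-lvl 15 and any command.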

 

Version history
Revision #: 1 of 1
Last update: 04-07-2015 10:02 AM
Comments
shanshanlan

Thank you, very useful, and it works.

I am struggling to use radius as devices administration protocol.

Why not use TACACS instead? It's much more robust and was designed for management AAA.
shanshanlan

Hi, thank you for your reply. I am also suggesting TACACS+ to my boss. The reason I need RADIUS is that we have multiple vendors for our network infrastructure, so for the different devices they think RADIUS might be more compatible. Also, I have already got TACACS+ working very well.

I am using Cisco to test RADIUS now.

For RADIUS, Access Tracker shows that RADIUS is accepting my login request, but on the Cisco switch I get:

User rejected

With debug radius authentication, I get this error:

Oct 19 10:32:54.206 EDT: RADIUS/DECODE(00000000): There is no Gen
ciscotest#eral DB. Reply server details may not be recorded
Oct 19 10:32:54.206 EDT: RADIUS(00000000): Received from id 1645/4
Oct 19 10:32:54.206 EDT: RADIUS/DECODE: parse VSA parts error
Oct 19 10:32:54.206 EDT: RADIUS/DECODE: convert VSA string; FAIL
Oct 19 10:32:54.206 EDT: RADIUS/DECODE: cisco VSA type 1; FAIL
Oct 19 10:32:54.206 EDT: RADIUS/DECODE: VSA; FAIL
Oct 19 10:32:54.206 EDT: RADIUS/DECODE: decoder; FAIL
Oct 19 10:32:54.206 EDT: RADIUS/DECODE: attribute Vendor-Specific; FAIL
Oct 19 10:32:54.206
ciscotest#EDT: RADIUS/DECODE: parse response op decode; FAIL

 

Thank you.

ccalhoun

You note that the priv 1 authorization command does not revert to local. Should local be included?

aaa authorization exec default group tacacs+ local if-authenticated
>aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated

to:

aaa authorization commands 1 default group tacacs+ local if-authenticated

 

Thanks,

Chris
