Integrate ClearPass with Big Switch Cloud Controller for TACACS.
While integrating ClearPass with Big Switch Network Devices for TACACS+ authentication and authorization, you may not be able to log in to the Big Switch Network Devices, and the ClearPass server reports the following error.
This happens because, by default, ClearPass Policy Manager does not contain a TACACS+ dictionary for Big Switch Network Devices. To integrate successfully, import the attached Big Switch Networks dictionary and use it in the TACACS+ enforcement profile.
After authentication, the user is assigned to a Role-Based Access Control (RBAC) group, such as admin or read-only. The predefined admin group provides full access to configure the fabric and read information about the state of the network. The predefined read-only group prevents the user from modifying any configuration or executing any task that changes the operational state of the system, such as an upgrade or reboot. The association of users with groups is either stored locally, passed by a TACACS+ server via attribute-value pairs, or passed by a RADIUS server via a Vendor Specific Attribute (VSA). The BSN-UserRole attribute should be configured on the TACACS+ server; its value is the name of the RBAC group to which the user belongs.
Follow the below steps to import the TACACS+ dictionary in ClearPass.
1. Log in to ClearPass Policy Manager with Super Administrator privileges.
2. Navigate to Administration --> Dictionaries --> TACACS+ Services.
3. Import the attached TACACS+ dictionary.
4. Configure an enforcement profile for each BSN-UserRole value as shown below and use it in the enforcement policy.
As shown in the enforcement profile configuration, once ClearPass enforces BSN-UserRole with the value admin or read-only for Big Switch Network Devices, you will be able to log in successfully.
Example access tracker screenshot:
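The attribute-value pair returned by the enforcement profile is what the switch actually reads. The following is an added illustration, not ClearPass or Big Switch code: it encodes and decodes a TACACS+ authorization REPLY body in the RFC 8907 layout carrying BSN-UserRole, and shows how a reply without that attribute (the symptom of the missing dictionary described above) ends in a denied login. The function names and the two-group allow-list are assumptions; the sample replies are constructed.

```python
import re
import struct

# TACACS+ authorization REPLY status codes (RFC 8907, section 6.2).
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_PASS_REPL = 0x02
AUTHOR_STATUS_FAIL = 0x10

# Attribute syntax: '=' marks a mandatory AV pair, '*' an optional one.
AV_PAIR = re.compile(r"([^=*]+)([=*])(.*)")


def build_author_reply(status, args, server_msg=b"", data=b""):
    """Encode a REPLY body: status, arg_cnt, lengths, then the payloads."""
    enc = [a.encode() for a in args]
    if len(enc) > 255 or any(len(a) > 255 for a in enc):
        raise ValueError("argument count or length exceeds one byte")
    head = struct.pack("!BBHH", status, len(enc), len(server_msg), len(data))
    head += bytes(len(a) for a in enc)  # one length byte per argument
    return head + server_msg + data + b"".join(enc)


def parse_author_reply(body):
    """Decode a REPLY body into (status, [AV pair strings]) with bounds checks."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens = body[6:6 + arg_cnt]
    if len(lens) != arg_cnt:
        raise ValueError("truncated argument length table")
    pos = 6 + arg_cnt + msg_len + data_len  # skip server_msg and data
    args = []
    for n in lens:
        chunk = body[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated argument")
        args.append(chunk.decode())
        pos += n
    if pos != len(body):
        raise ValueError("trailing bytes after last argument")
    return status, args


def bsn_user_role(body, allowed=("admin", "read-only")):
    """Return the RBAC group the server assigned, or None to deny the login."""
    status, args = parse_author_reply(body)
    if status not in (AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL):
        return None
    for arg in args:
        m = AV_PAIR.fullmatch(arg)
        if m and m.group(1) == "BSN-UserRole":
            return m.group(3) if m.group(3) in allowed else None
    return None  # no BSN-UserRole in the reply: the missing-dictionary symptom
```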