ArubaOS and Controllers

Occasional Contributor II

Using TACACS for enable password

I am unable to get the enable password to work via Cisco ACS and my Aruba controllers. I have to use the default enable password to gain access. I have aaa enable user access enabled in Cisco ACS groups and it works on all of our routers but not on our controllers.
Guru Elite

Not Supported

This is not supported, currently.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP

Re: Using TACACS for enable password

If you can have ACS send back the 'Aruba-Priv-Admin-User' attribute with a value of "1", this will bypass needing to enter the enable secret and put you right into enable mode. This is what I do with Steel-Belted Radius.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Occasional Contributor II

Re: Using TACACS for enable password

Hi Ryan,

Does this need special code version on the controller? We don't see the controllers doing an authorization request, only authentication, and the attributes only get sent on authorization.


Thanks,
Eva
Guru Elite

Aruba-Priv-Admin-User

Meesick,

Ryan is correct. This attribute is sent upon Authentication. If present, it will put the user in enable mode automatically.

Other Aruba attributes that can be sent during authentication are:

Aruba-Admin-Role - Will automatically place the management user in this role (root, guest provisioning, read-only, etc.)
Aruba-User-Role - Will automatically place the authenticated user in the role returned
Aruba-User-Vlan - Will automatically place the authenticated user in the vlan returned
Colin Joseph
Aruba Customer Engineering
Occasional Contributor II

Re: Using TACACS for enable password
Meesick,

Ryan is correct. This attribute is sent upon Authentication. If present, it will put the user in enable mode automatically.

Other Aruba attributes that can be sent during authentication are:

Aruba-Admin-Role - Will automatically place the management user in this role (root, guest provisioning, read-only, etc.)
Aruba-User-Role - Will automatically place the authenticated user in the role returned
Aruba-User-Vlan - Will automatically place the authenticated user in the vlan returned
Is this for TACACS+ or RADIUS? I did try it out but it didn't work.
Occasional Contributor II

Different services?

We are sending that attribute under service exec. Are there different services?
Guru Elite

Only Radius

I apologize. It only works for RADIUS.

Colin Joseph
Aruba Customer Engineering
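The behaviour Colin describes in this and his earlier reply (Aruba vendor-specific attributes returned in the RADIUS Access-Accept during authentication, with Aruba-Priv-Admin-User = 1 dropping the admin straight into enable mode) is easiest to check at the wire level: if the controller still prompts for the enable password, the first thing to confirm is whether the attribute is actually present in the Access-Accept. The following is an added example, not code from this thread, from Aruba, or from Cisco ACS: a small Python encoder and decoder for the Aruba VSAs (RFC 2865 attribute 26), using vendor ID 14823 and the sub-attribute numbers as they appear in the FreeRADIUS dictionary.aruba file. Those numbers are assumed from memory here and should be verified against your own RADIUS dictionary. TACACS+ attributes sent under service=exec use a different protocol and, per the thread, are not honoured by the controller, so they are not modelled.

```python
import struct

ARUBA_VENDOR_ID = 14823          # IANA enterprise number for Aruba Networks (assumed)
VENDOR_SPECIFIC = 26             # RFC 2865 Vendor-Specific attribute type

# Aruba sub-attribute numbers and types, as in FreeRADIUS dictionary.aruba
# (assumed from memory; verify against your own dictionary file).
ARUBA_ATTRS = {
    1: ("Aruba-User-Role", "string"),
    2: ("Aruba-User-Vlan", "integer"),
    3: ("Aruba-Priv-Admin-User", "integer"),
    4: ("Aruba-Admin-Role", "string"),
}


def encode_aruba_vsa(vendor_type, value):
    """Build one RFC 2865 Vendor-Specific attribute carrying a single Aruba sub-attribute.

    Layout: [26][len][vendor-id:4][vendor-type][vendor-len][data...]
    """
    _name, kind = ARUBA_ATTRS[vendor_type]
    data = struct.pack("!I", value) if kind == "integer" else value.encode()
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_aruba_vsas(attrs):
    """Walk a RADIUS attribute list (bytes) and return {name: value} for Aruba VSAs.

    Non-Aruba vendors and unknown attribute types are skipped; truncated or
    zero-length attributes raise rather than being silently accepted.
    """
    out = {}
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        payload = attrs[i + 2 : i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC or len(payload) < 6:
            continue
        vendor_id = struct.unpack("!I", payload[:4])[0]
        if vendor_id != ARUBA_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(payload):
            vtype, vlen = payload[j], payload[j + 1]
            if vlen < 2 or j + vlen > len(payload):
                raise ValueError("malformed vendor sub-attribute")
            vdata = payload[j + 2 : j + vlen]
            j += vlen
            if vtype in ARUBA_ATTRS:
                name, kind = ARUBA_ATTRS[vtype]
                out[name] = (struct.unpack("!I", vdata)[0]
                             if kind == "integer" else vdata.decode())
    return out


def admin_login_outcome(attrs):
    """Summarise what the thread says the controller does with these attributes."""
    vsas = decode_aruba_vsas(attrs)
    return {
        # Aruba-Priv-Admin-User = 1 -> straight into enable mode, no enable secret
        "enable_mode": vsas.get("Aruba-Priv-Admin-User") == 1,
        # Aruba-Admin-Role -> management role; otherwise the controller's default role
        "admin_role": vsas.get("Aruba-Admin-Role", "<controller default role>"),
    }


# Constructed sample: the attribute portion of an Access-Accept for a management login.
SAMPLE_ACCEPT_ATTRS = (
    encode_aruba_vsa(3, 1)           # Aruba-Priv-Admin-User = 1
    + encode_aruba_vsa(4, "root")    # Aruba-Admin-Role = root
)

if __name__ == "__main__":
    print(decode_aruba_vsas(SAMPLE_ACCEPT_ATTRS))
    print(admin_login_outcome(SAMPLE_ACCEPT_ATTRS))
```

Feed `decode_aruba_vsas` the attribute bytes from a captured Access-Accept (everything after the 20-byte RADIUS header) to see exactly which Aruba attributes the server returned. From a defender's side the same decoder doubles as an audit check: any Access-Accept for a management login that carries Aruba-Priv-Admin-User = 1 or Aruba-Admin-Role = root is a privileged grant worth logging.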
Contributor I

Re: Using TACACS for enable password

We use Cisco ACS authenticating TACACS+ on our controllers for admins. (version 3.x from the last century)

We set the ACS for TACACS+ (Cisco IOS) and ensure to put in the controller IP addresses in the list. (You may need to use the interface or loopback depending on config. Or set them both. What the heck!)

Make sure your keys match.

On the controller we added (/security/authentication/servers/TACACS Server/ in GUI) a server called tacacs. Insert the appropriate info taking care to get the ports, key, and IP correct.

Apply, save.

On the /security/authentication/servers/server groups/ page, create a group "TACACS-Server" (you can change the name) and add the TACACS server. If you have more than one, give yourself a pat on the back and add it also.

Apply, save, etc.

On the /Management/Administration page, select the "TACACS-Server" group from the drop-down under "Management Authentication Servers". Select the server group you created above.

You may also need:

Allow Local Authentication checked ON
Default Role "ROOT"

Works for SSH and GUI logins.

You'll need to determine the use of fqdn.
If this works, send $20 taped to a 1972 Camaro to:

;)

Cisco ACS - TACACS+ - Enable Password limitations

Team -

I'm a little confused with this chain - can someone please confirm if there is a way to use a Cisco ACS server for TACACS+ management/login of the controllers AND have the user placed directly into enable mode without having to type the local (controller) ENABLE password?

Thanks
Ck