Network Management


How to configure ClearPass for Cisco ASA device login and management

  • 1.  How to configure ClearPass for Cisco ASA device login and management

    Posted Oct 31, 2016 02:01 PM

    Is there any document or guide on how to configure ClearPass for Cisco ASA device login and management, whether using TACACS+ or RADIUS? I need to use ClearPass instead of ACS for device administration.

    But I always get an error like the one below:

    Tacacs packet sent
    Sending TACACS Start message. Session id: 17, seq no:1
    Received TACACS packet. Session id:259580088 seq no:2
    tacp_procpkt_authen: GETPASS
    mk_pkt - type: 0x1, session_id: 17
    mkpkt_continue - response: ***
    Tacacs packet sent
    Sending TACACS Continue message. Session id: 17, seq no:3
    Received TACACS packet. Session id:259580088 seq no:4
    tacp_procpkt_authen: FAIL
    TACACS Session finished. Session id: 17, seq no: 3
    ERROR: Authentication Rejected: Unspecified

     



  • 2.  RE: How to configure ClearPass for Cisco ASA device login and management

    Posted Apr 18, 2020 05:22 PM

    Hello, have you been able to complete your ASA/CPPM configuration? If so, can you shed some light, as I'm currently trying to use CPPM as the RADIUS server for Cisco AnyConnect VPN user auth.

    I can't seem to get the service rule set up correctly on CPPM, as I keep getting authentication failures.

     

    Regards



  • 3.  RE: How to configure ClearPass for Cisco ASA device login and management

    MVP
    Posted Apr 19, 2020 03:57 AM

    @croweheadz, check your other post, which you placed on the forum. I have given some suggestions there.



  • 4.  RE: How to configure ClearPass for Cisco ASA device login and management

    MVP
    Posted Apr 19, 2020 03:55 AM

    You can use TACACS+

     

    Usually, I suppose, you want to have two groups of Admin/Monitoring types of enforcement.

    So I will give instructions based on the assumption that there will be:

    - A user who has read/write capabilities (privilege level 15)

    - A user who has read-only capabilities (privilege level 1)

     

    First, Create two roles by going to Configuration > Identity > Roles

    Role 1: TACACS_Admin_Role

    Role 2: TACACS_Monitoring_Role

     

    Then, go to Configuration > Identity > Role Mapping and create
    Role Mapping 1: TACACS_Admin_RoleMap
    Role Mapping 2: TACACS_Monitoring_RoleMap

     

    Then go to Configuration > Enforcement > Profiles

    Create two profiles with the following:

    1. TACACS_Admin_Profile: on the service, select privilege level 15; under Selected Services select Shell; and under the Custom Service make sure you have:
    Type: Shell
    Name: priv-lvl
    Value: 15

    Also, make sure that under the Commands tab the Service Type is Shell and Unmatched Commands is enabled (ticked).

    2. TACACS_Monitoring_Profile: on the service, select privilege level 1; under Selected Services select Shell; and under the Custom Service make sure you have:
    Type: Shell
    Name: priv-lvl
    Value: 1

    Also, make sure that under the Commands tab the Service Type is Shell and Unmatched Commands is enabled (ticked).



    After you create the Enforcement, go to Configuration > Enforcement > Policies.

    Create a Policy TACACS_Enforcement_Policy and under rules apply the rules you desire, with the enforcement profiles created.

     

    For the service, i would suggest the following:

    Add the devices as a group. So first, go to Configuration > Network > Devices. Add the devices (ASA-FW) here with the correct key for TACACS+.

    Under Vendor Name select CISCO (no, do not select CISCO-ASA; it didn't work for me).

     

    Then create a Device Group under Network > Device Groups, where you place the devices you want to have access to, for example: TACACS_Devices

     

    After that, create the service for TACACS+ and on the Service Rule configure:
    Type: Connection
    Name: NAD-IP-Address
    Operator: Belongs_to_Group
    Value: TACACS_Devices

     

    Sorry for making the post so long, but I hope this will help.

    If you have any issues, contact me.
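
The exchange that the ASA debug output in the first post shows (START, then GETPASS from the server, then CONTINUE with the password, then PASS or FAIL) and the shared key that the device entry in the reply above configures, worked through as an added example. This is not part of the thread and not ClearPass or ASA code; it is a minimal RFC 8907 TACACS+ ASCII-login client and a stand-in server run in memory, and the key `demo-shared-key`, the user table, the port `ssh` and the address `192.0.2.10` are all constructed for the demo.

```python
"""Minimal TACACS+ (RFC 8907) ASCII login: ASA-style client and a stand-in AAA server, in memory."""
import hashlib
import hmac
import struct

VERSION = 0xC0                        # header version: major 0xC, minor 0 (ASCII login)
TYPE_AUTHEN = 0x01                    # header packet type: authentication
ACTION_LOGIN = AUTHEN_TYPE_ASCII = SERVICE_LOGIN = 0x01
PASS, FAIL, GETPASS, ERROR = 0x01, 0x02, 0x05, 0x07
STATUS = {PASS: "PASS", FAIL: "FAIL", GETPASS: "GETPASS", ERROR: "ERROR"}
HEADER = struct.Struct("!BBBBII")     # version, type, seq_no, flags, session_id, body length

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 5.2: MD5 chain over (session_id, key, version, seq_no[, previous digest])."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = prev = b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call undoes it, and a wrong key yields garbage."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build(ptype, seq_no, session_id, body, key):
    hdr = HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, VERSION, seq_no)

def parse(pkt, key):
    """The 12-byte header is cleartext; only the body is obfuscated with the shared key."""
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack(pkt[:HEADER.size])
    body = pkt[HEADER.size:]
    if len(body) != length:
        raise ValueError("truncated packet")
    return ptype, seq_no, session_id, obfuscate(body, session_id, key, version, seq_no)

def start_body(user, port=b"ssh", rem_addr=b"192.0.2.10", priv_lvl=1):   # port/addr constructed
    lens = bytes([len(user), len(port), len(rem_addr), 0])       # user, port, rem_addr, data
    return bytes([ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, SERVICE_LOGIN]) + lens + user + port + rem_addr

def reply_body(status, server_msg=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg

def continue_body(user_msg):
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

class TinyTacacsServer:
    """Stand-in AAA server: one shared key, a static user table, per-session state."""
    def __init__(self, key, users):
        self.key, self.users, self.pending = key, users, {}

    def handle(self, pkt):
        ptype, seq_no, session_id, body = parse(pkt, self.key)
        def reply(status, msg=b""):
            return build(TYPE_AUTHEN, seq_no + 1, session_id, reply_body(status, msg), self.key)
        if ptype != TYPE_AUTHEN:
            return reply(ERROR, b"unsupported packet type")
        if seq_no == 1:                              # START: must be a self-consistent ASCII login
            if len(body) < 8 or body[2] != AUTHEN_TYPE_ASCII or 8 + sum(body[4:8]) != len(body):
                return reply(ERROR, b"undecodable START (shared key mismatch?)")
            self.pending[session_id] = body[8:8 + body[4]]
            return reply(GETPASS, b"Password: ")
        user = self.pending.pop(session_id, None)    # CONTINUE: carries the password
        if user is None or len(body) < 5:
            return reply(ERROR, b"no session")
        password = body[5:5 + struct.unpack("!H", body[:2])[0]]
        ok = user in self.users and hmac.compare_digest(self.users.get(user, b""), password)
        return reply(PASS if ok else FAIL)

def decode_reply(pkt, key):
    """Client view of a REPLY: (status name, server_msg); 'UNDECODABLE' if the body is not self-consistent."""
    _ptype, _seq, _sid, body = parse(pkt, key)
    if len(body) < 6:
        return "UNDECODABLE", b""
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != len(body) or status not in STATUS:
        return "UNDECODABLE", b""
    return STATUS[status], body[6:6 + msg_len]

def ascii_login(server, key, user, password, session_id):
    """Drive one login the way the ASA does; returns (final status, trace of the exchange)."""
    trace = [f"C->S seq=1 START user={user.decode()}"]
    status, _ = decode_reply(server.handle(build(TYPE_AUTHEN, 1, session_id, start_body(user), key)), key)
    trace.append(f"S->C seq=2 REPLY {status}")
    if status != "GETPASS":
        return status, trace
    trace.append("C->S seq=3 CONTINUE password=***")
    status, _ = decode_reply(server.handle(build(TYPE_AUTHEN, 3, session_id, continue_body(password), key)), key)
    trace.append(f"S->C seq=4 REPLY {status}")
    return status, trace

if __name__ == "__main__":                            # constructed key and user table for the demo
    srv = TinyTacacsServer(b"demo-shared-key", {b"netadmin": b"Correct-Horse-7"})
    for key in (b"demo-shared-key", b"some-other-key"):
        print(*ascii_login(srv, key, b"netadmin", b"Correct-Horse-7", 17)[1], sep="\n")
```

Two things worth reading off the trace. With the right key the device sees a well-formed GETPASS and then PASS or FAIL, so a FAIL that follows a GETPASS (the pattern in the first post's debug output) means the server could read the START and made a decision on it; a wrong shared key instead shows up as an undecodable body on one side or the other, because only the header is sent in clear. The priv-lvl value that the enforcement profiles above hand out is not part of this authentication exchange; it is returned in the separate TACACS+ authorization exchange (packet type 2) that follows a successful login, which this example does not implement. The MD5 pad is obfuscation, not encryption (RFC 8907 says so explicitly), so the path between the firewall and ClearPass still needs to be restricted to the management network.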

     



  • 5.  RE: How to configure ClearPass for Cisco ASA device login and management

    MVP
    Posted May 04, 2020 06:03 AM

    Hi,

     

    Did you solve the issue?