Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ACS 5.3 tacacs with Controller

  • 1.  ACS 5.3 tacacs with Controller

    Posted Apr 19, 2014 01:09 AM

    Hi 

    I am trying to integrate ACS 5.3 with Aruba Controller for management authentication using Tacacs protocol.

    On controller I have created Tacacs server entry and added it to server group. Server group is applied to mgmt authentication. This server group has internal server as first option and acs as second with fail through enabled. I can successfully test from controller AAA test server with PAP but with mschap it's failing. Also for mgmt auth SSH/GUI I am not able to use tacacs - acs based login. Any config missing ...



  • 2.  RE: ACS 5.3 tacacs with Controller

    EMPLOYEE
    Posted Apr 19, 2014 06:38 AM

    What is the error message on the ACS?

     



  • 3.  RE: ACS 5.3 tacacs with Controller

    Posted Apr 19, 2014 07:03 AM
    I could see log for successful tacacs auth which happens when I try from AAA test server with PAP. No log for tacacs when request is done while logging into controller or AAA test server with Mschap.


  • 4.  RE: ACS 5.3 tacacs with Controller

    EMPLOYEE
    Posted Apr 19, 2014 07:07 AM
    Post a screenshot of your management server setup with the tacacs server.


  • 5.  RE: ACS 5.3 tacacs with Controller

    Posted Apr 19, 2014 07:29 AM
    Hi Colin

    Sorry but currently I don't have access to controller hence can't share the screenshot.
    The config is like this
    1. Created a Tacacs server, provided IP and shared secret. All other default. Authorization enabled.
    2. Created a server group which has first entry as internal server and second as above mentioned tacacs server. But there is no server derived rule.
    3. In Management authentication I have selected new server group. There is one option for mschap for radius but I believe that is unchecked.

    - Harshad


  • 6.  RE: ACS 5.3 tacacs with Controller

    EMPLOYEE
    Posted Apr 19, 2014 07:38 AM

    In the  "Management Authentication Servers box", there is a checkbox called "Enable".  Make sure that is checked so that it uses the server group you created and listed in the box, otherwise it will not send management authentications to it.  You do not need to put the internal database in the server group.  The internal database is separate from the management users that are configured locally on the box.  Local Management users are limited to 10.  Adding the Internal Database to the Management authentication server group allows you to authenticate management users from the Configuration> Security> Authentication> Localdb list and get around the 10 user limitation.  It unfortunately allows any guest users that are configured in there to log into the controller, so DO NOT add the internal database to the Management Authentication Servers server group.
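
A check for the two conditions raised in post 6 (the management authentication "Enable" setting, and the internal database being a member of the management server group), added here as an example and not part of the thread. The sample config is constructed, and its stanza layout (`aaa server-group`, `auth-server Internal`, `aaa authentication mgmt`) is an assumption about how the controller's running config renders these settings.

```python
# Constructed sample config; stanza syntax is an assumption, names are made up.
SAMPLE = '''\
aaa server-group "mgmt-sg"
   auth-server Internal
   auth-server acs53
!
aaa server-group "tacacs-only"
   auth-server acs53
!
aaa authentication mgmt
   enable
   server-group "mgmt-sg"
!
'''

def parse_stanzas(text):
    """Return {header line: [indented child lines]} for each top-level stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None                      # "!" or blank line ends a stanza
        elif not raw[0].isspace():
            current = stanzas.setdefault(raw.strip(), [])
        elif current is not None:
            current.append(raw.strip())
    return stanzas

def audit_mgmt_auth(text):
    """Return a list of findings for the management authentication profile."""
    stanzas = parse_stanzas(text)
    mgmt = stanzas.get("aaa authentication mgmt", [])
    findings = []
    if "enable" not in mgmt:
        findings.append("mgmt authentication not enabled: server group is ignored")
    group = next((l.split(None, 1)[1].strip('"') for l in mgmt
                  if l.startswith("server-group ")), None)
    if group is None:
        return findings + ["no server-group set for mgmt authentication"]
    members = [l.split()[1].strip('"') for l in
               stanzas.get(f'aaa server-group "{group}"', [])
               if l.startswith("auth-server ")]
    if any(m.lower() == "internal" for m in members):
        findings.append(f'server group "{group}" includes the internal database: '
                        "guest accounts in it can log in to the controller")
    return findings
```

Run `audit_mgmt_auth()` over a saved copy of the running config; an empty list means neither condition was found.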



  • 7.  RE: ACS 5.3 tacacs with Controller

    Posted Apr 19, 2014 07:59 AM
    Hi Colin

    Thanks for the detailed information.
    Yes, the 'management auth server box' is enabled.

    Will Controller send the requests using mschap? When I check from AAA test server with PAP it's working. I think there should be some option to select auth methods on ACS side, similar to CPPM policies.


  • 8.  RE: ACS 5.3 tacacs with Controller

    EMPLOYEE
    Posted Apr 19, 2014 08:04 AM
    I have never used mschap with management authentication or tacacs.


  • 9.  RE: ACS 5.3 tacacs with Controller

    Posted Dec 09, 2014 08:38 AM

    Is there a guide on how to configure the Aruba controller with ACS and vice versa?