Occasional Contributor II
Posts: 11
Registered: ‎10-30-2011

ACS replacement with ClearPass

All,

I have a customer that is looking to replace their existing Cisco ACS server and possibly use ClearPass. They are currently tracking every command that an authenticated user submits on their Cisco switches. Is this even possible with ClearPass? Possibly with Insight?


Thanks,

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: ACS replacement with ClearPass


Yes, ClearPass can do full TACACS+ command logging and authorization.

(attached screenshot: tacacs-command-authz.PNG)


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 1,540
Registered: ‎06-12-2012

Re: ACS replacement with ClearPass

Yes.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor II
Posts: 11
Registered: ‎10-30-2011

Re: ACS replacement with ClearPass

Troy,

hope all is well...

So in order to log all commands that a user enters, we have to first permit what commands we want to allow and then somehow turn on logging on them? We've provided the customer with a PoC CPPM using the canned PoC templates for ACS replacement, but it does not spell out how to do this piece.

thanks,

Kevin

Occasional Contributor II
Posts: 11
Registered: ‎10-30-2011

Re: ACS replacement with ClearPass

I see this would allow us to permit/deny specific commands, but how do we log everything the user does on the switch?

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: ACS replacement with ClearPass

You do not have to turn on command authorization to log commands. By default it will log all commands once accounting is turned up.


Once you enable TACACS+ accounting, the logs will appear in the Accounting log in CPPM.


Aruba
Posts: 1,540
Registered: ‎06-12-2012

Re: ACS replacement with ClearPass

On a Cisco device you need to make sure you have:

aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+

Or you will not get all the commands logged.

(attached screenshot: cmd.png)

Thank You,
Troy

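The AAA lines Troy lists above decide which privilege levels actually get logged. As an added example (my code, not from the thread or from ClearPass), this Python audit walks a Cisco IOS running-config and reports privilege levels that have TACACS+ command authorization but no matching command accounting, since commands at those levels never produce accounting records for the CPPM accounting log. The sample config is constructed from the lines in this thread; the hostname and the regexes are my assumptions.

```python
import re

# Constructed sample: the AAA lines from this thread as they would appear in a
# Cisco IOS running-config on a hypothetical lab switch (not a real device).
SAMPLE_CONFIG = """\
hostname lab-switch
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
"""

# Matches "aaa authorization commands <level> <list> ... tacacs+".
AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) \S+ .*\btacacs\+")
# Matches "aaa accounting commands <level> <list> start-stop ... tacacs+";
# only start-stop records give a per-command audit trail on the server.
ACCT_RE = re.compile(r"^aaa accounting commands (\d+) \S+ start-stop .*\btacacs\+")


def audit_command_logging(config: str) -> dict:
    """Report which privilege levels have TACACS+ command authorization and
    command accounting, and which authorized levels would go unlogged."""
    authz, acct = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        m = AUTHZ_RE.match(line)
        if m:
            authz.add(int(m.group(1)))
            continue
        m = ACCT_RE.match(line)
        if m:
            acct.add(int(m.group(1)))
    return {
        "aaa_new_model": "aaa new-model" in config,
        "authorized_levels": sorted(authz),
        "accounted_levels": sorted(acct),
        # Levels with authorization but no accounting: commands run there are
        # permitted or denied by the server yet never show up in its log.
        "unlogged_levels": sorted(authz - acct),
    }


if __name__ == "__main__":
    print(audit_command_logging(SAMPLE_CONFIG))
```

With the thread's lines only level 15 is accounted, so the audit flags levels 0 and 1; adding an `aaa accounting commands <level> default start-stop group tacacs+` line per level clears the finding.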
Occasional Contributor II
Posts: 11
Registered: ‎10-30-2011

Re: ACS replacement with ClearPass

Do we need to do anything in the CPPM enforcement profile to enable accounting? We've added the commands to the switch but see nothing in the CPPM accounting logs.


Thanks,

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: ACS replacement with ClearPass

Is TACACS authentication and/or authorization working?


Occasional Contributor II
Posts: 11
Registered: ‎10-30-2011

Re: ACS replacement with ClearPass

Yes, authentication is working.
