Super Contributor II
Posts: 429
Registered: ‎01-19-2011

CPPM TACACS

I'm trying to implement TACACS access to our ClearPass device using AD credentials. So far I have got an AUTHEN_STATUS_PASS and a role of [Aruba TACACS Root Admin]. However, in the Access Tracker alerts there is a message "Tacacs server Tacacs service=cpass:http not enabled". What does this message indicate?

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: CPPM TACACS

Under Administration > Dictionaries > TACACS+ Services, do you have the cpass:http dictionary?

tacacs-dictionaries.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: CPPM TACACS

Yes it's there in the list (number 5).

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: CPPM TACACS

In your enforcement profile, do you have cpass:HTTP enabled in the Services tab?

enf-tacacs-cpasshttp.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: CPPM TACACS

This is what I have under the profile:

profile.png

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: CPPM TACACS

You'll need to duplicate the profile since it's a built-in one. Then add cpass:HTTP to the "Selected Services" box, and then you can add the appropriate attribute in the Service Attributes area.

tacacs-cpasshttp.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: CPPM TACACS

I've made the change and it all looks OK from the CPPM end (no errors shown); however, the browser login page is showing "Invalid Username or Password specified".

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: CPPM TACACS

If you are just trying to give Super Admin privileges to ClearPass, try using the built-in [TACACS Super Admin] enforcement profile.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: CPPM TACACS

Sorry cappalli, I forgot to change the service attribute. I've now replaced it with one for cpass:http with Super Administrator and it's now working. Thanks very much for your help.
