I am trying to set up ClearPass to be used for authentication on my Cisco ACE modules. I have configured the AAA on the Cisco device and I can log in. The ACE devices use role based access and it expects the server to send back a shell command to tell it what role the user is in. Within Cisco ACS that was easy. I am trying to find the same function in Clearpass.
Example from Cisco ACS server: shell:Admin*Admin default-domain
Thanks. Unfortunately the Privilege level is not understood by the Cisco ACE modules.
As you can see from below, the users are assigned roles not privelege levels. The default if the ACE does not receive any feedback is Network Monitor.
ACE-Core1/Admin# show usersUser Context Line Login Time (Location) Role Domain(s)*admin Admin pts/45 Mar 13 08:34 (192.168.69.65) Admin default-domainjnel Admin pts/46 Mar 13 09:24 (10.12.5.36) Network-Monitor default-domainACE-Core1/Admin#
Sorry missed that.
So it looks like each context needs its own attribute. You could try creating a custom TACACS+ dictionary with these levels, but I would work with TAC on this.
shell:<context-name-1> <role name> <domain>
Thanks. I am working with TAC. Still no solution yet. If we do find one, I will post the results here.
Does not appear if TAC has any idea on how to resolve the issue. Anyone on here have any input? Surely someone out there has done this before.
My ACEs were recently retired so I haven't tested this, but try the following:
Name: insert name of context (admin,prod,etc)
Value: replace "role" with the ACE role, followed by "domain default-domain"
Thanks I will try that.
I have managed to make it work using Radius as well.
In your Enforcement provile
you can use the following
Nice! Thanks for posting that.
© Copyright 2024 Hewlett Packard Enterprise Development LPAll Rights Reserved.
