Occasional Contributor I
Posts: 5
Registered: ‎03-13-2014

Cisco ACE service modules to use Clearpass for authentication.

I am trying to set up ClearPass to be used for authentication on my Cisco ACE modules. I have configured the AAA on the Cisco device and I can log in. The ACE devices use role-based access and expect the server to send back a shell command to tell them what role the user is in. Within Cisco ACS that was easy. I am trying to find the same function in ClearPass.

Example from Cisco ACS server: shell:Admin*Admin default-domain

Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: Cisco ACE service modules to use Clearpass for authentication.

Create an enforcement profile and choose TACACS as the type. Then choose shell from the service dropdown. Now you can assign a privilege level.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 5
Registered: ‎03-13-2014

Re: Cisco ACE service modules to use Clearpass for authentication.

Thanks. Unfortunately the Privilege level is not understood by the Cisco ACE modules.

As you can see from below, the users are assigned roles, not privilege levels. The default if the ACE does not receive any feedback is Network Monitor.

ACE-Core1/Admin# show users
User    Context  Line    Login Time    (Location)       Role             Domain(s)
*admin  Admin    pts/45  Mar 13 08:34  (192.168.69.65)  Admin            default-domain
jnel    Admin    pts/46  Mar 13 09:24  (10.12.5.36)     Network-Monitor  default-domain
ACE-Core1/Admin#

Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: Cisco ACE service modules to use Clearpass for authentication.

Sorry, missed that.

So it looks like each context needs its own attribute. You could try creating a custom TACACS+ dictionary with these levels, but I would work with TAC on this.

shell:<context-name-1>
<role name> <domain>

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 5
Registered: ‎03-13-2014

Re: Cisco ACE service modules to use Clearpass for authentication.

Thanks. I am working with TAC. Still no solution yet. If we do find one, I will post the results here.

Occasional Contributor I
Posts: 5
Registered: ‎03-13-2014

Re: Cisco ACE service modules to use Clearpass for authentication.

It does not appear that TAC has any idea how to resolve the issue. Anyone on here have any input? Surely someone out there has done this before.

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Cisco ACE service modules to use Clearpass for authentication.

My ACEs were recently retired so I haven't tested this, but try the following:

Name: insert name of context (admin, prod, etc.)

Value: replace "role" with the ACE role, followed by "domain default-domain"

[Attached screenshot: cppm-tacacs-ace.jpg]

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Occasional Contributor I
Posts: 5
Registered: ‎03-13-2014

Re: Cisco ACE service modules to use Clearpass for authentication.

Thanks, I will try that.

I have managed to make it work using RADIUS as well.

In your Enforcement profile you can use the following


MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Cisco ACE service modules to use Clearpass for authentication.

Nice!  Thanks for posting that.
