Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco Nexus role based TACACS with clearpass

  • 1.  Cisco Nexus role based TACACS with clearpass

    Posted Oct 27, 2015 03:01 PM

    From my understanding the Cisco Nexus 7000 supports role based access control (RBAC) for authorization. So you can pass it network-admin or network-operator roles for authorization, something along the lines of shell:roles = "network-operator". I tried doing this via ClearPass but I just get regular admin access. Has anyone gotten this to work and if so can you share your setup or any pointers please?
    Thank you



  • 2.  RE: Cisco Nexus role based TACACS with clearpass
    Best Answer

    Posted Oct 27, 2015 03:45 PM

    Errr, never mind. In the Cisco docs I saw shell:roles="network-operator vdc-admin" and this didn't work.
    Then after I posted I found a doc that had "Network-Operator" with the caps, and this worked.
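    To make concrete what the replies above are passing to the switch, here is an added example (not from the original thread, and not Cisco's or HPE's code) that encodes and decodes a TACACS+ authorization REPLY body carrying a shell:roles attribute-value pair, using the field layout from RFC 8907. The protocol treats each AV pair as an opaque string: whatever text the enforcement profile puts in the value reaches the switch byte-for-byte, and the TACACS+ layer itself does not validate role names, so a value the NAS does not recognise is not reported as a protocol error. The status codes and the rule of splitting an AV pair at the first '=' (mandatory) or '*' (optional) are from the RFC; the sample role strings are constructed.

```python
import struct

# Authorization REPLY status codes (RFC 8907, section 6.2).
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}
STATUS_PASS_ADD = 0x01


def build_author_reply(status, args, server_msg=b"", data=b""):
    """Encode an authorization REPLY body carrying the given AV-pair strings."""
    encoded = [a.encode("ascii") for a in args]
    if len(encoded) > 255 or any(len(a) > 255 for a in encoded):
        raise ValueError("at most 255 args of at most 255 bytes each")
    # status(1) arg_cnt(1) server_msg_len(2) data_len(2), then one length byte per arg
    fixed = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    arg_lens = bytes(len(a) for a in encoded)
    return fixed + arg_lens + server_msg + data + b"".join(encoded)


def parse_author_reply(body):
    """Decode an authorization REPLY body back into status, messages and raw AV-pair strings."""
    if len(body) < 6:
        raise ValueError("reply body shorter than the 6-byte fixed part")
    status, arg_cnt, smsg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg length table")
    off += arg_cnt
    server_msg = body[off:off + smsg_len]
    off += smsg_len
    data = body[off:off + data_len]
    off += data_len
    args = []
    for n in arg_lens:
        chunk = body[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated argument")
        args.append(chunk.decode("ascii"))   # no normalisation: the bytes are kept exactly
        off += n
    if off != len(body):
        raise ValueError("%d trailing bytes after last argument" % (len(body) - off))
    return {"status": AUTHOR_STATUS.get(status, "UNKNOWN(0x%02x)" % status),
            "server_msg": server_msg.decode("ascii", "replace"), "data": data, "args": args}


def split_av_pair(arg):
    """Split an AV pair at its first '=' (mandatory) or '*' (optional) separator."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], ch == "=", arg[i + 1:]
    raise ValueError("not an AV pair: %r" % arg)


def roles_in_reply(body):
    """Return the value of shell:roles from an encoded reply, or None if it is absent."""
    for arg in parse_author_reply(body)["args"]:
        attr, _mandatory, value = split_av_pair(arg)
        if attr == "shell:roles":
            return value
    return None


if __name__ == "__main__":
    # Constructed sample: the role string exactly as typed in an enforcement profile.
    body = build_author_reply(STATUS_PASS_ADD, ["shell:roles=network-operator"])
    print(body.hex())
    print(parse_author_reply(body))
    print(roles_in_reply(body))
```

    Because the value survives unchanged through encode and decode, the spelling in the enforcement profile is exactly what the switch compares against its configured role names; when a role is not applied, decoding the reply and reading shell:roles back is the first check to make.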
  • 3.  RE: Cisco Nexus role based TACACS with clearpass

    Posted Mar 30, 2016 10:55 AM

    Did you modify the shell TACACS dictionary yourself, as the "roles" string is not built into the existing CPPM TACACS Shell dictionary? I assume it would be a String type.
    Can you take a screenshot of the enforcement profile you have working with this?  
    Thanks.



  • 4.  RE: Cisco Nexus role based TACACS with clearpass

    Posted Mar 31, 2016 08:38 AM

    I did this as part of a proof of concept test so the configuration has been subsequently removed and sorry I don't remember all the details of getting it to work. I don't think I changed the TACACS dictionary though. If I can find out what I did to make it work I'll post it here.



  • 5.  RE: Cisco Nexus role based TACACS with clearpass

    Posted Apr 04, 2016 08:40 AM

    I tested with an N5K and tried all different ways but was unable to get it to work. The debug result is not showing in ASCII so I am able to figure out what ClearPass is sending to the N5K. Authentication is successful, but I am not able to get network-admin to work.

    I would appreciate it if anyone who got it working can share the secret.

    Thanks.

    Partial output of the debug:

    2016 Apr 4 02:55:20.904327 tacacs: analyze_tac_resp_sent_aaa_resp_mts: entering for aaa session 0
    2016 Apr 4 02:55:20.904364 tacacs: analyze_tac_resp_sent_aaa_resp_mts:received resp(before decrypt):
    2016 Apr 4 02:55:20.904394 tacacs: in tac payload len:17
    2016 Apr 4 02:55:20.904424 tacacs: in tac payload(hex): c0 3 2 0 52 bb 8f 5a 0 0 0 5 a1 32 e1 48 1
    2016 Apr 4 02:55:20.904455 tacacs: tplus_decrypt: TPLUS_ENCRYPTED for aaa session 0
    2016 Apr 4 02:55:20.904493 tacacs: analyze_tac_resp_sent_aaa_resp_mts: received resp(after decrypt):
    2016 Apr 4 02:55:20.904522 tacacs: in tac payload len:17
    2016 Apr 4 02:55:20.904552 tacacs: in tac payload(hex): c0 3 2 0 52 bb 8f 5a 0 0 0 5 0 0 0 0 1
    2016 Apr 4 02:55:20.904583 tacacs: analyze_tac_resp_sent_aaa_resp_mts:TAC type and acct status : 0x3, 0x1 for aaa session 0
    2016 Apr 4 02:55:20.904623 tacacs: send_aaa_acct_pass_resp_mts: entering for aaa session 0
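    The "before decrypt" and "after decrypt" payload lines in the debug output above can be decoded by hand: the 12-byte TACACS+ header is always sent in the clear, and the body after decryption is an accounting REPLY. The following is an added example, not from the thread and not Cisco's code, that pulls the hex out of those two lines (copied from the post above) and decodes them with the field layout from RFC 8907. It shows that this exchange is an accounting session (type 0x3) whose reply status is SUCCESS (0x1), exactly what the "TAC type and acct status" line says; the authorization reply that would carry shell:roles belongs to a separate session with type 0x2, so that is the payload line to look for when checking what the server sends. The length check in the body parser is what separates the still-obfuscated copy from the decrypted one.

```python
import re
import struct

# TACACS+ packet types, accounting reply status codes and header flag (RFC 8907).
TAC_TYPES = {0x01: "AUTHEN", 0x02: "AUTHOR", 0x03: "ACCT"}
ACCT_STATUS = {0x01: "SUCCESS", 0x02: "ERROR", 0x21: "FOLLOW"}
FLAG_UNENCRYPTED = 0x01

# The two "in tac payload(hex)" lines quoted in the post above, pre- and post-decrypt.
DEBUG_LINES = [
    "2016 Apr 4 02:55:20.904424 tacacs: in tac payload(hex): c0 3 2 0 52 bb 8f 5a 0 0 0 5 a1 32 e1 48 1",
    "2016 Apr 4 02:55:20.904552 tacacs: in tac payload(hex): c0 3 2 0 52 bb 8f 5a 0 0 0 5 0 0 0 0 1",
]

HEX_LINE = re.compile(r"tac payload\(hex\):\s*([0-9a-fA-F]+(?:\s+[0-9a-fA-F]+)*)\s*$")


def payload_from_debug(line):
    """Return the packet bytes from one 'tac payload(hex)' line, or None for other lines."""
    m = HEX_LINE.search(line)
    if m is None:
        return None
    return bytes(int(tok, 16) for tok in m.group(1).split())


def parse_header(pkt):
    """Decode the 12-byte header, which is never encrypted, and check its length field."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than the 12-byte header")
    version, ptype, seq_no, flags, session_id, body_len = struct.unpack("!BBBBII", pkt[:12])
    if len(pkt) - 12 != body_len:
        raise ValueError("header says %d body bytes, packet has %d" % (body_len, len(pkt) - 12))
    return {
        "major": version >> 4,
        "minor": version & 0x0F,
        "type": TAC_TYPES.get(ptype, "UNKNOWN(0x%02x)" % ptype),
        "seq_no": seq_no,
        "from_server": seq_no % 2 == 0,          # client uses odd sequence numbers, server even
        "encrypted": not (flags & FLAG_UNENCRYPTED),
        "session_id": session_id,
        "body_len": body_len,
    }


def parse_acct_reply(body):
    """Decode an accounting REPLY body: server_msg_len, data_len, status, then the two strings."""
    if len(body) < 5:
        raise ValueError("accounting reply body shorter than 5 bytes")
    smsg_len, data_len, status = struct.unpack("!HHB", body[:5])
    if 5 + smsg_len + data_len != len(body):
        # A body that is still obfuscated fails here because its length fields are garbage.
        raise ValueError("accounting reply length fields do not match body size")
    server_msg = body[5:5 + smsg_len].decode("ascii", "replace")
    data = body[5 + smsg_len:5 + smsg_len + data_len]
    return {"status": ACCT_STATUS.get(status, "UNKNOWN(0x%02x)" % status),
            "server_msg": server_msg, "data": data}


def decode_debug_line(line):
    """Header for any payload line, plus the decoded body when it is a readable accounting reply."""
    pkt = payload_from_debug(line)
    if pkt is None:
        return None
    header = parse_header(pkt)
    result = {"header": header, "body": None}
    if header["type"] == "ACCT" and header["from_server"]:
        try:
            result["body"] = parse_acct_reply(pkt[12:])
        except ValueError:
            result["body"] = None   # not decodable: this is the pre-decrypt copy of the body
    return result


if __name__ == "__main__":
    for line in DEBUG_LINES:
        print(decode_debug_line(line))
```

    Run against the two quoted lines, the first yields the header only (its body is still obfuscated), and the second yields the same header with an accounting reply of status SUCCESS and empty server_msg and data, which is consistent with the 5-byte body length in the header.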