Contributor I

Cisco Nexus role based TACACS with clearpass

From my understanding, the Cisco Nexus 7000 supports role-based access control (RBAC) for authorization, so you can pass it the network-admin or network-operator role for authorization, something along the lines of shell:roles = "network-operator". I tried doing this via ClearPass, but I just get regular admin access. Has anyone gotten this to work, and if so, can you share your setup or any pointers please?

Thank you

Contributor I

Re: Cisco Nexus role based TACACS with clearpass

Errr, never mind. In the Cisco docs I saw shell:roles="network-operator vdc-admin", and this didn't work.

Then, after I posted, I found a doc that had "Network-Operator" with the caps, and this worked.

Occasional Contributor I

Re: Cisco Nexus role based TACACS with clearpass

Did you modify the shell TACACS dictionary yourself? The "roles" string is not built into the existing CPPM TACACS Shell dictionary. I assume it would be a String type.

Can you take a screenshot of the enforcement profile you have working with this?

Thanks.

Contributor I

Re: Cisco Nexus role based TACACS with clearpass

I did this as part of a proof-of-concept test, so the configuration has since been removed, and sorry, I don't remember all the details of getting it to work. I don't think I changed the TACACS dictionary though. If I can find out what I did to make it work, I'll post it here.

New Contributor

Re: Cisco Nexus role based TACACS with clearpass

I tested with an N5K and tried all different ways but was unable to get it to work. The debug result is not showing in ASCII, so I am able to figure out what ClearPass is sending to the N5K. Authentication is successful, but I am not able to get network-admin to work.

I'd appreciate it if anyone who got it working can share the secret.

Thanks.

Partial output of the debug:

2016 Apr 4 02:55:20.904327 tacacs: analyze_tac_resp_sent_aaa_resp_mts: entering for aaa session 0
2016 Apr 4 02:55:20.904364 tacacs: analyze_tac_resp_sent_aaa_resp_mts:received resp(before decrypt):
2016 Apr 4 02:55:20.904394 tacacs: in tac payload len:17
2016 Apr 4 02:55:20.904424 tacacs: in tac payload(hex): c0 3 2 0 52 bb 8f 5a 0 0 0 5 a1 32 e1 48 1
2016 Apr 4 02:55:20.904455 tacacs: tplus_decrypt: TPLUS_ENCRYPTED for aaa session 0
2016 Apr 4 02:55:20.904493 tacacs: analyze_tac_resp_sent_aaa_resp_mts: received resp(after decrypt):
2016 Apr 4 02:55:20.904522 tacacs: in tac payload len:17
2016 Apr 4 02:55:20.904552 tacacs: in tac payload(hex): c0 3 2 0 52 bb 8f 5a 0 0 0 5 0 0 0 0 1
2016 Apr 4 02:55:20.904583 tacacs: analyze_tac_resp_sent_aaa_resp_mts:TAC type and acct status : 0x3, 0x1 for aaa session 0
2016 Apr 4 02:55:20.904623 tacacs: send_aaa_acct_pass_resp_mts: entering for aaa session 0
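As an added example, not code from the thread, Cisco or Aruba: a small Python decoder for the TACACS+ (RFC 8907) reply format seen in the debug excerpt above. The captured bytes decode as an accounting reply (type 0x3, status 0x1 SUCCESS), which carries no attributes; the authorization reply is the packet that returns AV pairs such as shell:roles, and it is shown here via a constructed, unencrypted packet. Only the hex string and session id are taken from the debug output; everything else is constructed.

```python
import struct
# TACACS+ (RFC 8907) packet types and reply status codes.
PACKET_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
ACCT_STATUS = {0x01: "SUCCESS", 0x02: "ERROR", 0x21: "FOLLOW"}
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}
FLAG_UNENCRYPTED = 0x01

def hex_to_bytes(dump: str) -> bytes:
    """Convert the space-separated, unpadded hex that the NX-OS debug prints."""
    return bytes(int(h, 16) for h in dump.split())

# Decrypted accounting reply copied from the N5K debug output in the post above.
NEXUS_ACCT_REPLY = hex_to_bytes("c0 3 2 0 52 bb 8f 5a 0 0 0 5 0 0 0 0 1")

def parse_header(pkt: bytes) -> dict:
    """12-byte header: version, type, seq_no, flags, session_id, body length."""
    version, ptype, seq, flags, session, length = struct.unpack("!BBBBII", pkt[:12])
    return {"major": version >> 4, "minor": version & 0xF, "seq_no": seq,
            "type": PACKET_TYPES.get(ptype, hex(ptype)), "session_id": session,
            "encrypted": not flags & FLAG_UNENCRYPTED, "length": length}

def parse_reply(pkt: bytes) -> dict:
    """Decode a server-to-client reply whose body has already been decrypted."""
    hdr = parse_header(pkt)
    body = pkt[12:12 + hdr["length"]]
    if len(body) != hdr["length"]:
        raise ValueError("truncated packet")
    if hdr["type"] == "ACCT":
        # Accounting REPLY body: server_msg_len, data_len, status.
        _smsg_len, _data_len, status = struct.unpack("!HHB", body[:5])
        return {**hdr, "status": ACCT_STATUS.get(status, hex(status))}
    if hdr["type"] == "AUTHOR":
        # Authorization REPLY body: status, arg_cnt, server_msg_len, data_len,
        # arg_len[arg_cnt], server_msg, data, then the AV pairs (e.g. shell:roles=...).
        status, arg_cnt, smsg_len, data_len = struct.unpack("!BBHH", body[:6])
        arg_lens = body[6:6 + arg_cnt]
        pos = 6 + arg_cnt + smsg_len + data_len
        args = []
        for n in arg_lens:
            args.append(body[pos:pos + n].decode("ascii"))
            pos += n
        return {**hdr, "status": AUTHOR_STATUS.get(status, hex(status)), "args": args}
    raise ValueError(f"unsupported packet type {hdr['type']}")

def build_author_reply(session_id: int, seq_no: int, args: list) -> bytes:
    """Constructed (not captured) unencrypted PASS_ADD authorization reply with AV pairs."""
    enc = [a.encode("ascii") for a in args]
    body = (struct.pack("!BBHH", 0x01, len(enc), 0, 0)
            + bytes(len(a) for a in enc) + b"".join(enc))
    return struct.pack("!BBBBII", 0xC0, 2, seq_no, FLAG_UNENCRYPTED, session_id, len(body)) + body
```

Feeding a real authorization reply to parse_reply requires decrypting the body with the shared secret first (the header is always in clear), which is where the debug's "after decrypt" line comes in.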