Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Shell Role for Nexus TACACS

  • 1.  Clearpass Shell Role for Nexus TACACS

    Posted Jun 07, 2017 08:53 AM

    I have been trying to determine how to add a shell role to pass a role to Nexus devices for TACACS authentication.  I found an earlier post below that was helpful but I cannot determine where one would add the shell role.  If anyone has any experience adding shell:roles your input would be greatly appreciated.  I assume this is done at the enforcement profile and perhaps you need to modify your TACACS dictionary?  Thanks!


    https://community.arubanetworks.com/t5/Security/Cisco-Nexus-role-based-TACACS-with-clearpass/td-p/250397



  • 2.  RE: Clearpass Shell Role for Nexus TACACS

    EMPLOYEE
    Posted Jun 08, 2017 04:24 AM

    I don't have experience (nor a Nexus to test it in my lab), but found a few references that may help you get started:


    http://community.arubanetworks.com/t5/Security/Cisco-Nexus-role-based-TACACS-with-clearpass/td-p/250397

    And this page that has a debug/packet trace+analysis of a working and failing example to push TACACS+ roles:

    https://routing-bits.com/2011/08/28/cisco-nexus-user-roles-using-tacplus/


    It looks like you don't need to change the dictionary, and can just put the roles attribute in your Enforcement policy:

    [image: nexus-roles.png]

    I could not test it though, and you might need to test if the "quotes" are needed, which is suggested in the referenced articles.


    Can you please let us know if it worked for you?
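
The roles attribute discussed in this thread is carried as an argument of a TACACS+ authorization REPLY. The following is an added example, not code from any post in this thread and not ClearPass or Nexus code: it builds such a reply with the RFC 8907 body obfuscation (so it can be compared against a real capture), decodes it the way a debugger or NAS would, flags the garbage you get when the shared secret is wrong, and pulls the role list out of the value. The session id, secret, and the attribute string `shell:roles="network-admin"` are constructed inputs; the quoted form follows the referenced routing-bits article and is an assumption here, not something confirmed on this page.

```python
"""Build and decode a TACACS+ (RFC 8907) authorization REPLY carrying shell:roles.

Added example; session id, key and AV pairs below are constructed test data."""
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02                 # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # header flag: body sent in the clear
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01 # NAS merges returned args with its own
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
HEADER_LEN = 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5(session_id|key|version|seq_no[|previous digest]), chained."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(session_id: int, key: bytes, args: list[str],
                       status: int = TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                       server_msg: bytes = b"", seq_no: int = 2, version: int = 0xC0) -> bytes:
    """Server side: header + obfuscated REPLY body (status, arg_cnt, lengths, msg, data, args)."""
    arg_bytes = [a.encode() for a in args]
    if any(len(a) > 255 for a in arg_bytes):
        raise ValueError("each TACACS+ argument is limited to 255 bytes")
    body = struct.pack("!BBHH", status, len(arg_bytes), len(server_msg), 0)
    body += bytes(len(a) for a in arg_bytes)        # one length byte per argument
    body += server_msg + b"".join(arg_bytes)        # data field left empty
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def decode_author_reply(packet: bytes, key: bytes) -> dict:
    """NAS/debugger side: strip the header, de-obfuscate, and unpack the REPLY fields."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError(f"not an authorization packet (type {ptype:#x})")
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + arg_cnt])
    off = 6 + arg_cnt
    # A wrong shared secret yields random field lengths; catch the common symptom.
    if off + msg_len + data_len + sum(arg_lens) > len(body):
        raise ValueError("declared fields exceed body: wrong key or corrupt packet")
    server_msg = body[off:off + msg_len]
    off += msg_len + data_len                       # skip server_msg and data
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return {"status": status, "server_msg": server_msg.decode(), "args": args}


def parse_avpairs(args: list[str]) -> list[tuple[str, str, bool]]:
    """Split each argument at the first '=' (mandatory) or '*' (optional) separator."""
    out = []
    for a in args:
        for i, ch in enumerate(a):
            if ch in "=*":
                out.append((a[:i], a[i + 1:], ch == "="))
                break
        else:
            raise ValueError(f"malformed AV pair: {a!r}")
    return out


def nexus_roles(args: list[str]) -> list[str]:
    """Role names from shell:roles; the quotes are literal bytes on the wire (assumed form)."""
    for attr, value, _mandatory in parse_avpairs(args):
        if attr == "shell:roles":
            return value.strip('"').split()
    return []


if __name__ == "__main__":
    pkt = build_author_reply(0x1234ABCD, b"s3cret", ['shell:roles="network-admin"'])
    reply = decode_author_reply(pkt, b"s3cret")
    print(reply, nexus_roles(reply["args"]))
```

Because the pad is keyed only by the session id, the shared secret and two header bytes, decoding a capture taken with the wrong secret does not fail cleanly: the status and count bytes come out as noise, which is why the decoder checks the declared lengths against the body before trusting them. Run the same decoder over a capture of ClearPass's reply to confirm which attribute string, quoted or not, the device actually received.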



  • 3.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Jun 08, 2017 03:00 PM

    [image: enfprofile.PNG]

    This is great, thank you for your input. I am curious, did you see role in the dropdown list initially? I do not see role as an option.




  • 4.  RE: Clearpass Shell Role for Nexus TACACS

    EMPLOYEE
    Posted Jun 08, 2017 03:37 PM

    Got you... so the 'drop down' that you show is also a textbox where you can just type the value roles in... Don't use the drop down, simply type.



  • 5.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Jun 15, 2017 10:49 AM

    I was able to create the service attribute however I am not being placed in the correct role on the Nexus device.  I am trying different syntax however I am wondering if some additional debugging may be needed.



  • 6.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Jun 15, 2017 10:53 AM

    The thing is I have two services.  I am not sure if that is causing the issue here.  If I remove the CiscoWLC:Common I am not sure that my other Cisco devices will function.


    [image: enforcement.PNG]




  • 7.  RE: Clearpass Shell Role for Nexus TACACS

    EMPLOYEE
    Posted Jun 15, 2017 10:58 AM

    Use Device Groups with separate enforcement profiles.


  • 8.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Jun 16, 2017 09:59 AM

    Only one policy can be associated with a service, correct? Would I need a rule matching a device group in my policy to direct Nexus devices to a different enforcement profile? Thanks for your input.



  • 9.  RE: Clearpass Shell Role for Nexus TACACS

    EMPLOYEE
    Posted Jun 16, 2017 10:32 AM

    You can have a single Enforcement Policy per service, but each rule in the policy can have multiple Enforcement Profiles. By using device groups, and limiting the profile per device group, you can just put in all profiles. ClearPass will only return the attributes from the profiles that match the device group.


    Another approach may be to split up the services, one for the Nexuses and another for the other Cisco devices, and see if you can match one of the sent attributes (or the device group) to make ClearPass select one or the other service.


    Either approach should work, and which one to pick is probably a matter of personal preference.



  • 10.  RE: Clearpass Shell Role for Nexus TACACS
    Best Answer

    Posted Jun 19, 2017 10:59 AM

    Success.  I got this working by using the enforcement profile below.  Thanks to everyone for their input.


    [image: working Nexus.PNG]



  • 11.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Apr 26, 2018 04:41 PM

    Yay Forums, that worked for me as well :-D




  • 12.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Mar 21, 2019 05:16 PM

    This helped with Cisco MDS as well, couldn't find the correct way to input this information in Clearpass!

    [image: Screen Shot 2019-03-21 at 2.02.48 PM.png]



  • 13.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Oct 23, 2019 05:25 AM

    Do you also know the correct entry for the Cisco Data Center Network Manager (DCNM) ?

    I tried with the version of duderino, but no luck so far.

    Thanks



  • 14.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Nov 01, 2019 10:58 AM


    As far as service attributes go, Duderino's example is what's working in my environment. Here's the rest of the enforcement profile.


    [image: image.png]



  • 15.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Dec 09, 2020 08:58 AM

    Hello!
    Did you get an answer for this problem? I have the same issue. :)

    ------------------------------
    Petri Kemppainen
    ------------------------------



  • 16.  RE: Clearpass Shell Role for Nexus TACACS

    EMPLOYEE
    Posted Dec 15, 2020 04:53 AM

    Did you try the suggestions above? It looks like people show how to return the attributes and report success.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------