Frequent Contributor I
Posts: 66
Registered: 05-12-2009

Clearpass Shell Role for Nexus TACACS


I have been trying to determine how to add a shell role to pass a role to Nexus devices for TACACS authentication.  I found an earlier post below that was helpful but I cannot determine where one would add the shell role.  If anyone has any experience adding shell:roles your input would be greatly appreciated.  I assume this is done at the enforcement profile and perhaps you need to modify your TACACS dictionary?  Thanks!


https://community.arubanetworks.com/t5/Security/Cisco-Nexus-role-based-TACACS-with-clearpass/td-p/250397

MVP
Posts: 554
Registered: 11-04-2011

Re: Clearpass Shell Role for Nexus TACACS

I don't have experience (nor a Nexus to test it in my lab), but found a few references that may help you get started:


http://community.arubanetworks.com/t5/Security/Cisco-Nexus-role-based-TACACS-with-clearpass/td-p/250397

And this page that has a debug/packet trace+analysis of a working and failing example to push TACACS+ roles:

https://routing-bits.com/2011/08/28/cisco-nexus-user-roles-using-tacplus/


It looks like you don't need to change the dictionary, and can just put the roles attribute in your Enforcement policy:

[screenshot: nexus-roles.png]

I could not test it though, and you might need to test if the "quotes" are needed, which is suggested in the referenced articles.


Can you please let us know if it worked for you?

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
Frequent Contributor I
Posts: 66
Registered: 05-12-2009

Re: Clearpass Shell Role for Nexus TACACS


[screenshot: enfprofile]

This is great, thank you for your input. I am curious, did you see role in the dropdown list initially? I do not see role as an option.


MVP
Posts: 554
Registered: 11-04-2011

Re: Clearpass Shell Role for Nexus TACACS

Got you... so the 'drop down' that you show is also a textbox where you can just type the value roles in... Don't use the drop down, simply type.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
Frequent Contributor I
Posts: 66
Registered: 05-12-2009

Re: Clearpass Shell Role for Nexus TACACS

I was able to create the service attribute however I am not being placed in the correct role on the Nexus device.  I am trying different syntax however I am wondering if some additional debugging may be needed.

Frequent Contributor I
Posts: 66
Registered: 05-12-2009

Re: Clearpass Shell Role for Nexus TACACS


The thing is I have two services.  I am not sure if that is causing the issue here.  If I remove the CiscoWLC:Common I am not sure that my other Cisco devices will function.


[screenshot: enforcement.PNG]


Guru Elite
Posts: 8,798
Registered: 09-08-2010

Re: Clearpass Shell Role for Nexus TACACS

Use Device Groups with separate enforcement profiles.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 66
Registered: 05-12-2009

Re: Clearpass Shell Role for Nexus TACACS

Only one policy can be associated with a service, correct? Would I need a rule matching a device group in my policy to direct Nexus devices to a different enforcement profile? Thanks for your input.

MVP
Posts: 554
Registered: 11-04-2011

Re: Clearpass Shell Role for Nexus TACACS

You can have a single Enforcement Policy per service, but each rule in the policy can have multiple Enforcement Profiles. By using device groups, and limiting the profile per device group, you can just put in all profiles. ClearPass will only return the attributes from the profiles that match the device group.


Another approach may be to split up the services, one for the Nexuses and another for the other Cisco devices, and see if you can match one of the sent attributes (or the device group) to make ClearPass select one or the other service.


Either approach should work, and which one to pick is probably a matter of personal preference.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
Frequent Contributor I
Posts: 66
Registered: 05-12-2009

Re: Clearpass Shell Role for Nexus TACACS


Success.  I got this working by using the enforcement profile below.  Thanks to everyone for their input.


[screenshot: working Nexus.PNG]
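The thread turns on two things: whether the quotes around the roles value are needed, and how to debug what ClearPass actually returns. The added example below (not ClearPass or NX-OS code, written for this thread) encodes and decodes the TACACS+ authorization REPLY body from RFC 8907 and extracts the roles from a shell:roles AV pair, so the bytes ClearPass sends can be compared against a packet trace. It assumes the quoted form `shell:roles="network-admin"` shown in Cisco's NX-OS documentation and that the device strips one pair of surrounding quotes and splits on whitespace; the 12-byte packet header and the body obfuscation are omitted.

```python
import struct

# TACACS+ authorization REPLY status codes (RFC 8907, section 6.2)
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_PASS_REPL = 0x02
AUTHOR_STATUS_FAIL = 0x10


def build_author_reply(args, status=AUTHOR_STATUS_PASS_ADD, server_msg=b"", data=b""):
    """Encode the REPLY body: status, arg_cnt, server_msg_len, data_len, one length
    byte per argument, then server_msg, data and the argument strings verbatim.
    Whatever is typed into the enforcement profile (quotes included) goes on the wire."""
    encoded = [a.encode() for a in args]
    if len(encoded) > 255 or any(len(e) > 255 for e in encoded):
        raise ValueError("arg_cnt and each arg length are single bytes")
    body = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    body += bytes(len(e) for e in encoded)
    return body + server_msg + data + b"".join(encoded)


def parse_author_reply(body):
    """Decode a REPLY body into (status, [av-pairs]); rejects truncated or padded input."""
    if len(body) < 6:
        raise ValueError("REPLY body shorter than its fixed fields")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens = body[6:6 + arg_cnt]
    if len(lens) != arg_cnt:
        raise ValueError("arg length table truncated")
    off = 6 + arg_cnt + msg_len + data_len  # skip server_msg and data
    args = []
    for n in lens:
        args.append(body[off:off + n].decode())
        off += n
    if off != len(body):
        raise ValueError("truncated or trailing bytes in REPLY body")
    return status, args


def split_av_pair(pair):
    """Split an AV pair at its first '=' (mandatory) or '*' (optional) separator."""
    for i, ch in enumerate(pair):
        if ch in "=*":
            return pair[:i], pair[i + 1:], ch == "="
    raise ValueError("no separator in %r" % pair)


def nexus_roles(args):
    """Roles carried by shell:roles, or None if absent. Assumption: NX-OS strips one
    pair of surrounding double quotes and splits the value on whitespace."""
    for pair in args:
        attr, value, _mandatory = split_av_pair(pair)
        if attr == "shell:roles":
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            return value.split()
    return None
```

Run a capture of the real REPLY through `parse_author_reply` after removing the header and de-obfuscating the body to confirm the attribute name, separator and quoting match what the device expects.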
