Contributor I
Posts: 38
Registered: ‎06-25-2013

Clearpass TACACs service setup

Hi Community,

 

I was wondering if you could advise me on how to set up a TACACS service on ClearPass.

 

The TACACs service would be used to authenticate users who want to log into switches with their AD account. The switches are Alcatel switches.

 

When I go to set up the service for TACACS, I select “TACACS+ Enforcement”. I am not sure how to set up the service rule/conditions that deal with authentication requests coming from a device, but I have come up with the following:

 

Would this service rule work:

 

Type=Authentication

Name=Source

Operator=BELONGS_TO

Value= This would be a static host list that has been created

I will then also enable “Authorization”

 

The static host list would be created based on subnet.

 

The authentication would then be AD

The authorization would then be AD

 

The roles would then be if “Authorization:AD:member of contains Technical”

 

I am not sure what would be used for enforcement, as when I go to create this I get the following. Please see attached picture.

What do I set for privilege level?

What do I set for selected services?

What do I set for authorize attribute service?

What do I set for service attributes?

 

What do I then set up for Enforcement policies?

 

I hope the above makes sense and you guys can advise me further.

 

Many Thanks

Aruba Employee
Posts: 128
Registered: ‎04-24-2013

Re: Clearpass TACACs service setup

MVP
Posts: 554
Registered: ‎11-04-2011

Re: Clearpass TACACs service setup

And another example for ArubaOS switch in this video:

http://community.arubanetworks.com/t5/Video/Aruba-ClearPass-Workshop-Admin-Access-3-ArubaOS-switch-admin/ta-p/295525

 

The Alcatel switch manual is here. It doesn't mention special requirements, so returning privilege level 15 and service Shell would be my first try. Then, under commands, 'Permit unmatched commands'. That is pretty basic. Some switches require more specific information; in the video, for example, we had to add priv-lvl=15 as a Service attribute to skip the enable prompt, but that is specific to ArubaOS switches.

 

Hope this helps you in the right direction.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Contributor I
Posts: 38
Registered: ‎06-25-2013

Re: Clearpass TACACs service setup

Thank you for the suggestion. 

 

I have tried this and it has worked straight away. 
