Occasional Contributor II

Configuring TACACS+ on ClearPass for Cisco switches

I would like to use ClearPass to configure TACACS+ for Cisco switch authentication to Windows Active Directory.


Does anyone have any advice or documentation on how to do this?

Aruba

Re: Configuring TACACS+ on ClearPass for Cisco switches

You can use the Start Here guide; at the top there is a link, "1. To generate sample Services for common use cases, go here", which has a sample TACACS service.

I'm currently working on one for ASE and will post an update when done.

https://ase.arubanetworks.com
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor II

Re: Configuring TACACS+ on ClearPass for Cisco switches

I can't find the TACACS article.

Please update once you have completed it :-)

Aruba

Re: Configuring TACACS+ on ClearPass for Cisco switches

The solution is now posted on ASE.

https://ase.arubanetworks.com/solutions/id/80

Thank You,
Troy

Occasional Contributor II

Re: Configuring TACACS+ on ClearPass for Cisco switches

Awesome, that looks great.

Quick question: if TACACS is unavailable, will the "Accounting" part of the configuration still allow a locally configured user account to log on and gain access to privileged mode and config mode?

Aruba

Re: Configuring TACACS+ on ClearPass for Cisco switches

Yes, it will fail through. If the server is unavailable then it will auth locally. You will just need to set up a local account on the switch also.
Thank You,
Troy

Occasional Contributor II

Re: Configuring TACACS+ on ClearPass for Cisco switches

I've tried exactly the same config in a test scenario, and it doesn't work.

I get this:


Authorization Requests Messages
 Command - -
Error Message: No enforcement profiles matched to perform command authorization
Error Group: Tacacs authorization
 Alerts for this Request:

Tacacs server Tacacs service=shell not enabled

Aruba

Re: Configuring TACACS+ on ClearPass for Cisco switches

What model of switch and IOS?

Sounds like you don't have the proper settings in the enforcement.

Take a look at the screenshots in the how-to and see if your enforcement matches. I've seen different variables used in different models and even IOS versions. Unfortunately Cisco was not consistent on the return attributes that are needed.
Thank You,
Troy

Occasional Contributor II

Re: Configuring TACACS+ on ClearPass for Cisco switches

3750 ... 12.2 IOS and 15 (I'm testing on 15).


Occasional Contributor II

Re: Configuring TACACS+ on ClearPass for Cisco switches

As a matter of interest, what do these lines of the Cisco config actually mean?


aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated


Thanks
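An added example, not code from the thread or from the ASE solution, that models how Cisco IOS walks the three `aaa authorization commands` lines asked about above, together with the "fail through" behaviour Troy described earlier in the thread. The point it makes explicit: IOS moves to the next method in a list only when the current method returns ERROR (ClearPass unreachable); when ClearPass answers and denies, the list stops there, so neither `none`, `if-authenticated` nor `local` is consulted. The `aaa authentication login default group tacacs+ local` line is an assumption added so that `if-authenticated` has a login to check, and `local` is simplified to "credentials match the switch's local user database".

```python
"""Simulate Cisco IOS AAA method-list fall-through for the lines quoted above.

Added example for this thread; not code from the original posts or from the
ASE solution. Rule modelled: methods are tried left to right, and the next one
is consulted only when the current one returns ERROR (server unreachable).
A FAIL (server answered and denied) ends the list.
"""
from dataclasses import dataclass

# Constructed sample config: the three authorization lines from the thread plus
# one ASSUMED login line that is not in the original post.
SAMPLE_CONFIG = """
aaa authentication login default group tacacs+ local
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Scenario:
    server_reachable: bool      # can the switch reach ClearPass at all?
    server_permits_login: bool  # ClearPass verdict on the authentication request
    server_permits_cmd: bool    # ClearPass verdict on the command authorization
    local_creds_ok: bool        # username/password exist in the switch's local db


def parse_method_lists(config: str) -> dict:
    """Map (type, subtype[, level]) -> ordered list of methods.

    'group tacacs+' is two words in IOS syntax; it is merged into one method.
    """
    lists = {}
    for raw in config.strip().splitlines():
        tok = raw.split()
        if len(tok) < 5 or tok[0] != "aaa":
            continue
        if tok[1] == "authentication" and tok[2] == "login":
            key, methods = (tok[1], tok[2]), tok[4:]
        elif tok[1] == "authorization" and tok[2] == "commands":
            key, methods = (tok[1], tok[2], tok[3]), tok[5:]
        else:
            continue
        merged, i = [], 0
        while i < len(methods):
            if methods[i] == "group":
                merged.append("group " + methods[i + 1])
                i += 2
            else:
                merged.append(methods[i])
                i += 1
        lists[key] = merged
    return lists


def run_method(method: str, phase: str, s: Scenario, authenticated: bool) -> str:
    """Outcome of one method: PASS, FAIL, or ERROR (try the next method)."""
    if method == "group tacacs+":
        if not s.server_reachable:
            return ERROR
        permitted = s.server_permits_login if phase == "login" else s.server_permits_cmd
        return PASS if permitted else FAIL
    if method == "local":
        return PASS if s.local_creds_ok else FAIL   # simplified local-db model
    if method == "none":
        return PASS                                  # no check performed at all
    if method == "if-authenticated":
        return PASS if authenticated else FAIL
    raise ValueError(f"unmodelled method: {method}")


def walk(methods, phase, s: Scenario, authenticated=False):
    """Return (outcome, deciding_method). Only ERROR falls through."""
    for m in methods:
        outcome = run_method(m, phase, s, authenticated)
        if outcome != ERROR:
            return outcome, m
    return FAIL, "list exhausted"


def session(config: str, s: Scenario, level: str) -> dict:
    """Log in, then authorize one command at the given privilege level."""
    lists = parse_method_lists(config)
    login, login_by = walk(lists[("authentication", "login")], "login", s)
    if login != PASS:
        return {"login": login, "login_by": login_by,
                "command": FAIL, "command_by": "not logged in"}
    cmd, cmd_by = walk(lists[("authorization", "commands", level)], "command", s, True)
    return {"login": login, "login_by": login_by, "command": cmd, "command_by": cmd_by}


# Constructed scenarios. SERVER_DENIES_CMD is the shape of the thread's
# "No enforcement profiles matched" error: ClearPass is reachable and denies.
SERVER_UP = Scenario(True, True, True, True)
SERVER_DOWN = Scenario(False, False, False, True)
SERVER_DOWN_NO_LOCAL = Scenario(False, False, False, False)
SERVER_DENIES_CMD = Scenario(True, True, False, True)

if __name__ == "__main__":
    for name, sc in [("up", SERVER_UP), ("down", SERVER_DOWN),
                     ("down, no local user", SERVER_DOWN_NO_LOCAL),
                     ("up, denies command", SERVER_DENIES_CMD)]:
        for level in ("0", "1", "15"):
            print(f"{name:22} level {level:>2}: {session(SAMPLE_CONFIG, sc, level)}")
```

Two results worth noting from the run: with ClearPass down, the login falls through to `local` and the level-15 command is allowed by `if-authenticated`, which is the fail-through Troy describes and is why a local account must exist on the switch; with ClearPass up but returning no matching enforcement profile, the command is denied by `group tacacs+` and `if-authenticated` is never consulted, which is why the error quoted above has to be fixed in the ClearPass service rather than worked around on the switch.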
