Occasional Contributor II

Guide to configure TACACS on ArubaOS 6.1.3.6

Hi everyone--I'm still trying to get a handle on how to configure things in the Aruba controllers (used to the Cisco way of things...), and I'm trying to figure out how to configure TACACS to do my AAA.  In our other controllers, it's working fine, but there was no documentation left by the person who set them up a while ago...

 

Does anyone have a document that breaks it down?  Everything in ACS is ready to go, just need to get an idea of what to do in the Aruba side of things.

 

thanks all!

 

SJ

Scott A. Jones, CCVP
Network Architect
Orrick, Herrington and Sutcliffe LLP
Guru Elite

Re: Guide to configure TACACS on ArubaOS 6.1.3.6

I don't have a guide, but I can provide some commands:

 

### CONFIGURE YOUR TACACS SERVERS

aaa authentication-server tacacs "TACACS-SERVER-A"
   host 10.10.10.10
   key XXXXXX

### PUT YOUR TACACS SERVERS INTO A SERVER GROUP

aaa server-group "TACACS-SVR-GROUP"
   auth-server TACACS-SERVER-A
   auth-server TACACS-SERVER-B

### ENABLE TACACS FOR MGMT ACCESS AUTHENTICATION

aaa authentication mgmt
   server-group "TACACS-SVR-GROUP"
   default-role "no-access"
   enable

### ENABLE TACACS ACCOUNTING

aaa tacacs-accounting server-group TACACS-SVR-GROUP mode enable command configuration

(options for command are: action, all, configuration, show)


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
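
Added example, not part of the original posts and not Aruba tooling: a small Python check for one way a config like the one above can quietly misbehave, namely a server group that names an auth-server with no stanza of its own (TACACS-SERVER-B above is referenced but never defined). It assumes a saved config in which sub-commands are indented under their parent command; the function names `parse` and `audit` are hypothetical.

```python
# Constructed sample: the stanzas from the post above, joined as one config.
SAMPLE = '''
aaa authentication-server tacacs "TACACS-SERVER-A"
   host 10.10.10.10
   key XXXXXX
aaa server-group "TACACS-SVR-GROUP"
 auth-server TACACS-SERVER-A
 auth-server TACACS-SERVER-B
aaa authentication mgmt
   server-group "TACACS-SVR-GROUP"
   default-role "no-access"
   enable
aaa tacacs-accounting server-group TACACS-SVR-GROUP mode enable command configuration
'''

def parse(text):
    """Map each top-level command to its list of indented sub-commands."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.replace('"', '')
        if not line.strip() or line.strip() == '!':
            continue
        if line[0].isspace() and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = ' '.join(line.split())
            stanzas[current] = []
    return stanzas

def audit(text):
    """Return findings about dangling references in the AAA stanzas."""
    st, findings = parse(text), []
    servers = {h.split()[-1] for h in st if h.startswith('aaa authentication-server ')}
    groups = {h.split()[-1]: b for h, b in st.items() if h.startswith('aaa server-group ')}
    for name, body in groups.items():
        for cmd in body:
            if cmd.startswith('auth-server ') and cmd.split()[1] not in servers:
                findings.append(f'{name}: auth-server {cmd.split()[1]} is not defined')
    mgmt = st.get('aaa authentication mgmt', [])
    if 'enable' not in mgmt:
        findings.append('mgmt: authentication is not enabled')
    for cmd in mgmt:
        if cmd.startswith('server-group ') and cmd.split()[1] not in groups:
            findings.append(f'mgmt: server-group {cmd.split()[1]} is not defined')
    for h in st:
        if h.startswith('aaa tacacs-accounting server-group ') and h.split()[3] not in groups:
            findings.append(f'accounting: server-group {h.split()[3]} is not defined')
    return findings
print(audit(SAMPLE))
```
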
Occasional Contributor II

Re: Guide to configure TACACS on ArubaOS 6.1.3.6

Cool.  I'll try it and let you know.

 

Thanks

 

SJ

Scott A. Jones, CCVP
Network Architect
Orrick, Herrington and Sutcliffe LLP
Occasional Contributor II

Re: Guide to configure TACACS on ArubaOS 6.1.3.6

So I put the commands in, and I'm still not able to use my Active Directory login...local account works (*sigh of relief*), but I'm still trying to understand why it wouldn't work...commands seemed to take with no issue.

Scott A. Jones, CCVP
Network Architect
Orrick, Herrington and Sutcliffe LLP
Guru Elite

Re: Guide to configure TACACS on ArubaOS 6.1.3.6

ACS may use MS-CHAP-v2. You can enable that under aaa authentication mgmt and then enter mschapv2.

 

You can look at the security log on the controller with the following command:

 

show log security all | include authmgr

 

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Guide to configure TACACS on ArubaOS 6.1.3.6

This is a new one...

 

Aug 28 01:32:30 :199802:  <ERRS> |authmgr|  tacplus.c, tacplus_api:49: Invalid authentication protocol for TACACS+

 

ACS didn't show any requests at all from this particular device...looks like a call to Aruba TAC may be in order unless you have any insight into the issue at hand now...

 

Really appreciate the help.

Scott A. Jones, CCVP
Network Architect
Orrick, Herrington and Sutcliffe LLP
Guru Elite

Re: Guide to configure TACACS on ArubaOS 6.1.3.6

Try enabling MS-CHAP-v2.

 

Under aaa authentication mgmt, enter mschapv2


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Guide to configure TACACS on ArubaOS 6.1.3.6

Hmm...still no luck.  I'll open a ticket with TAC and post once we figure out what's happening so that hopefully between your instructions and whatever the final fix is, the next person will have a lot less trouble.

 

Thanks Brad

 

SJ

Scott A. Jones, CCVP
Network Architect
Orrick, Herrington and Sutcliffe LLP
Aruba Employee

Re: Guide to configure TACACS on ArubaOS 6.1.3.6

Try changing the default TACACS port from 49 to 4949.  To go with the previous explanation, see the command below.

aaa authentication-server tacacs "TACACS-SERVER-A"
   host 10.10.10.10
   key XXXXXX
   tcp-port 4949

Occasional Contributor II

Re: Guide to configure TACACS on ArubaOS 6.1.3.6

Anybody ever get this to work? I'm testing a MAS S3500 now and just getting timeouts to our Cisco ACS TACACS server. Thanks