Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to change the Banner in TACACS when access the switches in CLI ?

  • 1.  How to change the Banner in TACACS when access the switches in CLI ?

    Posted Jun 11, 2015 02:59 AM

    I have ClearPass with TACACS service and I need to change this banner:

     


    User Access Verification (Policy Manager)

     

     

     



  • 2.  RE: How to change the Banner in TACACS when access the switches in CLI ?

    Posted Nov 13, 2015 02:37 PM

    Has anyone been able to modify the banner as well as the "UserName:" prompt?



  • 3.  RE: How to change the Banner in TACACS when access the switches in CLI ?

    Posted Nov 16, 2015 04:42 PM

    Not sure if this is the banner you are looking for: Capture.JPG



  • 4.  RE: How to change the Banner in TACACS when access the switches in CLI ?

    Posted Nov 17, 2015 08:09 AM

    That isn't the banner I am referring to. It is the banner when connecting to a Cisco switch.

     

     

    User Access Verification (Policy Manager)

    UserName:

     

     

    The username prompt command does not work when tacacs+ is enabled.



  • 5.  RE: How to change the Banner in TACACS when access the switches in CLI ?

    Posted Nov 17, 2015 08:40 AM

    Can you post your Cisco config?  I have no problem using CPPM TACACS with all of my Cisco routers.  This is the banner and login prompt I got:

    Capture.JPG

     



  • 6.  RE: How to change the Banner in TACACS when access the switches in CLI ?

    Posted Nov 17, 2015 08:44 AM

    aaa new-model
    aaa authentication username-prompt enter user id:
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local

    tacacs-server host x.x.x.x key xxxxxxxxx



  • 7.  RE: How to change the Banner in TACACS when access the switches in CLI ?

    Posted Nov 17, 2015 09:01 AM

    Try this new Cisco IOS for TACACS configuration:

     

    1. Define your TACACS servers:
      tacacs server CP01
       address ipv4 x.x.x.x
       key 7 1234567890
      tacacs server CP02
       address ipv4 x.x.x.x
       key 7 1234567890
    2. Configure TACACS server group:
      aaa group server tacacs+ TACACS-CPPM
       server name CP01
       server name CP02
       ip tacacs source-interface GigabitEthernet0
    3. Configure aaa:
      aaa authentication login default group TACACS-CPPM local
      aaa authentication enable default none
      aaa authorization config-commands
      aaa authorization exec default group TACACS-CPPM local
      aaa authorization commands 0 default group TACACS-CPPM none
      aaa authorization commands 1 default group TACACS-CPPM if-authenticated
      aaa authorization commands 15 default group TACACS-CPPM if-authenticated
      aaa accounting commands 15 default start-stop group TACACS-CPPM
      aaa accounting connection default start-stop group TACACS-CPPM

     



  • 8.  RE: How to change the Banner in TACACS when access the switches in CLI ?

    Posted Nov 17, 2015 10:13 AM

    I have determined that the username prompt change works up until I enter this command:

     

    aaa authentication login default group tacacs-cppm local

     

    Then this overrides the Cisco commands:

     

    User Access Verification (Policy Manager)

    UserName:

     

     



  • 9.  RE: How to change the Banner in TACACS when access the switches in CLI ?

    Posted Nov 17, 2015 11:50 AM

    This configuration works for my CPPM and other Linux-based TACACS+, and I am sure it works for Cisco NAC because I got this configuration from a Cisco NAC document.

     

    Two suggestions: upgrade your IOS, and check your CPPM service, especially the enforcement profile.

    Have you tried this ASE:

    https://ase.arubanetworks.com/solutions/id/80

     



  • 10.  RE: How to change the Banner in TACACS when access the switches in CLI ?

    Posted Nov 17, 2015 01:18 PM

    I can't find any documentation relating to the username prompt.

     

    User Access Verification (Policy Manager)

    UserName:

     

    aaa authentication username-prompt Username:

     

    The prompt does not reflect the command. However, when TACACS is disabled the command works.



  • 11.  RE: How to change the Banner in TACACS when access the switches in CLI ?

    Posted Nov 20, 2015 01:56 PM

    For your reference you can check following command reference which has some information about the command you are using:

     

    http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathen.html#wp1018209

     

    Extracted from this link:

     

    Some protocols (for example, TACACS+) have the ability to override the use of local username prompt information. Using the aaa authentication username-prompt command will not change the username prompt text in these instances.

     

    The aaa authentication username-prompt command does not change any dialog that is supplied by a remote TACACS+ server.

     

    To change the prompt to the one you need you will have to do it from the Tacacs server side.

     

    My question is: where in the CPPM do I change this?
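
The Cisco text quoted above says the dialog comes from the remote TACACS+ server; on the wire that dialog is the server_msg field of the authentication REPLY packet (RFC 8907). As an added example, not part of the thread and not ClearPass or Cisco code, this parser de-obfuscates a REPLY and extracts the prompt, which lets you confirm from a capture which side produced it. The sample packet, shared key and session ID are constructed values.

```python
import hashlib
import struct

# Authentication REPLY status codes (RFC 8907, section 5.2)
STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
          0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}
TAC_PLUS_AUTHEN = 0x01            # header "type" value for authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is not obfuscated

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 pad from RFC 8907 section 4.5, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()  # each block chains the previous hash
        pad += block
    return pad[:length]

def parse_authen_reply(packet, key=b""):
    """Return (status, noecho, server_msg) from one authentication REPLY packet."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHEN or seq_no % 2:
        raise ValueError("not an authentication REPLY (server packets have even seq_no)")
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(b ^ p for b, p in zip(body, pad))
    status, rflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != length:
        raise ValueError("length fields inconsistent (wrong key?)")
    server_msg = body[6:6 + msg_len].decode("utf-8", "replace")
    return STATUS.get(status, hex(status)), bool(rflags & 0x01), server_msg

def build_sample_reply(prompt, key):
    """Constructed sample: a GETUSER reply carrying `prompt`, obfuscated with `key`."""
    msg = prompt.encode()
    body = struct.pack("!BBHH", 0x04, 0x00, len(msg), 0) + msg
    version, seq_no, session_id = 0xC0, 2, 0x1234ABCD  # constructed header values
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))

SAMPLE_KEY = b"example-shared-secret"  # constructed value, not a real key
SAMPLE = build_sample_reply("User Access Verification (Policy Manager)\n\nUserName:", SAMPLE_KEY)
```

A GETUSER status with non-empty server_msg means the switch is displaying text sent by the server, which is why the local `aaa authentication username-prompt` setting has no effect in that case.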



  • 12.  RE: How to change the Banner in TACACS when access the switches in CLI ?

    Posted Oct 26, 2016 08:55 AM

    I am seeing this same thing on some Cisco switches that I am using ClearPass with to authorize TACACS+. Has anyone found a way to change this? Thanks.