Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

List of TACACS/RADIUS supported vendors

  • 1.  List of TACACS/RADIUS supported vendors

    Posted Oct 24, 2012 09:28 AM

    Hi,

     

    Does anyone know of a list of supported vendors on CPPM? Using TACACS and RADIUS with vendor specific attributes? 

     

    Regards,

     

    Z.



  • 2.  RE: List of TACACS/RADIUS supported vendors

    Posted Oct 24, 2012 10:39 AM


  • 3.  RE: List of TACACS/RADIUS supported vendors

    Posted Oct 24, 2012 10:51 AM

    Thanks for that list - I have calls out with Aruba for F5 and Fortinet as we can't get it working with either. We can get the authentication but not passing back the vendor-specific attributes. I am sure when we get it working we will be able to add F5 to that list.

     

    Regards,

     

    Z



  • 4.  RE: List of TACACS/RADIUS supported vendors

    Posted Oct 27, 2012 01:42 AM

    This is what I have for Fortinet:

     

    VENDOR Fortinet 12356

    BEGIN-VENDOR Fortinet
    ATTRIBUTE Fortinet-Group-Name 1 string
    ATTRIBUTE Fortinet-Client-IP-Address 2 ipaddr
    ATTRIBUTE Fortinet-Vdom-Name 3 string
    ATTRIBUTE Fortinet-Client-IPv6-Address 4 octets
    ATTRIBUTE Fortinet-Interface-Name 5 string
    ATTRIBUTE Fortinet-Access-Profile 6 string
    END-VENDOR Fortinet

     

     

    And this is what I found for F5 (from http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11431):

     

    VENDOR F5 3375
    BEGIN-VENDOR F5

    ATTRIBUTE F5-LTM-User-Role 1 integer
    ATTRIBUTE F5-LTM-User-Role-Universal 2 integer # enable/disable
    ATTRIBUTE F5-LTM-User-Partition 3 string
    ATTRIBUTE F5-LTM-User-Console 4 integer # enable/disable
    ATTRIBUTE F5-LTM-User-Shell 5 string # supported values are disable, tmsh, and bpsh
    ATTRIBUTE F5-LTM-User-Context-1 10 integer
    ATTRIBUTE F5-LTM-User-Context-2 11 integer
    ATTRIBUTE F5-LTM-User-Info-1 12 string
    ATTRIBUTE F5-LTM-User-Info-2 13 string

    VALUE F5-LTM-User-Role Administrator 0
    VALUE F5-LTM-User-Role Resource-Admin 20
    VALUE F5-LTM-User-Role User-Manager 40
    VALUE F5-LTM-User-Role Auditor 80
    VALUE F5-LTM-User-Role Manager 100
    VALUE F5-LTM-User-Role App-Editor 300
    VALUE F5-LTM-User-Role Operator 400
    VALUE F5-LTM-User-Role Guest 700
    VALUE F5-LTM-User-Role Policy-Editor 800
    VALUE F5-LTM-User-Role No-Access 900

    VALUE F5-LTM-User-Role-Universal Disabled 0
    VALUE F5-LTM-User-Role-Universal Enabled 1

    VALUE F5-LTM-User-Console Disabled 0
    VALUE F5-LTM-User-Console Enabled 1

    END-VENDOR F5
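
Added example, not part of the original posts and not Aruba or F5 code: when authentication succeeds but the role never arrives, it helps to know the exact bytes a Vendor-Specific attribute (RADIUS type 26, RFC 2865 section 5.26) should have in the Access-Accept, so they can be compared against a packet capture. The sketch below parses a subset of the F5 dictionary above and encodes/decodes one VSA; the function names and the one-sub-attribute-per-VSA layout are assumptions of this example.

```python
import struct

# Subset of the F5 dictionary quoted in the post above.
F5_DICT = """
VENDOR F5 3375
BEGIN-VENDOR F5
ATTRIBUTE F5-LTM-User-Role 1 integer
ATTRIBUTE F5-LTM-User-Partition 3 string
VALUE F5-LTM-User-Role Administrator 0
VALUE F5-LTM-User-Role Guest 700
END-VENDOR F5
"""

def parse_dictionary(text):
    """Return (vendor_id, {name: (code, type)}, {name: {label: number}})."""
    vendor_id, attrs, values = None, {}, {}
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()  # drop trailing comments
        if not tok:
            continue
        if tok[0] == "VENDOR":
            vendor_id = int(tok[2])
        elif tok[0] == "ATTRIBUTE":
            attrs[tok[1]] = (int(tok[2]), tok[3])
        elif tok[0] == "VALUE":
            values.setdefault(tok[1], {})[tok[2]] = int(tok[3])
    return vendor_id, attrs, values

def encode_vsa(vendor_id, attrs, values, name, value):
    """Build one Vendor-Specific attribute (type 26, RFC 2865 section 5.26)."""
    code, typ = attrs[name]
    if typ == "integer":  # named VALUEs map to 32-bit big-endian integers
        data = struct.pack("!I", values.get(name, {}).get(value, value))
    else:
        data = value.encode()
    sub = bytes([code, len(data) + 2]) + data
    return bytes([26, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub

def decode_vsa(raw, attrs):
    """Decode a type-26 attribute holding one sub-attribute (assumed layout)."""
    if len(raw) < 8 or raw[0] != 26 or raw[1] != len(raw) or raw[7] != len(raw) - 6:
        raise ValueError("malformed Vendor-Specific attribute")
    vendor_id, code = struct.unpack("!IB", raw[2:7])
    name, typ = next(((n, t) for n, (c, t) in attrs.items() if c == code),
                     (f"unknown-{code}", "octets"))
    data = raw[8:]
    if typ == "integer":
        return vendor_id, name, struct.unpack("!I", data)[0]
    return vendor_id, name, data if typ == "octets" else data.decode()
```

For F5-LTM-User-Role = Guest the encoded attribute is `1a0c00000d2f0106000002bc`: type 26, length 12, vendor 3375 (0x0d2f), vendor type 1, vendor length 6, value 700.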

     

     



  • 5.  RE: List of TACACS/RADIUS supported vendors

    Posted Oct 29, 2012 05:43 AM

    Thanks - we worked with Gowri on Friday and managed to get F5 working. The Fortinet doesn't seem to be sending an authorization request after the authentication request so taking that up with our Fortinet support.

     

    Our Fortinet attributes from their website:

    TACACS+ Server AV pairs
    service=fortigate
    memberof=<TACACS+ group>
    admin_prof=<Required Acc Profile>

     

    And for F5 we have:

       <ServiceAttribute dataType="String" dispName="F5-LTM-User-Info-1" name="F5-LTM-User-Info-1" />

       <ServiceAttribute dataType="String" dispName="F5-LTM-User-Console" name="F5-LTM-User-Console" />

       <ServiceAttribute dataType="String" dispName="F5-LTM-User-Role" name="F5-LTM-User-Role" />

       <ServiceAttribute dataType="String" dispName="F5-LTM-User-Partition" name="F5-LTM-User-Partition" />

     

    I appreciate everyone's input.

     

    Cheers,

     

    Z



  • 6.  RE: List of TACACS/RADIUS supported vendors

    Posted Oct 30, 2012 05:12 AM

    Hi!

    Same question for CheckPoint (VPN).

     

     

    Thank you in advance!!

    Thomas



  • 7.  RE: List of TACACS/RADIUS supported vendors

    Posted Oct 31, 2012 08:39 AM

    tschloss - sorry we have binned all our Checkpoints so haven't had to get that vendor working on CPPM.

     

    We do have Sourcefire, Juniper, Fortigate, F5, Cisco, Avocent, Aruba and Citrix..... that's more than enough :)

     

    Z.



  • 8.  RE: List of TACACS/RADIUS supported vendors

    Posted Feb 08, 2017 11:24 PM

    How about Juniper NetScreen SSG? Can anyone get it to work for TACACS+?