Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Policy Manager TACACS authorization for Prime (CiscoWorks) LMS

  • 1.  Policy Manager TACACS authorization for Prime (CiscoWorks) LMS

    Posted Apr 28, 2016 10:21 AM

    Our organization has both Prime Infrastructure (for wireless) as well as Prime (CiscoWorks) LMS for all of our routing/switching equipment.  Prime Infrastructure has an easy method to download a TACACS or RADIUS task list that I was able to add into Policy Manager to map a user into a defined role in the tool.  I am not able to find this same task list with the CiscoWorks LMS tool.

     

    I have asked Cisco and they have not been able to assist me with this and was wondering if anyone in the community has a working example of what the enforcement profile syntax would look like from the service attributes perspective.



  • 2.  RE: Policy Manager TACACS authorization for Prime (CiscoWorks) LMS

    MVP
    Posted May 02, 2016 08:03 PM

    I am not at work right now, but we are using ClearPass RADIUS to authenticate Cisco Prime users using the Cisco Prime roles.

     

    Is there any specific reason you wish to use TACACS?



  • 3.  RE: Policy Manager TACACS authorization for Prime (CiscoWorks) LMS

    MVP
    Posted May 03, 2016 08:20 AM

    When using RADIUS, the Cisco Prime roles control the access details. The CPPM Enforcement Profile is quite simple. You need to return, at a minimum, 2 attributes.

     

    For example,

    Radius:Cisco Cisco-AVPair = NCS:role0=Admin

    Radius:Cisco Cisco-AVPair = NCS:virtual-domain0=ROOT-DOMAIN

     

    This is for a Prime Admin user, of course.

    You can see the role information by going to:

    Administration / Users / Users, Roles, & AAA / User Groups and click on the Task List link beside the desired role.  The top line is the role information needed. Note that this page says

      "If the size of the RADIUS attributes on your AAA server is more than 4096 bytes, Please copy ONLY role attributes,PI will retrieve the associated TASKS"

    This is the key to simplify this. I believe TACACS would need to send all the Custom Attributes.

     

    There is a Cisco authentication document online, focussed on Cisco ACS. Contact me off-list if you want a link. I hesitate to post a competitor's link on this forum. 


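The reply above describes returning Cisco-AVPair values such as NCS:role0=Admin and NCS:virtual-domain0=ROOT-DOMAIN, and quotes Prime's rule that if the attribute set exceeds 4096 bytes the server should return only the role attributes and let Prime resolve the tasks. The following is an added example, not code from the original thread, from HPE/Aruba or from Cisco: it takes a Prime Infrastructure "Task List" export, splits the role/virtual-domain attributes from the per-task attributes, estimates the size the values would occupy as Cisco vendor-specific attributes in one Access-Accept, and decides whether to return the full list or only the role attributes. The export line format (Cisco-AVPair=NCS:...) and the sample export itself are assumptions constructed for this example; check them against a real export before relying on the parser.

```python
"""
Added example (not from the original thread, HPE/Aruba or Cisco): decide which
Cisco-AVPair values a RADIUS enforcement profile should return for a Cisco Prime
Infrastructure role, applying Prime's 4096-byte rule quoted in the thread.

Assumed export format (one attribute per line):
    Cisco-AVPair=NCS:role0=Admin
    Cisco-AVPair=NCS:virtual-domain0=ROOT-DOMAIN
    Cisco-AVPair=NCS:task0=View Alerts and Events
"""
import re

# Constructed sample export for this example; not a real Prime task list.
SAMPLE_EXPORT = """\
Cisco-AVPair=NCS:role0=Admin
Cisco-AVPair=NCS:virtual-domain0=ROOT-DOMAIN
Cisco-AVPair=NCS:task0=View Alerts and Events
Cisco-AVPair=NCS:task1=Device Reports
Cisco-AVPair=NCS:task2=Monitor Clients
"""

AVPAIR_RE = re.compile(r"^\s*Cisco-AVPair\s*=\s*(NCS:\S.*?)\s*$")
# Attributes Prime needs even when the task list is omitted (per the reply above).
ROLE_PREFIXES = ("NCS:role", "NCS:virtual-domain")

# RFC 2865: attribute Length (max 255) covers Type + Length + value, so the value
# part is at most 253 bytes; a Vendor-Specific attribute spends 4 (Vendor-Id)
# + 1 (Vendor-Type) + 1 (Vendor-Length) of that on the VSA header.
VSA_OVERHEAD = 2 + 6
VSA_VALUE_MAX = 253 - 6


def parse_export(text):
    """Return the NCS:... values from a task-list export, in file order."""
    values = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = AVPAIR_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a Cisco-AVPair line: {line!r}")
        values.append(m.group(1))
    return values


def is_role_attribute(value):
    """True for NCS:roleN / NCS:virtual-domainN, False for NCS:taskN and others."""
    return value.startswith(ROLE_PREFIXES)


def wire_size(values):
    """Bytes the values occupy as Cisco-AVPair VSAs in a single Access-Accept."""
    return sum(len(v.encode("utf-8")) + VSA_OVERHEAD for v in values)


def enforcement_values(values, limit=4096):
    """
    Values to return from the enforcement profile.

    - every value must fit in one VSA (no silent truncation by the server);
    - at least one role and one virtual-domain attribute must be present,
      otherwise Prime has nothing to map the user to;
    - over `limit` bytes, return only the role attributes, as Prime's note
      says it will look up the tasks associated with the role itself.
    """
    for v in values:
        if len(v.encode("utf-8")) > VSA_VALUE_MAX:
            raise ValueError(f"value exceeds {VSA_VALUE_MAX} bytes: {v!r}")
    roles = [v for v in values if is_role_attribute(v)]
    if not any(v.startswith("NCS:role") for v in roles) or \
       not any(v.startswith("NCS:virtual-domain") for v in roles):
        raise ValueError("export lacks NCS:role / NCS:virtual-domain attributes")
    if wire_size(values) > limit:
        return roles
    return list(values)


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print(f"{len(parsed)} attributes, {wire_size(parsed)} bytes on the wire")
    for v in enforcement_values(parsed):
        print(f"Radius:Cisco Cisco-AVPair = {v}")
```

Running it against the constructed sample returns all five values, because they are far under 4096 bytes; lowering `limit` (or feeding a real export with hundreds of task lines) makes `enforcement_values` fall back to just the role and virtual-domain pair, which is the shape the reply's two-attribute profile has.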

  • 4.  RE: Policy Manager TACACS authorization for Prime (CiscoWorks) LMS

    Posted May 03, 2016 08:50 AM

    I am not having an issue with Prime.  I have successfully ported the custom task list from Prime into the service attributes in ClearPass.

     

    My issue is with CiscoWorks LMS.  There is no task list option for this tool and no concept of root-domain.  With that being said, I was hoping someone had experience setting up LMS in ClearPass.



  • 5.  RE: Policy Manager TACACS authorization for Prime (CiscoWorks) LMS

    Posted Jun 28, 2017 12:50 PM

    Hi Joseph, 

     

    May I ask if you were ever able to have TACACS authorization done for LMS in ClearPassPM?

     

    I'm trying to do the same thing now so was curious if you did figure it out and how I can find the attributes.

     

    thank you!

    Nicole



  • 6.  RE: Policy Manager TACACS authorization for Prime (CiscoWorks) LMS

    Posted Apr 17, 2018 10:50 AM

    I'm gunna add a big Me Too :-D

    Both CPI and CPLMS here, migrating away from CSACS to ClearPass.

     

    Was there a TACACS Dictionary you loaded, or did you just pound in the AV Pair list?