MVP
Posts: 1,110
Registered: ‎10-11-2011

TACACS Authorization Fails - Big Cloud Fabric Controller

I set up a TACACS service to authenticate and authorize logins to a BCF controller. The authentication passes, but I'm getting an alert that authorization is failing. The alert error is "Tacacs service=shell:ip not enabled"; see attached pic for whole error. Any thoughts?

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: TACACS Authorization Fails - Big Cloud Fabric Controller

Is authentication working without authorization?



Colin Joseph
Aruba Customer Engineering


Aruba Employee
Posts: 18
Registered: ‎04-28-2009

Re: TACACS Authorization Fails - Big Cloud Fabric Controller

Navigate to the specific TACACS+ Enforcement profile in use and navigate to the Services tab. Under Selected services, make sure 'Shell' is selected and try again. If this does not work, you may need to create and import a new TACACS dictionary (in XML) with the name 'shell:ip' that will have the attributes that the Big Cloud Fabric controller is looking for.

To import a TACACS dictionary, you may navigate to Administration --> Dictionaries --> Import. To get the XML tags, you may export any of the existing TACACS dictionaries and replace its name and the attribute specific to this case.

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: TACACS Authorization Fails - Big Cloud Fabric Controller

That did the trick! Thanks Vince.

In the "TacacsServiceDictionary" line, the name attribute was "BigSwitch". I changed this to "shell:ip" and imported it. Here's the whole thing for anyone that may have the same issue:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Wed Feb 10 21:15:00 CST 2016" version="1.0"/>
  <TacacsServiceDictionaries>
    <TacacsServiceDictionary dispName="Big Switch Networks" name="shell:ip">
      <ServiceAttribute dataType="String" dispName="BSN User Role" name="BSN-User-Role"/>
    </TacacsServiceDictionary>
  </TacacsServiceDictionaries>
</TipsContents>

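A pre-import check for the fix in the post above, as an added example (not code from the thread or from ClearPass): it pulls the service name out of the alert text, confirms whether the exported dictionary defines it, and renames the dictionary if not. The function names are hypothetical and the sample export is constructed from the posted XML with its pre-fix name "BigSwitch"; the namespace and element names are the ones in the posted file.

```python
import re
import xml.etree.ElementTree as ET

TIPS_NS = "http://www.avendasys.com/tipsapiDefs/1.0"  # namespace of the posted export
NS = {"t": TIPS_NS}
ALERT = "Tacacs service=shell:ip not enabled"  # alert text quoted in the first post

# Constructed sample: the posted dictionary with its original name, "BigSwitch".
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Wed Feb 10 21:15:00 CST 2016" version="1.0"/>
  <TacacsServiceDictionaries>
    <TacacsServiceDictionary dispName="Big Switch Networks" name="BigSwitch">
      <ServiceAttribute dataType="String" dispName="BSN User Role" name="BSN-User-Role"/>
    </TacacsServiceDictionary>
  </TacacsServiceDictionaries>
</TipsContents>"""


def requested_service(alert):
    """Extract the TACACS+ service name the device asked for from the alert text."""
    match = re.search(r"service=(\S+)", alert)
    if match is None:
        raise ValueError("alert has no service= token")
    return match.group(1)


def dictionaries(xml_text):
    """Map each TacacsServiceDictionary name to the attribute names it defines."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {d.get("name"): [a.get("name") for a in d.findall("t:ServiceAttribute", NS)]
            for d in root.iterfind(".//t:TacacsServiceDictionary", NS)}


def rename_dictionary(xml_text, old, new):
    """Return the export with exactly one dictionary renamed; refuse ambiguous input."""
    ET.register_namespace("", TIPS_NS)  # keep the default xmlns instead of an ns0: prefix
    root = ET.fromstring(xml_text.encode("utf-8"))
    hits = [d for d in root.iterfind(".//t:TacacsServiceDictionary", NS)
            if d.get("name") == old]
    if len(hits) != 1 or new in dictionaries(xml_text):
        raise ValueError(f"expected one {old!r} dictionary and no existing {new!r}")
    hits[0].set("name", new)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    wanted = requested_service(ALERT)
    if wanted not in dictionaries(SAMPLE_EXPORT):
        print(rename_dictionary(SAMPLE_EXPORT, "BigSwitch", wanted))
```

The output omits the XML declaration line, so add it back before importing if the import requires it.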
Occasional Contributor II
Posts: 39
Registered: ‎12-09-2016

Re: TACACS Authorization Fails - Big Cloud Fabric Controller

Thanks for this post... I'm trying to do the same, and followed these steps, and am still having issues.


CPPM active monitoring shows that there is successful authentication, but BCF login fails on the Big Switch side. Not sure if the enforcement policy is pushing an unknown attribute or not, but not working. 


Also, in the BCF controller, the TACACS server shows offline...although it is actually hitting the CPPM...so could be an issue with the BCF controller. Any help is appreciated. Thanks!

Aruba Employee
Posts: 18
Registered: ‎04-28-2009

Re: TACACS Authorization Fails - Big Cloud Fabric Controller

Hi David,

1. Did you import the Big Switch dictionary to CPPM as mentioned in comment #3?

2. Do you see any alert in the CPPM access tracker during the authentication attempt?

3. If there is no alert, please check the Output tab in the access tracker for the RADIUS attribute that CPPM enforced and let us know.
