Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

TACACS+ For Cisco to replace ACS

  • 1.  TACACS+ For Cisco to replace ACS

    Posted Mar 10, 2015 05:04 PM

    I am testing the potential for ClearPass to replace old Cisco ACS for logins. I was using the solution exchange document/config that is out there, but on a 2960X Cisco switch. I am able to get a local account from ClearPass to authenticate, but I still have to type in the enable password. The ClearPass side appears to be configured the same as the screenshots the site describes.


    On the switch, the commands were applied (that worked):


    aaa new-model
    aaa group server tacacs+ HomeOffice
    aaa authentication login default group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ none
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa session-id common


    tacacs-server host 10.x.x.x
    tacacs-server directed-request
    tacacs-server key 7 THEKEYUSED


    This is under Access Tracker for the specific login used, under the policy tab in ClearPass:

    Service Name :
    Cisco Wired TACACS Service
    Authentication Source :
    [Local User Repository]
    Role:
    [User Authenticated], [TACACS Super Admin]
    Profiles:
    TACACS Cisco Priv 15




  • 2.  RE: TACACS+ For Cisco to replace ACS

    EMPLOYEE
    Posted Mar 10, 2015 05:19 PM

    I am not sure if the ASE article mentions bypassing the enable prompt.


    You might be looking for the command:

    http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathen.html


    aaa authentication enable default enable



  • 3.  RE: TACACS+ For Cisco to replace ACS
    Best Answer

    Posted Mar 10, 2015 08:36 PM

    I tried that and it didn't work, but then I continued to remove and add commands regarding aaa. I eventually ended up with what we use in production with ACS.


    aaa new-model
    aaa authentication login default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common


    That still did not work... so I took a look at my Service on ClearPass and compared it to ACS. There really wasn't a big difference, but I decided to play around with the ClearPass Enforcement Profile service attributes. That worked.


    I added in as a service attribute: Type: Shell, Name: priv-lvl, Value: 15.


    The next time I tried to login, it skipped the enable prompt :)

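    As an added illustration (not from the thread, ClearPass or Cisco code), here is a small Python encoder and parser for the TACACS+ authorization REPLY body as laid out in RFC 8907. It shows why the priv-lvl=15 service attribute in the enforcement profile is what removes the enable prompt: the privilege level a device grants comes from that attribute-value pair, and a reply carrying only service=shell leaves the session at the default level. The two sample replies are constructed inline, not captured traffic.

```python
import struct
# TACACS+ authorization REPLY status codes (RFC 8907, section 6.2)
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_PASS_REPL = 0x02
AUTHOR_STATUS_FAIL = 0x10

def encode_author_reply(status, args, server_msg=b"", data=b""):
    """Build the cleartext body of an authorization REPLY. Layout: status(1)
    arg_cnt(1) server_msg_len(2) data_len(2) arg_len(1)*N server_msg data args."""
    raw = [a.encode() for a in args]
    hdr = struct.pack("!BBHH", status, len(raw), len(server_msg), len(data))
    return hdr + bytes(len(a) for a in raw) + server_msg + data + b"".join(raw)

def decode_author_reply(body):
    """Parse a REPLY body into (status, server_msg, data, [args])."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    arg_lens, off = body[6:6 + arg_cnt], 6 + arg_cnt
    server_msg, off = body[off:off + msg_len], off + msg_len
    data, off = body[off:off + data_len], off + data_len
    args = []
    for n in arg_lens:  # argument strings are stored back to back after data
        args.append(body[off:off + n].decode())
        off += n
    if off != len(body):
        raise ValueError("trailing bytes in authorization REPLY")
    return status, server_msg, data, args

def split_arg(arg):
    """Split 'attr=value' (mandatory) or 'attr*value' (optional) at the first separator."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError(f"malformed attribute-value pair: {arg!r}")

def shell_privilege(body, default=1):
    """Privilege level a device would grant from this REPLY, or None if authorization
    failed. With no priv-lvl the session starts at the default EXEC level (enable prompt)."""
    status, _, _, args = decode_author_reply(body)
    if status not in (AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL):
        return None
    for arg in args:
        name, value, _mandatory = split_arg(arg)
        if name == "priv-lvl":
            return int(value)
    return default

# Constructed sample replies (not captured from ClearPass): with and without priv-lvl.
WITH_PRIV = encode_author_reply(AUTHOR_STATUS_PASS_ADD, ["service=shell", "priv-lvl=15"])
NO_PRIV = encode_author_reply(AUTHOR_STATUS_PASS_ADD, ["service=shell"])
```

    Running shell_privilege over both samples gives 15 for the first and the default 1 for the second, which is the behaviour the thread describes before and after adding the attribute.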


  • 4.  RE: TACACS+ For Cisco to replace ACS

    Posted Mar 11, 2015 05:14 PM

    Mark your last post as the solution if you can, so others can see. Great job! I love using CPPM as a replacement for ACS!