I am testing the potential for ClearPass to replace old Cisco ACS for logins. I was using the solution exchange document/config that is out there, but on a 2960X Cisco switch. I am able to get a local account from ClearPass to authenticate, but I still have to type in the enable password. The ClearPass side appears to be configured the same as the screenshots the site describes.
On the switch, the commands were applied (that worked):
aaa new-model
aaa group server tacacs+ HomeOffice
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
tacacs-server host 10.x.x.x
tacacs-server directed-request
tacacs-server key 7 THEKEYUSED
This is under Access Tracker for the specific login used, under the policy tab in ClearPass:
Service Name: Cisco Wired TACACS Service
Authentication Source: [Local User Repository]
Role: [User Authenticated], [TACACS Super Admin]
Profiles: TACACS Cisco Priv 15
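As an added example (not from the post, and not ClearPass or Cisco code), a small Python audit over the AAA lines quoted above, assuming the running-config excerpt is available as plain text: it reports whether the enable step is sent to TACACS+ at all and whether the shared key is stored with reversible type 7 obfuscation. Whether the server actually returns priv-lvl=15 in its shell authorization reply is outside what a config-side check can see.

```python
# Constructed sample: the AAA lines from the post above (server IP and key redacted as posted).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ HomeOffice
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
tacacs-server host 10.x.x.x
tacacs-server directed-request
tacacs-server key 7 THEKEYUSED
"""

def _has(lines, prefix, needle=""):
    """True if some config line starts with prefix and contains needle."""
    return any(ln.startswith(prefix) and needle in ln for ln in lines)

# Each check is (finding text, predicate that is True when the finding applies).
CHECKS = [
    ("aaa new-model missing", lambda ls: "aaa new-model" not in ls),
    ("no tacacs-server host defined", lambda ls: not _has(ls, "tacacs-server host ")),
    ("login authentication does not use tacacs+",
     lambda ls: not _has(ls, "aaa authentication login ", "group tacacs+")),
    ("no 'aaa authentication enable' line: 'enable' is checked against the local enable secret, not tacacs+",
     lambda ls: not _has(ls, "aaa authentication enable ", "group tacacs+")),
    ("exec authorization does not use tacacs+ (server cannot assign the privilege level)",
     lambda ls: not _has(ls, "aaa authorization exec ", "group tacacs+")),
    ("tacacs-server key stored as type 7 (reversible obfuscation, not encryption)",
     lambda ls: _has(ls, "tacacs-server key 7 ")),
]

def audit_aaa(config: str) -> list[str]:
    """Return the findings that apply to an IOS running-config excerpt, in check order."""
    lines = {ln.strip() for ln in config.splitlines() if ln.strip()}
    return [text for text, applies in CHECKS if applies(lines)]

if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print("FINDING:", finding)
```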