Occasional Contributor II
Posts: 11
Registered: ‎03-11-2014

TACACS+ For Cisco to replace ACS

I am testing the potential for ClearPass to replace old Cisco ACS for logins. I was using the solution exchange document/config that is out there, but on a 2960X Cisco switch. I am able to get a local account from ClearPass to authenticate, but I still have to type in the enable password. The ClearPass side appears to be configured the same as the screenshots the site describes.

On the switch, the commands were applied (that worked):

aaa new-model
aaa group server tacacs+ HomeOffice
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common

tacacs-server host 10.x.x.x
tacacs-server directed-request
tacacs-server key 7 THEKEYUSED

This is under Access Tracker for the specific login used, under the policy tab in ClearPass:

Service Name: Cisco Wired TACACS Service
Authentication Source: [Local User Repository]
Role: [User Authenticated], [TACACS Super Admin]
Profiles: TACACS Cisco Priv 15

Guru Elite
Posts: 21,490
Registered: ‎03-29-2007

Re: TACACS+ For Cisco to replace ACS

I am not sure if the ASE article mentions bypassing the enable prompt.

You might be looking for the command:

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathen.html

aaa authentication enable default enable

Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 11
Registered: ‎03-11-2014

Re: TACACS+ For Cisco to replace ACS

I tried that and it didn't work, but then I continued to remove and add commands regarding aaa. I eventually ended up with what we use in production with ACS.

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common

That still did not work... so I took a look at my Service on ClearPass and compared it to ACS. There really wasn't a big difference, but I decided to play around with the ClearPass Enforcement Profile service attributes. That worked.

I added in as a service attribute Type: Shell, Name: priv-lvl, Value: 15.

The next time I tried to log in, it skipped the enable prompt :)

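To show what that enforcement-profile change actually puts on the wire, here is an added example (not from this thread, ClearPass or Cisco) that encodes and decodes the TACACS+ exec authorization REPLY carrying priv-lvl=15, and applies the RFC 8907 MD5 pad obfuscation that the shared key on the switch protects it with; the session id, reply contents and key are constructed values.

```python
import hashlib
import re
import struct

# TACACS+ authorization REPLY status codes (RFC 8907, section 6.2).
AUTHOR_PASS_ADD = 0x01   # keep the client's args, add the server's
AUTHOR_PASS_REPL = 0x02  # replace the client's args with the server's
AUTHOR_FAIL = 0x10

def build_author_reply(status, args, server_msg=b"", data=b""):
    """Encode a REPLY body: status, arg_cnt, server_msg len, data len,
    one length byte per arg, then server_msg, data and the args themselves."""
    arg_bytes = [a.encode() for a in args]
    head = struct.pack("!BBHH", status, len(arg_bytes), len(server_msg), len(data))
    return head + bytes(map(len, arg_bytes)) + server_msg + data + b"".join(arg_bytes)

def parse_author_reply(body):
    """Decode a REPLY body into (status, {attribute: value}) as the switch sees it.
    '=' marks a mandatory attribute and '*' an optional one."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6 + arg_cnt + msg_len + data_len
    attrs = {}
    for n in body[6:6 + arg_cnt]:
        m = re.fullmatch(r"([^=*]+)[=*](.*)", body[pos:pos + n].decode())
        attrs[m.group(1)] = m.group(2)
        pos += n
    return status, attrs

def obfuscate(body, session_id, key, version=0xC0, seq_no=2):
    """XOR the body with the MD5 pad chain derived from the shared key
    (RFC 8907, section 4.5); applying it twice restores the plaintext."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

def exec_priv_level(reply_body):
    """Privilege level the exec shell starts at. Without a priv-lvl attribute the
    switch uses the default level 1, which is when the enable prompt still appears."""
    status, attrs = parse_author_reply(reply_body)
    if status not in (AUTHOR_PASS_ADD, AUTHOR_PASS_REPL):
        return None
    return int(attrs.get("priv-lvl", 1))

# Constructed sample: the reply the server sends once the enforcement profile
# carries the Shell attribute priv-lvl=15.
SAMPLE_REPLY = build_author_reply(AUTHOR_PASS_ADD, ["priv-lvl=15"])
```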
Frequent Contributor I
Posts: 69
Registered: ‎05-06-2013

Re: TACACS+ For Cisco to replace ACS

Mark your last post as the solution if you can, so others can see. Great job! I love using CPPM as a replacement for ACS!
