
Frequent Contributor I
Posts: 68
Registered: ‎12-14-2012

TACACS for Management Users on Aruba Controller not matching VSA

Scenario

Using TACACS for mgmt user access I always get root access regardless of what is sent back from CPPM; read-only does not work as it should.

I have a controller running AOS 6.1.34, configured for TACACS to auth the mgmt users.

 

----------------  AOS config --------------

aaa authentication-server tacacs "10.254.5.21"
   host 10.254.5.21
   key b8059de7fd5ba7390bf9256f791c9d61d2b11b7e69e07117
   session-authorization
!
aaa authentication mgmt
   server-group "tacacs"
   enable
!

----------  end AOS config -------

 

On ClearPass I can see the auth request hit Access Tracker, and I see that it is using the standard [Aruba TACACS Read-Only Access] enforcement profile.

For a user that is not an admin I get full access when I log into the controller. When I use an admin account it works as expected.

 

Questions:

1. What logging shows the admin user logging in and the attributes sent back from ClearPass, to confirm that the controller is receiving what Access Tracker says is sent?

2. Did I miss something in the config?

 

 

Guru Elite
Posts: 7,823
Registered: ‎09-08-2010

Re: TACACS for Management Users on Aruba Controller not matching VSA


Did you add the TACACS server to the server group?

 

Also, you can try enabling these debug commands:

logging level debugging security process authmgr subcat aaa
logging level debugging security process aaa subcat aaa

show log security


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 68
Registered: ‎12-14-2012

Re: TACACS for Management Users on Aruba Controller not matching VSA

Yeah, CPPM is set up with a shared secret, the TACACS server on the controller is pointed to CPPM, and under MANAGEMENT > Administration the TACACS server is added as a server group (proved by Access Tracker showing requests from the controller).

 

I will check aaa logs

Frequent Contributor I
Posts: 68
Registered: ‎12-14-2012

Re: TACACS for Management Users on Aruba Controller not matching VSA

So from the security logs you can see that itadmin gets a VSA of root and engineer gets a VSA of read-only, but both users have full access to the web UI.

Is there a way to check and see the admin users like you can for the wireless users? show user or show user internal shows nothing.

 

 

 

 

----------  start clip -----------

 

Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:440] tac_authen_pap_read: authentication ok
Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:270] tac_author_pap_send: user 'itadmin'(mgmt user), tty 'tty0', rem_addr '172.16.199.165', encrypt: yes
Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:341] tac_author_pap_send: written message of size 75
Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:706] TACACS server 10.254.5.21-10.254.5.21-49 response on port 75
Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:556] Total 1 args in author response
Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:574] tac_author_pap_read: authorization ok
Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:581] tac_author_pap_read: Aruba-Admin-Role: root
Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:595] tac_author_pap_read: Aruba-Admin-Role AVP created
Jan 21 05:35:37 :121031:  <DBUG> |authmgr| |aaa| [rc_sequence.c:107] seq_num_timeout_handler: Freed 0 entries
Jan 21 05:35:40 :126005:  <WARN> |wms| |ids| Interfering AP: The system classified an access point (BSSID 24:de:c6:55:ad:98 and SSID dba7c7ce8f87f3aa0953b14a613c55a on CHANNEL 36) as interfering. Additional Info: Detector-AP-Name:d8:c7:c8:ca:1e:01; Detector-AP-MAC:d8:c7:c8:21:e0:18; Detector-AP-Radio:1.
Jan 21 05:35:41 :126005:  <WARN> |wms| |ids| Interfering AP: The system classified an access point (BSSID 24:de:c6:55:ad:9a and SSID employee202-70 on CHANNEL 36) as interfering. Additional Info: Detector-AP-Name:d8:c7:c8:ca:1e:01; Detector-AP-MAC:d8:c7:c8:21:e0:18; Detector-AP-Radio:1.
Jan 21 05:35:47 :121031:  <DBUG> |authmgr| |aaa| [rc_sequence.c:107] seq_num_timeout_handler: Freed 0 entries
Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:91] tac_authen_pap_send: user 'engineer'(mgmt user), tty 'tty0', rem_addr '172.16.199.165', encrypt: yes
Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:162] tac_authen_pap_send: written message of size 51
Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:706] TACACS server 10.254.5.21-10.254.5.21-49 response on port 75
Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:440] tac_authen_pap_read: authentication ok
Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:270] tac_author_pap_send: user 'engineer'(mgmt user), tty 'tty0', rem_addr '172.16.199.165', encrypt: yes
Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:341] tac_author_pap_send: written message of size 76
Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:706] TACACS server 10.254.5.21-10.254.5.21-49 response on port 75
Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:556] Total 1 args in author response
Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:574] tac_author_pap_read: authorization ok
Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:581] tac_author_pap_read: Aruba-Admin-Role: read-only
Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:595] tac_author_pap_read: Aruba-Admin-Role AVP created
Jan 21 05:35:57 :121031:  <DBUG> |authmgr| |aaa| [rc_sequence.c:107] seq_num_timeout_handler: Freed 0 entries
Jan 21 05:36:37 :121031:  <DBUG> |authmgr| |aaa| [rc_sequence.c:107] seq_num_timeout_handler: Freed 0 entries

 

------------  end clip ---------
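
The debug lines above show the controller reading an authorization REPLY with one argument and turning it into the Aruba-Admin-Role AVP, with "encrypt: yes" meaning the body is obfuscated with the shared key. The following is an added example, not code from this thread, Aruba or ClearPass: it builds and decodes such a REPLY per RFC 8907 (TACACS+), including the MD5 pseudo-pad, so you can see the attribute on the wire and why a shared-key mismatch yields garbage rather than a clean failure. The key, session id and the exact argument string "Aruba-Admin-Role=read-only" are constructed assumptions; the log only shows the controller's parsed form.

```python
"""Build and decode a TACACS+ authorization REPLY (RFC 8907) to show what the
controller is parsing when the debug log says "Total 1 args in author
response" and "Aruba-Admin-Role: read-only".

Added example; not code from the thread, Aruba or ClearPass. The shared key,
session id and the "Aruba-Admin-Role=read-only" argument text are constructed.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0 (default)
TAC_PLUS_AUTHOR = 0x02             # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body is sent in the clear when set
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
KNOWN_STATUS = {0x01, 0x02, 0x10, 0x11, 0x21}   # PASS_ADD, PASS_REPL, FAIL, ERROR, FOLLOW

# version, type, seq_no, flags, session_id, length (12 bytes, network order)
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(key, session_id, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, key, session_id, version, seq_no):
    """XOR with the pseudo-pad; the same call both hides and reveals the body."""
    pad = pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(key, session_id, seq_no, status, args, server_msg=""):
    """Server -> client REPLY. args are "name=value" (mandatory) or
    "name*value" (optional) strings, e.g. "Aruba-Admin-Role=read-only"."""
    encoded = [a.encode() for a in args]
    msg = server_msg.encode()
    body = struct.pack("!BBHH", status, len(encoded), len(msg), 0)  # data_len 0
    body += bytes(len(a) for a in encoded)       # one length byte per arg
    body += msg + b"".join(encoded)
    flags = 0
    if key:
        body = obfuscate(body, key, session_id, TAC_PLUS_VERSION, seq_no)
    else:
        flags = TAC_PLUS_UNENCRYPTED_FLAG
    return HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, flags,
                       session_id, len(body)) + body


def parse_author_reply(key, packet):
    """Client side. A wrong shared key does not fail cleanly: the XOR just
    yields garbage, so status and field lengths are checked against the body."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, key, session_id, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body)
    arg_lens = list(body[6:6 + arg_cnt])
    pos = 6 + arg_cnt + msg_len + data_len
    if (status not in KNOWN_STATUS or len(arg_lens) != arg_cnt
            or pos + sum(arg_lens) != len(body)):
        raise ValueError("length/status mismatch: wrong shared key or corrupt packet")
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii", errors="replace"))
        pos += n
    avps = {}
    for a in args:
        sep = "=" if "=" in a else "*"           # "=" mandatory, "*" optional
        name, _, value = a.partition(sep)
        avps[name] = value
    return {"status": status, "seq_no": seq_no, "args": args, "avps": avps}


def try_parse(key, packet):
    """None when the packet cannot be decoded with this key."""
    try:
        return parse_author_reply(key, packet)
    except (ValueError, struct.error):
        return None


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    pkt = build_author_reply(key, 0x1A2B3C4D, 2, TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                             ["Aruba-Admin-Role=read-only"])
    print(pkt.hex())                      # attribute text is not visible here
    print(parse_author_reply(key, pkt))   # {'status': 1, ..., 'avps': {'Aruba-Admin-Role': 'read-only'}}
    print(try_parse(b"not-the-key", pkt)) # None (or garbage that fails the checks)
```

The `key` line in the AOS config and the shared secret on the server side are what feed `pseudo_pad`; when they differ, the controller still receives a well-formed header but the decoded body is noise, which is why a working key is the first thing to confirm when the role seen in the log does not match what the server sent.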

Guru Elite
Posts: 7,823
Registered: ‎09-08-2010

Re: TACACS for Management Users on Aruba Controller not matching VSA


You can try: 

 

show loginsessions

 

 

(south-7240-local1) #show loginsessions

Session Table
-------------
ID  User Name  User Role  Connection From  Idle Time  Session Time
--  ---------  ---------  ---------------  ---------  ------------
1   cappalli   root       129.x.x.x      00:00:00   00:23:17

 


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 68
Registered: ‎12-14-2012

Re: TACACS for Management Users on Aruba Controller not matching VSA

Interesting: after a reboot of the controller the read-only access restrictions are working.

Before, they were not.

But you can see that CPPM is sending back the right VSA (role).

 

 

 

----------  clip from cli ----------

 

(P3Controller1) #show loginsessions

Session Table
-------------
ID  User Name  User Role  Connection From  Idle Time  Session Time
--  ---------  ---------  ---------------  ---------  ------------
1   admin      root       EIA-232          00:00:00   00:00:31
2   itadmin    root       172.16.199.249   00:00:00   00:00:47

(P3Controller1) #show loginsessions

Session Table
-------------
ID  User Name  User Role  Connection From  Idle Time  Session Time
--  ---------  ---------  ---------------  ---------  ------------
1   admin      root       EIA-232          00:00:00   00:02:02
2   engineer   read-only  172.16.199.249   00:00:09   00:00:58

(P3Controller1) #show loginsessions

Session Table
-------------
ID  User Name  User Role  Connection From  Idle Time  Session Time
--  ---------  ---------  ---------------  ---------  ------------
1   admin      root       EIA-232          00:00:00   00:04:11
2   test       read-only  172.16.199.249   00:00:12   00:00:22

(P3Controller1) #

 

----------  end clip ---------
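
The two outputs used in this thread, show log security with authmgr/aaa debugging on and show loginsessions, are enough to confirm the symptom mechanically instead of by eye: the role the TACACS server returned per user against the User Role each session actually holds. Below is an added example, not code from this thread, Aruba or ClearPass. The log lines and the two session tables are constructed to mirror the thread's output; the "before" table is made up to show the reported symptom (a read-only user holding a root session), since that table was not posted. It assumes a role line applies to the most recent tac_author_pap_send for a mgmt user, which is how the posted log reads.

```python
"""Cross-check the role the TACACS server returned against the role each
management session actually got on the controller.

Added example; not code from the thread, Aruba or ClearPass. The log lines and
the two 'show loginsessions' tables are constructed to mirror the thread's
output (user names, addresses and timestamps reused as sample data).
"""
import re

# 'show log security' with authmgr/aaa debugging enabled. The role line carries
# no user name, so it is attributed to the most recent tac_author_pap_send.
AUTHOR_SEND_RE = re.compile(
    r"tac_author_pap_send: user '(?P<user>[^']+)'\(mgmt user\)")
ROLE_RE = re.compile(r"tac_author_pap_read: Aruba-Admin-Role: (?P<role>\S+)")

SAMPLE_SECURITY_LOG = """\
Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:270] tac_author_pap_send: user 'itadmin'(mgmt user), tty 'tty0', rem_addr '172.16.199.165', encrypt: yes
Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:556] Total 1 args in author response
Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:574] tac_author_pap_read: authorization ok
Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:581] tac_author_pap_read: Aruba-Admin-Role: root
Jan 21 05:35:40 :126005:  <WARN> |wms| |ids| Interfering AP: unrelated noise in the same log (constructed)
Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:270] tac_author_pap_send: user 'engineer'(mgmt user), tty 'tty0', rem_addr '172.16.199.165', encrypt: yes
Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:574] tac_author_pap_read: authorization ok
Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:581] tac_author_pap_read: Aruba-Admin-Role: read-only
"""

# Constructed: before the reboot the read-only user holds a root session
# (the symptom reported in the thread); after it the roles line up.
LOGINSESSIONS_BEFORE = """\
Session Table
-------------
ID  User Name  User Role  Connection From  Idle Time  Session Time
--  ---------  ---------  ---------------  ---------  ------------
1   admin      root       EIA-232          00:00:00   00:00:31
2   itadmin    root       172.16.199.249   00:00:00   00:00:47
3   engineer   root       172.16.199.249   00:00:09   00:00:58
"""

LOGINSESSIONS_AFTER = """\
Session Table
-------------
ID  User Name  User Role  Connection From  Idle Time  Session Time
--  ---------  ---------  ---------------  ---------  ------------
1   admin      root       EIA-232          00:00:00   00:02:02
2   engineer   read-only  172.16.199.249   00:00:09   00:00:58
"""


def roles_from_security_log(text):
    """Return {user: role} as sent by the TACACS server, per the debug log."""
    roles, pending = {}, None
    for line in text.splitlines():
        m = AUTHOR_SEND_RE.search(line)
        if m:
            pending = m.group("user")
            continue
        m = ROLE_RE.search(line)
        if m and pending:
            roles[pending] = m.group("role")
            pending = None
    return roles


def sessions_from_loginsessions(text):
    """Parse the fixed-column table: data rows start with a numeric ID."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0].isdigit():
            sessions.append({"id": int(parts[0]), "user": parts[1],
                             "role": parts[2], "from": parts[3]})
    return sessions


def find_role_mismatches(log_text, loginsessions_text):
    """(user, role TACACS sent, role the session has) for every disagreement.
    Sessions for users with no TACACS authorization in the log (e.g. the
    local 'admin' on the console) are skipped; there is nothing to compare."""
    sent = roles_from_security_log(log_text)
    return [(s["user"], sent[s["user"]], s["role"])
            for s in sessions_from_loginsessions(loginsessions_text)
            if s["user"] in sent and s["role"] != sent[s["user"]]]


if __name__ == "__main__":
    for label, table in (("before reboot", LOGINSESSIONS_BEFORE),
                         ("after reboot", LOGINSESSIONS_AFTER)):
        for user, sent, got in find_role_mismatches(SAMPLE_SECURITY_LOG, table):
            print(f"{label}: {user} was sent {sent!r} but session role is {got!r}")
```

Run against real output, a non-empty result means the server did its part (the AVP arrived) and the controller did not apply it, which is the distinction the original question was trying to draw between Access Tracker and what the controller enforces.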

New Contributor
Posts: 1
Registered: ‎04-02-2015

Re: TACACS for Management Users on Aruba Controller not matching VSA

I'm also facing the same issue but with a Cisco ACS server. On Aruba controllers the user is getting root access only. Apart from a reboot, is there any other way to solve this issue?


kkutz@kutztraining.com wrote:

Interesting: after a reboot of the controller the read-only access restrictions are working.

Before, they were not.

But you can see that CPPM is sending back the right VSA (role).



 
