Occasional Contributor I
Posts: 6
Registered: ‎12-19-2012

TACACS with ClearPass Policy Manager

Hey there,

So, I am using CPPM for TACACS+ authentication with our Cisco infrastructure... Works great... I can configure CPPM to place me either into user EXEC mode or privileged EXEC mode directly with no issues... Authenticates with AD perfectly... I was curious though, if anyone knows how to configure ClearPass Policy Manager to be used for the enable password on, say, a Cisco switch...? On a Cisco switch I would configure this AAA line:

aaa authentication enable default group tacacs+ local

Per the above config, the Cisco switch will forward enable mode password requests to CPPM, but where in CPPM do I enable it to accept this? I can see under "Devices" there is a tab for CLI that has an Enable Password section, but I don't think that is the correct way to configure this...

Thanks in advance!!

Occasional Contributor I
Posts: 6
Registered: ‎12-19-2012

Re: TACACS with ClearPass Policy Manager

FYI, we are running CPPM 5.2...

Thanks!

Guru Elite
Posts: 20,348
Registered: ‎03-29-2007

Re: TACACS with ClearPass Policy Manager

Edit:

Nevermind. Wrong answer.

To clarify, you want to forward the Enable Password Request to CPPM so that CPPM responds with the enable password?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba
Posts: 1,636
Registered: ‎04-13-2009

Re: TACACS with ClearPass Policy Manager

I had seen this setup with FreeRADIUS outside of CPPM at one time, and I seem to remember a username being created in a local DB (the username would show up in that failed request in Access Tracker) with a password of the enable password. When you enable the above command on the Cisco side, what do you see in Access Tracker for that failed attempt? It should show you a username logon attempt; does it show a service type of Nas-Prompt-User?

If you can get this from a failed attempt in Access Tracker, maybe you can then create a Service around that user/service type and a corresponding Enforcement Profile of type TACACS+ Based Enforcement, returning a Privilege Level of 15 and Selected Services as Shell. Again, I have not done this before, but I am just trying to match up CPPM to a traditional FreeRADIUS configuration.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I
Posts: 6
Registered: ‎12-19-2012

Re: TACACS with ClearPass Policy Manager

To answer cjoseph, yes, you are correct... I want CPPM to be used for sending Cisco infrastructure authentication on to AD, and I also want CPPM to authenticate the enable password (via a local account, like clembo said) if possible...

Thanks clembo for your great points... here is what I see in CPPM after entering the enable password on a Cisco switch with the AAA command above configured:

Incorrect password for user='xxx' @ Active Directory(dc.ourdomain.com).
Failed to authenticate user=xxx

So it looks like CPPM is matching the enable password authentication request to the same rule that is used for AD authentication... Would I need to create another Service (above the AD service), like you said clembo, and have that refer the enable password request to a local account?

Thanks for your help!

Occasional Contributor I
Posts: 6
Registered: ‎12-19-2012

Re: TACACS with ClearPass Policy Manager

One more clarification... when I authenticate to a Cisco switch, it matches correctly on the TACACS AD auth rule and I get into the switch... I then try to go into enable mode and, whereas in the previous post I tried using the local enable password, I just now tried using my AD password for the enable password, and this is what it said in the log:


Authentication Request Messages
Error Category:  Tacacs authentication
Error Code:  Authentication privilege level mismatch

Alerts for this Request :
Tacacs server Requested priv_level= greater than Max Allowed priv_level=

Any ideas?

Occasional Contributor I
Posts: 6
Registered: ‎12-19-2012

Re: TACACS with ClearPass Policy Manager

Sorry for the repeated postings... But I thought I should clarify: I would prefer that the enable password is local to CPPM versus using my AD password...

Thanks!

Occasional Contributor I
Posts: 6
Registered: ‎12-19-2012

Re: TACACS with ClearPass Policy Manager

Any other ideas? I am able to get the enable password authentication request to work through CPPM; alas, it is my AD password, which I just entered for user-mode authentication... So, currently, I can authenticate via CPPM and also authenticate the enable PW through CPPM, but I don't want the enable password to be derived from AD. I want the enable PW to be a local account on CPPM instead, thus making it A) more secure, since it is a different PW than my AD one, and B) not the local (to the device) enable PW, since if I want to change the enable PW, I wouldn't have to do it on each individual device; I could just go into CPPM and change it once for everything... Does that make sense?

When I watch the logs when I authenticate with the enable PW, it shows an authentication request that looks identical to the initial username/password authentication on the switch... So, I am not sure how, or if, I could create a separate service that would somehow catch the enable authentication part and point it to a local username/password...

Thanks for your help!
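The thing both clembo's Access Tracker question and the "looks identical" observation above are probing is whether the enable prompt is distinguishable from the login on the wire. In TACACS+ (RFC 8907) the authentication START packet carries an authen_service field (LOGIN = 1 for the user prompt, ENABLE = 2 for the enable prompt) next to the requested priv_lvl, so a policy engine that exposes that field can route enable requests to a separate local account. The Python below is an added example, not ClearPass code or anything from this thread: it builds the START packet a NAS would send, de-obfuscates it server-side with the RFC's chained-MD5 pad, and applies a hypothetical routing rule; the shared key, session id, usernames and the route_request policy are constructed assumptions.

```python
import hashlib
import struct

# Standard TACACS+ values from RFC 8907 (not values taken from the thread).
TAC_PLUS_AUTHEN = 0x01             # header type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # ordinary user login prompt
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02  # "enable" password prompt
VERSION = 0xC0                     # major 0xC, minor 0

def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained-MD5 pad of RFC 8907 section 4.5 used to obfuscate the packet body."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]

def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body (XOR with the pad is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user, port, rem_addr, service, priv_lvl, session_id, key):
    """NAS side: build the authentication START packet for a login or enable prompt."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       service, len(u), len(p), len(r), 0) + u + p + r
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, VERSION, 1)

def parse_authen_start(packet, key):
    """Server side: strip the 12-byte header, de-obfuscate, and read the START fields."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = xor_body(packet[12:12 + length], session_id, key, version, seq_no)
    _action, priv_lvl, _atype, service, ulen, plen, rlen, _dlen = struct.unpack("!8B", body[:8])
    off = 8
    user = body[off:off + ulen].decode(); off += ulen
    port = body[off:off + plen].decode(); off += plen
    rem_addr = body[off:off + rlen].decode()
    return {"user": user, "port": port, "rem_addr": rem_addr,
            "service": service, "priv_lvl": priv_lvl}

def route_request(req):
    """Hypothetical policy: enable prompts go to a local enable account, logins to AD."""
    if req["service"] == TAC_PLUS_AUTHEN_SVC_ENABLE:
        return "local-enable-account"
    return "active-directory"
```

Whether a given policy server lets you match on the service field (or on the requested privilege level) is product-specific; the thread does not establish it for CPPM 5.2, so check what Access Tracker actually records for the enable attempt before building a service around it.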

Guru Elite
Posts: 20,348
Registered: ‎03-29-2007

Re: TACACS with ClearPass Policy Manager

Okay. Let's be clear:

What is the purpose of a machine entering an enable password if you don't want someone to have exec privileges?

Everyone that is in an AD group that you want to have Exec privileges, just let CPPM return privilege 15. Everybody else, do not, and just allow them to have a subset of privileges. That way nobody knows the enable password. What else do you want to accomplish, and how many levels do you want to enforce?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 32
Registered: ‎06-30-2009

Re: TACACS with ClearPass Policy Manager

eyeofthebeholder,

Sorry, I can't answer your question. More or less I am trying to get to where you are at now. We are trying to do a PoC on using ClearPass TACACS as an ACS replacement. I do not see too many detailed guides to the TACACS service config. Just some general stuff on the features but no REAL examples.

The enforcement profiles & policies are very "grey" when it comes to info on TACACS, so I am curious what you set up?

Can you share some of your setup steps to help me along?

Thanks
