
Occasional Contributor I
Posts: 6
Registered: ‎06-05-2012

Using CPPM for TACACS Authentication of Cisco Devices


Hi All,

We would like to use our ClearPass server, connected to our AD, to do TACACS authentication for our Cisco switches and routers.


I have followed the guide here:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Configuring-TACACS-on-ClearPass-for-Cisco-switches/m-p/207431#M15726


But I have some questions:

1. Where should I define the Cisco switches' IPs?

  • in the enforcement service rule, as I have done below
  • or in the enforcement profile's device group list

2. In our Cisco switches I have to configure a TACACS key, but I cannot find anywhere in the guide where it will be configured in our ClearPass.

3. We want to define in our ClearPass the list of AD IDs allowed to access the switches.

  • Do I have to add one enforcement policy rule for each username?
  • Or is there another way I can do it?


Configuration done in our ClearPass server:

Created Enforcement Profile
Created Enforcement Policy
Created Enforcement Policy Rule -> Authorization:XXX-AD:UserDN CONTAINS rowell

Created TACACS+ Enforcement Service
Added TACACS+ Enforcement Service Rule -> Connection:NAD-IP-Address EQUALS x.x.x.x
Added Authentication Sources: XXX-AD
Added Enforcement Policy


Thanks and more power to all.

Guru Elite
Posts: 8,196
Registered: ‎09-08-2010

Re: Using CPPM for TACACS Authentication of Cisco Devices

1+2) Both the IP and key go under Configuration > Network > Devices. You add each one in with its IP and key.

3) Use role mapping to map groups/OUs, etc. to TACACS TIPS roles. Then reference those TIPS roles in your enforcement policy. There are built-in TIPS roles you can use; just build a role map for them.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor I
Posts: 6
Registered: ‎06-05-2012

Re: Using CPPM for TACACS Authentication of Cisco Devices

Thanks for the quick reply.

After creating the device(s), shall I create a device group and add it to the enforcement profile's device group list? (Configuration » Enforcement » Profiles » Edit Enforcement Profile » Device Group List)

Or add it where?

Regular Contributor II
Posts: 229
Registered: ‎09-11-2013

Re: Using CPPM for TACACS Authentication of Cisco Devices

Let me know, Santi, if this TACACS works for you. It isn't working for me: ClearPass only gives priv level 15 regardless of what I put in the policy. I.e. I have it where, if you are a member of the AD Domain Admins group, the profile is "priv 15", and if you are a member of the AD helpdesk group then you get the "priv 1" profile, but so far both group members are getting priv level 15 when logging in to a Cisco switch.

Tried a couple of things but can't get ClearPass to push back priv levels to the switch.

Guru Elite
Posts: 20,584
Registered: ‎03-29-2007

Re: Using CPPM for TACACS Authentication of Cisco Devices


--santi-- wrote:

    Thanks for the quick reply.

    After creating the device(s), shall I create a device group and add it to the enforcement profile's device group list? (Configuration » Enforcement » Profiles » Edit Enforcement Profile » Device Group List)

    Or add it where?


Santi,

 

Please look at the ASE configuration here:  https://ase.arubanetworks.com/solutions/id/80



Colin Joseph
Aruba Customer Engineering
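As an added example (not from the original thread, and not an Aruba or Cisco reference configuration), here is the switch side that matches Tim's answer above about the device IP and key, and that also covers the privilege-level question raised later in the thread: the server address and key on the switch must be the same pair entered for that device under Configuration > Network > Devices, and it is the `aaa authorization exec` line that makes IOS apply the priv-lvl carried in ClearPass's shell authorization reply (the privilege level set in the TACACS+ enforcement profile). The address 10.0.0.10, the key string, the server-group name CPPM, the VLAN interface and the local account are placeholders to be replaced.

```cisco
! Cisco IOS TACACS+ towards ClearPass. Added example; every value below is a placeholder.
aaa new-model
!
! Server definition. Address and key must match the device entry created in
! ClearPass under Configuration > Network > Devices for this switch.
tacacs server CPPM-1
 address ipv4 10.0.0.10
 key 0 ReplaceWithTheClearPassDeviceKey
 timeout 5
!
aaa group server tacacs+ CPPM
 server name CPPM-1
!
! Source TACACS+ traffic from a fixed interface so the NAD-IP-Address that
! ClearPass sees is the one configured on the device entry (and in any
! Connection:NAD-IP-Address service rule).
ip tacacs source-interface Vlan10
!
! Login: ask ClearPass first; fall back to the local database only when no
! server answers (a rejected login does NOT fall back).
aaa authentication login default group CPPM local
!
! Exec authorization applies the priv-lvl returned by the ClearPass TACACS+
! enforcement profile (Shell service). Without this line the session gets the
! line's own privilege level, whatever the profile says.
aaa authorization exec default group CPPM local
!
! Optional: per-command authorization and accounting for an audit trail.
aaa authorization commands 15 default group CPPM local
aaa accounting exec default start-stop group CPPM
aaa accounting commands 15 default start-stop group CPPM
!
! Local break-glass account, usable only while every ClearPass server is unreachable.
username breakglass privilege 15 secret ReplaceWithAStrongLocalPassword
!
line vty 0 15
 login authentication default
 authorization exec default
 transport input ssh
```

Two checks before trusting it: first, `test aaa group CPPM <user> <password> new-code` from enable mode reports whether the switch can reach ClearPass and whether the key matches (a wrong shared key shows up as a failure here and as a decode error in the ClearPass Access Tracker), and `debug tacacs` shows the priv-lvl attribute actually returned. Second, when everyone lands at priv 15 as in the report above, confirm that the two enforcement profiles differ in their privilege level and that the policy's rule order and evaluation setting (first applicable vs. all) pick the intended one; `show privilege` after login shows what the switch applied. Console sessions need `aaa authorization console` in addition to the lines above.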
