Authenticate Cisco Prime via ClearPass

Guest Blogger

In multi-vendor environments, successful interoperation is a major concern for customers. It is vital that products work together: the networking equivalent of ‘everyone play nicely together’ for the good of all. Happily, this blog details one such case of harmonious living, namely between Aruba ClearPass and Cisco Prime.

When using Cisco Prime you have the option to configure authentication against a remote AAA server via RADIUS or TACACS+. I configured Cisco Prime to use Aruba ClearPass as the remote AAA server, based on the TACACS+ protocol. The configuration of an AAA server in Cisco Prime is very straightforward.

Configure the AAA Mode Setting under Administration / Users / Users, Role & AAA / AAA Mode Settings to enable TACACS+ authentication.

enable-tacacs.png

The next step is adding Aruba ClearPass as a TACACS+ server via the menu option Administration / Users / Users, Role & AAA / TACACS+ Servers.

add-tacacs-server.png

Of course, you need to add the Cisco Prime appliance as a NAD device to your ClearPass configuration, so that Prime and ClearPass are able to communicate via TACACS+. I configured a TACACS+ service in ClearPass which uses Active Directory as the authentication source and a Role Mapping that maps the "Prime Administrator" AD security group to the role [Cisco Prime]. At first I configured a simple TACACS+ Enforcement Profile: the same Enforcement Profile I also use to enforce privilege level 15 on switches and routers.

priv-15.png

Authentication will fail at this point. In the Access Tracker I get the following error message: "Tacacs service=NCS:HTTP not enabled". The Cisco Prime login screen shows the following error message.

cisco-prime-login-error.png

I created a new Enforcement Profile and selected the TACACS+ service NCS:HTTP. Now I see an Access Granted in the Access Tracker, but I still get the same error message on the Cisco Prime website. After some digging in Cisco Prime I noticed that Cisco Prime needs to receive TACACS+ attributes from the AAA server to grant access and to assign privileges and tasks to the user.

First you need to get the TACACS+ attributes from the Virtual Domain configuration. In the menu navigate to Administration / Users / Virtual Domains. In the upper right corner you have the option to “Export Custom Attributes”.

cisco-prime-virtual-domain-export.png

These attributes need to be configured in ClearPass.

Note that you also need to configure these attributes if you would like to use RADIUS as the authentication protocol.

You also need to add the attributes from the user group. Navigate to Administration / Users / Users, Role & AAA / User Groups and click the “Task List” option next to the User Group you would like to use. I use Root in this example.

cisco-prime-user-group-export.png

The User Group Root contains 194 tasks, which need to be added to the Enforcement Profile in ClearPass. Below you see a snippet from the Enforcement Profile configuration.

cisco-prime-enf-profile.png

Adding all of these attributes to the Enforcement Profile assigns the correct authorization to your administrator users in Cisco Prime.
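Because ClearPass reports Access Granted even when the returned attribute set is incomplete, it pays to check the profile against Prime's own export before testing logins. The following Python helper is an added example, not code from the post or from either product; it assumes the exported lines have the form NCS:&lt;kind&gt;&lt;index&gt;=&lt;value&gt; (NCS:virtual-domain0, NCS:role0, NCS:taskN), and the task names and sample inputs are constructed for the demo.

```python
import re

# Constructed sample of the lines Cisco Prime produces under "Export Custom
# Attributes" and "Task List". NCS:taskN naming and task names are assumptions.
PRIME_EXPORT = """\
NCS:virtual-domain0=ROOT-DOMAIN
NCS:role0=Admin
NCS:task0=Device Work Center
NCS:task1=Monitor Menu Access
NCS:task2=Alarms
"""

# Constructed: what a hand-built ClearPass Enforcement Profile returns. One task
# was never copied and one index was reused, yet the Access Tracker shows a grant.
PROFILE_ATTRS = """\
NCS:virtual-domain0=ROOT-DOMAIN
NCS:role0=Admin
NCS:task0=Device Work Center
NCS:task0=Alarms
"""

ATTR_RE = re.compile(r"^NCS:(virtual-domain|role|task)(\d+)=(.+)$")

def parse_ncs(text):
    """Parse NCS attribute lines into (kind, index, value); reject anything else."""
    parsed = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"not a Cisco Prime NCS attribute: {line!r}")
        parsed.append((m.group(1), int(m.group(2)), m.group(3)))
    return parsed

def check_profile(export_text, profile_text):
    """List every way the enforcement profile falls short of what Prime exported."""
    expected, actual = parse_ncs(export_text), parse_ncs(profile_text)
    problems = []
    # Prime needs a role and a virtual domain before any task is considered.
    for kind in ("virtual-domain", "role"):
        if not any(k == kind for k, _, _ in actual):
            problems.append(f"missing mandatory attribute NCS:{kind}0")
    want = {v for k, _, v in expected if k == "task"}
    have = {v for k, _, v in actual if k == "task"}
    problems += [f"task not returned by profile: {t}" for t in sorted(want - have)]
    problems += [f"profile returns task unknown to Prime: {t}" for t in sorted(have - want)]
    # The same NCS:<kind>N index twice means one value was pasted over another.
    seen, dups = set(), set()
    for k, i, _ in actual:
        (dups if (k, i) in seen else seen).add((k, i))
    problems += [f"duplicate attribute index NCS:{k}{i}" for k, i in sorted(dups)]
    return problems
```

Run check_profile against the real export and the attribute list pasted from your profile; an empty result means every task, the role and the virtual domain are present exactly once.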

To make it easy, I exported the Enforcement Profile including all the 194 tasks for the Root User Group. You can download the Enforcement Profile in PDF format below. Just save the profile as XML and import the profile into ClearPass and you are good to go!!!

Comments
Frequent Contributor II

It is much easier to authenticate Cisco Prime using RADIUS instead of TACACS+.

The Enforcement Profile only needs to reference the Prime role & domain.

For example,

1. Radius:Cisco:Cisco-AVPair = NCS:role0=Admin
2. Radius:Cisco:Cisco-AVPair = NCS:virtual-domain0=ROOT-DOMAIN