Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba wireless controller TACACS to Cisco ISE for admin authentication

  • 1.  Aruba wireless controller TACACS to Cisco ISE for admin authentication

    Posted Sep 17, 2018 03:50 PM

    Anyone have a how-to to configure an Aruba wireless controller admin authentication via TACACS to Cisco ISE?



  • 2.  RE: Aruba wireless controller TACACS to Cisco ISE for admin authentication

    EMPLOYEE
    Posted Sep 18, 2018 04:48 AM

     

    I don't have access to ISE, but the workflow should be similar to what you should do with ClearPass to set up a TACACS+ service. That is described in the TechNote Configuring a TACACS+ Service, which can be found on the support website under ClearPass Tech Notes.

     

    Then, what isn't in the Tech Note is the contents of the actual enforcement, as that is preconfigured in ClearPass.

     

    To return the root role via TACACS+ you will need the following information:

    [ArubaOS Wireless - TACACS Root Access] Services:
    Privilege Level:             15
    Selected Services:           1. Aruba:Common
    Authorize Attribute Status:  ADD
    Custom Services:             -
    Service Attributes:

       Type          Name              =  Value
    1. Aruba:Common  Aruba-Admin-Role  =  root

     

     

    For Read-only access: it is the same, but instead of root, return the value read-only:

     
       Type          Name              =  Value
    1. Aruba:Common  Aruba-Admin-Role  =  read-only

    Please share what you had to do if you are able to make this work.



  • 3.  RE: Aruba wireless controller TACACS to Cisco ISE for admin authentication

    Posted Jan 24, 2019 09:04 AM

    I think the poster was looking more for CLI and/or webui sections for configuration.  I have done the Cisco side a few times and I was hoping to find similar documentation but AOS is slightly different thus the hard time translating Cisco IOS to AOS.  

    ******EDITED******

    *****This is the correct model for Authentication using Cisco ISE

    ******EDITED******

     

    aaa new-model
    aaa group server tacacs+ ISE
     server name ISE1
     server name ISE2
    aaa authen login default group tacacs+ local
    tacacs server ISE1
     address ipv4 x.x.x.x
     key aruba

    Aruba config ?

    aaa authen mgmt
     enable
     server-group ISE

    aaa authentication-server tacacs ISE1
     enable
     host x.x.x.x
     key aruba
     session-authorization   ****** this is required for authorization

    aaa authentication-server tacacs ISE2
     enable
     host x.x.x.x
     key aruba
     session-authorization   ****** this is required for authorization

    aaa server-group ISE
     allow-fail-through
     auth-server ISE1 position 1
     auth-server ISE2 position 2
     auth-server internal position 3

     

     

    ******EDITED******

    *****The correct TACACS profile for Authorization on Cisco ISE is captured in the attachments.*****  

    Default builtin Aruba roles:

    root                Super user role
    read-only           Read only commands
    location-api-mgmt   location-api-mgmt
    network-operations  network-operations
    guest-provisioning  guest-provisioning
    no-access           Default role, no commands are accessible for this role

     

    NOTES: DO NOT ADD THE ROOT ROLE TO YOUR ROOT USER.  THIS WILL PASS AUTHENTICATION AND AUTHORIZATION BUT FAIL TO LOG YOU INTO THE DEVICE.  KEEP IT WITH THE DEFAULT SETTINGS.  USE THE "SHOW LOGINSESSIONS" COMMAND TO VERIFY YOU ARE ASSIGNED THE PROPER ROLE.

     

    DON'T FORGET TO ADD YOUR TEST USER INTO THE USER GROUP ASSOCIATED WITH THE AUTHORIZATION.

    ******EDITED******
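
An added example, not part of the original posts: a small Python lint that checks a saved controller config excerpt for the points this thread calls out (management authentication enabled, `session-authorization` on every TACACS+ server in the management server-group, and an `internal` fallback). The function names and the sample config are constructed for illustration; the stanza keywords are the ones shown in the post above, and both `aaa authen mgmt` and `aaa authentication mgmt` are accepted.

```python
import re

# Constructed sample: ISE2 lacks session-authorization, group has no internal fallback.
SAMPLE = """\
aaa authentication mgmt
    enable
    server-group ISE
aaa authentication-server tacacs ISE1
    enable
    session-authorization
aaa authentication-server tacacs ISE2
    enable
aaa server-group ISE
    auth-server ISE1 position 1
    auth-server ISE2 position 2
"""

def parse_stanzas(text):
    # Group each line under the most recent top-level "aaa ..." header.
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line.startswith("aaa "):
            current = stanzas.setdefault(line, [])
        elif line and current is not None:
            current.append(line)
    return stanzas

def lint_mgmt_tacacs(text):
    # Hypothetical helper: returns findings for the admin-login TACACS+ path.
    st = parse_stanzas(text)
    mgmt = next((v for k, v in st.items() if re.fullmatch(r"aaa authen\w* mgmt", k)), None)
    if mgmt is None or "enable" not in mgmt:
        return ["mgmt authentication is not enabled"]
    group = next((l.split()[1] for l in mgmt if l.startswith("server-group ")), None)
    members = st.get(f"aaa server-group {group}")
    if members is None:
        return [f"server-group {group} used by mgmt auth is not defined"]
    servers = [l.split()[1] for l in members if l.startswith("auth-server ")]
    findings = []
    for name in (s for s in servers if s != "internal"):
        body = st.get(f"aaa authentication-server tacacs {name}")
        if body is None or "enable" not in body:
            findings.append(f"{name}: TACACS+ server missing or not enabled")
        elif "session-authorization" not in body:
            findings.append(f"{name}: session-authorization missing")
    if "internal" not in servers:
        findings.append(f"{group}: no internal fallback server")
    return findings
```

It only looks up TACACS+ server definitions, so a RADIUS server in the same group would be reported as missing.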