Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

NAD TACACS Access with CPPM

  • 1.  NAD TACACS Access with CPPM

    Posted Jul 19, 2017 12:49 PM

    Hi guys,

     

    I am trying to access my controller with a TACACS account, using ClearPass. I have configured the service in CPPM and on my controller, but it is still not working. This is the configuration on my controller:

    [screenshot: config_admin.PNG]

    [screenshot: servergroup.PNG]

     

    I don't know why my ClearPass TACACS server is marked as "Out of Service".

    In the Access Tracker I have a service rejected with the following cause:

    [screenshot: cppmside.PNG]

    [screenshot: cppmsidea.PNG]

     

    It shows the protocol is RADIUS and not TACACS. Any clue?

     

    Regards,

    Julián



  • 2.  RE: NAD TACACS Access with CPPM

    EMPLOYEE
    Posted Jul 19, 2017 01:02 PM

    You have multiple problems:

     

    - You should only have the ClearPass TACACS server in your server group.

    - The ClearPass TACACS server is showing out of service because you probably did not set a TACACS+ key in ClearPass under Network > Devices > Aruba Controller.

    - For now, your "Default Role" on the controller should be root, because you are not returning any aruba-admin-user RADIUS attribute.  Any authentication by a RADIUS server that does not return that attribute gets the default role (no access).  You can lock that down when you get authentication working.



  • 3.  RE: NAD TACACS Access with CPPM

    Posted Jul 19, 2017 01:28 PM

    Hi Colin,

     

    I have left only the ClearPass TACACS server in the server group. I had already set a TACACS+ key for my controller in CPPM, but I have reconfirmed it. And I changed the Default Role to root for my controller.

    Now when I access my controller using my TACACS credentials it shows "Log In failed" as before, but now I see no service at all in the Access Tracker for that access.

     

    Regards,

    Julián



  • 4.  RE: NAD TACACS Access with CPPM

    EMPLOYEE
    Posted Jul 19, 2017 02:16 PM

    Does the TACACS server still register as out of service?  The controller might not try if that is the case....



  • 5.  RE: NAD TACACS Access with CPPM

    Posted Jul 19, 2017 03:15 PM

    No, I have created a new Server Group with only the TACACS server and it is not out of service. Look at the configuration:

    [screenshot: servergroup2.PNG]
    [screenshot: config_admin2.PNG]

     

    I don't know what is happening. Maybe with a debug command we can see what is happening?

     

    Regards,

    Julián



  • 6.  RE: NAD TACACS Access with CPPM

    EMPLOYEE
    Posted Jul 19, 2017 04:08 PM

    You should look in the Access Tracker and see if you see anything that would indicate what the problem is.  You should also look at Monitoring > Event Viewer in ClearPass to see if the key is mismatched or it is receiving the authentication on an unexpected interface.



  • 7.  RE: NAD TACACS Access with CPPM

    Posted Jul 19, 2017 04:20 PM

    That's the problem: there is no service or event related to a TACACS request in either the Access Tracker or the Event Viewer now. It seems like the controller doesn't send any request to ClearPass. Because of that I wonder if there is any debug command to be issued on the controller to see if the controller is sending requests to ClearPass.

     

    Regards,

    Julián
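The two questions raised in the last two replies (is the shared key mismatched, and is the controller sending anything at all) can be made concrete with a toy TACACS+ exchange. The following is an added example, not code from this thread or from HPE Aruba Networking or ClearPass. It implements the RFC 8907 header, the MD5 pseudo-pad body obfuscation and one PAP START/REPLY round trip between a simulated NAD and a simulated server; the keys, the user database, the addresses and the session ID are constructed for the demonstration. The point it shows is that a shared-secret mismatch does not produce a clean "bad key" error on the wire: the header is cleartext so both sides can still read it, but the body de-obfuscates to pseudo-random bytes and fails to parse, so the failure surfaces as an undecodable request on the server side rather than as a rejected authentication.

```python
"""Toy TACACS+ (RFC 8907) PAP login exchange between a simulated NAD and a
simulated server. Added example, not code from the thread or from HPE Aruba
Networking; keys, users, addresses and the session ID are constructed."""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
VERSION_PAP = 0xC1                 # major 0xC, minor 1 (RFC 8907 requires minor 1 for PAP)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x02, 0x01
STATUS_PASS, STATUS_FAIL, STATUS_ERROR = 0x01, 0x02, 0x07


def obfuscate(body: bytes, session_id: int, version: int, seq_no: int, key: bytes) -> bytes:
    """XOR the body with the MD5 pseudo-pad of RFC 8907 section 4.5.
    The operation is symmetric, so the same call de-obfuscates."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    header = HEADER.pack(VERSION_PAP, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, VERSION_PAP, seq_no, key)


def parse_packet(packet: bytes, key: bytes):
    """Split header from body and de-obfuscate the body with *our* key.
    The header is cleartext, so this succeeds even when the two keys differ."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, version, seq_no, key)
    return seq_no, session_id, body


def authen_start(user: str, password: str, port: str = "ssh", rem_addr: str = "192.0.2.10") -> bytes:
    """Authentication START body; with PAP the password travels in the data field."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    fixed = bytes([AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN,
                   len(u), len(p), len(r), len(d)])
    return fixed + u + p + r + d


def parse_authen_start(body: bytes):
    if len(body) < 8:
        raise ValueError("short START body")
    _action, _priv, atype, _svc, ul, pl, rl, dl = body[:8]
    if atype != AUTHEN_TYPE_PAP or 8 + ul + pl + rl + dl != len(body):
        # A wrong shared secret turns the body into pseudo-random bytes; this is
        # the first place it shows, because the length fields no longer add up.
        raise ValueError("START body does not parse: shared-secret mismatch or corruption")
    user = body[8:8 + ul]
    password = body[8 + ul + pl + rl:8 + ul + pl + rl + dl]
    return user.decode(errors="replace"), password.decode(errors="replace")


def authen_reply(status: int, server_msg: bytes = b"") -> bytes:
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def parse_authen_reply(body: bytes):
    if len(body) < 6:
        raise ValueError("short REPLY body")
    status, _flags, sm_len, d_len = struct.unpack_from("!BBHH", body)
    if 6 + sm_len + d_len != len(body):
        raise ValueError("REPLY body does not parse: shared-secret mismatch or corruption")
    return status, body[6:6 + sm_len]


def tacacs_server(packet: bytes, server_key: bytes, users: dict) -> bytes:
    """Simulated server; its key plays the role of the secret ClearPass holds for the device."""
    seq_no, session_id, body = parse_packet(packet, server_key)
    try:
        user, password = parse_authen_start(body)
    except ValueError as exc:
        reply = authen_reply(STATUS_ERROR, str(exc).encode())
    else:
        reply = authen_reply(STATUS_PASS if users.get(user) == password else STATUS_FAIL)
    return build_packet(seq_no + 1, session_id, reply, server_key)


def nad_login(user: str, password: str, nad_key: bytes, server_key: bytes,
              users: dict, session_id: int = 0x1A2B3C4D) -> str:
    """Simulated NAD (the controller): one PAP START, one REPLY, one verdict."""
    request = build_packet(1, session_id, authen_start(user, password), nad_key)
    response = tacacs_server(request, server_key, users)
    try:
        _, _, body = parse_packet(response, nad_key)
        status, _msg = parse_authen_reply(body)
    except ValueError:
        return "UNREADABLE"  # a reply de-obfuscated with the wrong key is garbage
    return {STATUS_PASS: "PASS", STATUS_FAIL: "FAIL", STATUS_ERROR: "ERROR"}.get(status, "UNKNOWN")


if __name__ == "__main__":
    users = {"julian": "correct-horse"}  # constructed user database
    print(nad_login("julian", "correct-horse", b"s3cret", b"s3cret", users))  # PASS
    print(nad_login("julian", "wrong", b"s3cret", b"s3cret", users))          # FAIL
    print(nad_login("julian", "correct-horse", b"s3cret", b"typo", users))    # UNREADABLE
```

The third call is the shared-secret mismatch case: the server receives a well-formed header, cannot make sense of the body, and answers with an ERROR reply that the NAD in turn cannot decode, so neither side ever sees a PASS or FAIL. That is a different failure mode from the "Out of Service" symptom in the thread, which is about reachability: before looking at keys it is worth confirming that the controller can open a TCP connection to the TACACS+ port on ClearPass at all (49 by default, as the reply above points out), since a server the controller cannot reach never gets a request to reject.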



  • 8.  RE: NAD TACACS Access with CPPM

    EMPLOYEE
    Posted Jul 19, 2017 04:29 PM

    What port do you have defined for the TACACS server on the Aruba controller?



  • 9.  RE: NAD TACACS Access with CPPM

    Posted Jul 19, 2017 04:32 PM

    The default, TCP 49. I have also tried changing it to 4949, but it still doesn't work.

     

    Regards,

    Julián



  • 10.  RE: NAD TACACS Access with CPPM

    EMPLOYEE
    Posted Jul 19, 2017 04:35 PM

    Please open a TAC case.



  • 11.  RE: NAD TACACS Access with CPPM

    Posted Jul 19, 2017 05:47 PM

    I will. It is very weird, because it seems the TACACS server is out of service even though the controller GUI doesn't show that:

    [screenshot: outofservicelog.PNG]

     

    Many thanks anyway!

     

    Regards,

    Julián



  • 12.  RE: NAD TACACS Access with CPPM

    EMPLOYEE
    Posted Jul 19, 2017 05:51 PM

    Go into the TACACS server definition on the controller.  Edit it, change it to disabled, click Apply, then enable it again and click Apply.



  • 13.  RE: NAD TACACS Access with CPPM

    Posted Jul 19, 2017 06:10 PM

    Same results, I will open a TAC case. Thanks!

     

    Regards,

    Julián