Wireless Access

Super Contributor I

NAD TACACS Access with CPPM

Hi guys,

I am trying to access my controller with a TACACS account using ClearPass. I have configured the service in CPPM and on my controller, but it is still not working. This is the configuration on my controller:

config_admin.PNG

servergroup.PNG

I don't know why I have my ClearPass TACACS server marked as "Out of Service".

In the Access Tracker I have a service rejected with the following cause:

cppmside.PNG

cppmsidea.PNG

It shows the protocol is RADIUS and not TACACS. Any clue?

Regards,

Julián

Guru Elite

Re: NAD TACACS Access with CPPM

You have multiple problems:

- You should only have the ClearPass TACACS server in your server group.

- The ClearPass TACACS server is showing out of service because you probably did not set a TACACS+ key in ClearPass under Network > Devices > Aruba Controller.

- For now, your "Default Role" on the controller should be root, because you are not returning any aruba-admin-user RADIUS attribute. Any authentication by a RADIUS server that does not return that attribute gets the default role (no access). You can lock that down when you get authentication working.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Super Contributor I

Re: NAD TACACS Access with CPPM

Hi Colin,

I have left only the ClearPass TACACS server in the server group. I had already set a TACACS+ key for my controller in CPPM, but I have reconfirmed it. And I changed the Default Role to root for my controller.

Now when I access my controller using my TACACS credentials, it shows "Log In failed" as before, but now I see no service at all in the Access Tracker for that access.

Regards,

Julián

Guru Elite

Re: NAD TACACS Access with CPPM

Does the TACACS server still register as out of service? The controller might not try if that is the case...



Colin Joseph
Aruba Customer Engineering


Super Contributor I

Re: NAD TACACS Access with CPPM

No, I have created a new Server Group with only the TACACS server and it is not out of service. Look at the configuration:

servergroup2.PNG
config_admin2.PNG

I don't know what is happening. Maybe with a debug command we can see what is happening?

Regards,

Julián

Guru Elite

Re: NAD TACACS Access with CPPM

You should look in the Access Tracker and see if you see anything that would indicate what the problem is. You should also look at Monitoring > Event Viewer in ClearPass to see if the key is mismatched or it is receiving the authentication on an unexpected interface.



Colin Joseph
Aruba Customer Engineering


Super Contributor I

Re: NAD TACACS Access with CPPM

That's the problem: there is no service or event related to the TACACS request in either Access Tracker or Event Viewer now. It seems like the controller doesn't send any request to ClearPass. Because of that, I wonder if there is any debug command that can be issued on the controller to see if the controller is sending requests to ClearPass.

Regards,

Julián

Guru Elite

Re: NAD TACACS Access with CPPM

What port do you have defined for the TACACS server on the Aruba Controller?



Colin Joseph
Aruba Customer Engineering


Super Contributor I

Re: NAD TACACS Access with CPPM

The default, TCP 49. I have also tried changing it to 4949, but it still doesn't work.

Regards,

Julián

Guru Elite

Re: NAD TACACS Access with CPPM

Please open a TAC case.



Colin Joseph
Aruba Customer Engineering
