With ClearPass 6.7.0+, we can perform management authentication into ClearPass using an external TACACS+ server, which was not an option in versions prior to that.
ClearPass now provides the capability to send management TACACS+ authentication requests to an external TACACS+ server and to accept the TACACS+ response, with an attribute from the server, in order to grant admin access privileges to users logging into the module.
In order to configure ClearPass to send the management authentication request to an external TACACS+ server, navigate to Administration » Server Manager » Server Configuration » Cluster-Wide Parameters as shown below:
Navigate to the tab named "TACACS", where you can enter the remote server IP and the TACACS+ shared secret key.
[Please note that in the current example, I have used another ClearPass server as the external TACACS+ server.]
On the external TACACS+ server [ClearPass], I created a service that returns cpass:HTTP > AdminPrivilege = Super Administrator upon successful authentication, as shown below:
Similarly, we could return TACACS Help Desk, TACACS Network Admin, TACACS Read-Only, etc., as required.
Please note: Even if you are using any other external TACACS+ server, ClearPass expects the attribute mentioned above in order to allow the user to log in.
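The following is an added example, not ClearPass code or configuration from the original page. It shows what the "ClearPass expects the above attribute" rule means at the protocol level: it builds and parses a TACACS+ authorization REPLY body (RFC 8907, section 6.2), extracts the attribute-value pairs, and derives the admin privilege only when the reply is a PASS, carries the `cpass:HTTP` service, and includes an `AdminPrivilege` value matching one of the privilege names listed above. The mapping of the ClearPass enforcement profile `cpass:HTTP > AdminPrivilege = ...` to the wire arguments `service=cpass:HTTP` and `AdminPrivilege=...` is an assumption made for this example, as are the sample reply bodies, which are constructed here rather than captured from a real server.

```python
import struct

# Authorization REPLY status values from RFC 8907, section 6.2.
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_PASS_REPL = 0x02
AUTHOR_STATUS_FAIL = 0x10
AUTHOR_STATUS_ERROR = 0x11

# Assumption: the ClearPass profile "cpass:HTTP > AdminPrivilege = X" is carried
# on the wire as the arguments "service=cpass:HTTP" and "AdminPrivilege=X".
EXPECTED_SERVICE = "cpass:HTTP"
PRIVILEGE_ATTR = "AdminPrivilege"
# Privilege names taken from the page; the server must return exactly one of these.
KNOWN_PRIVILEGES = {
    "Super Administrator",
    "TACACS Help Desk",
    "TACACS Network Admin",
    "TACACS Read-Only",
}


def build_author_reply(status, args, server_msg=b"", data=b""):
    """Serialise an authorization REPLY body (constructed sample, no real server)."""
    encoded = [a.encode("ascii") for a in args]
    header = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    arg_lens = bytes(len(a) for a in encoded)
    return header + arg_lens + server_msg + data + b"".join(encoded)


def parse_author_reply(body):
    """Parse an authorization REPLY body; raises ValueError on truncation or trailing bytes."""
    if len(body) < 6:
        raise ValueError("reply body shorter than fixed header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    offset = 6
    arg_lens = body[offset:offset + arg_cnt]
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated argument length table")
    offset += arg_cnt
    server_msg = body[offset:offset + msg_len]
    offset += msg_len
    offset += data_len  # administrative data is not needed here
    args = []
    for length in arg_lens:
        chunk = body[offset:offset + length]
        if len(chunk) != length:
            raise ValueError("truncated argument")
        args.append(chunk.decode("ascii"))
        offset += length
    if offset != len(body):
        raise ValueError("trailing bytes after last argument")
    return status, server_msg.decode("ascii", "replace"), args


def split_avpair(arg):
    """Split 'name=value' (mandatory) or 'name*value' (optional), per RFC 8907 section 8.1."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], ch == "=", arg[i + 1:]
    raise ValueError("argument has no separator: %r" % arg)


def admin_privilege_from_reply(body):
    """Return the ClearPass admin privilege granted by the reply, or None if access must be denied."""
    status, _server_msg, args = parse_author_reply(body)
    if status not in (AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL):
        return None  # FAIL, ERROR or FOLLOW: no privilege granted
    attrs = {}
    for arg in args:
        name, _mandatory, value = split_avpair(arg)
        attrs[name] = value
    if attrs.get("service") != EXPECTED_SERVICE:
        return None  # attribute returned for some other service does not count
    privilege = attrs.get(PRIVILEGE_ATTR)
    if privilege not in KNOWN_PRIVILEGES:
        return None  # missing or unknown privilege name: login is refused
    return privilege


# Constructed sample replies for the cases a practitioner would want to check.
SAMPLE_SUPER_ADMIN = build_author_reply(
    AUTHOR_STATUS_PASS_ADD,
    ["service=cpass:HTTP", "AdminPrivilege=Super Administrator"],
)
SAMPLE_NO_PRIVILEGE = build_author_reply(AUTHOR_STATUS_PASS_ADD, ["service=cpass:HTTP"])
SAMPLE_WRONG_SERVICE = build_author_reply(
    AUTHOR_STATUS_PASS_ADD, ["service=shell", "priv-lvl=15"]
)
SAMPLE_FAIL = build_author_reply(AUTHOR_STATUS_FAIL, [], server_msg=b"denied")

if __name__ == "__main__":
    for label, body in (
        ("super admin", SAMPLE_SUPER_ADMIN),
        ("no AdminPrivilege", SAMPLE_NO_PRIVILEGE),
        ("wrong service", SAMPLE_WRONG_SERVICE),
        ("fail", SAMPLE_FAIL),
    ):
        print(label, "->", admin_privilege_from_reply(body))
```

The point of the three negative samples is that a PASS status alone is not enough: a reply for a different service (for example a `shell` service with `priv-lvl=15`, as many network devices use) carries no ClearPass admin privilege, so when troubleshooting a login that succeeds on the external server but is refused by ClearPass, the first thing to compare is the returned service and attribute names.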
Once configured, try logging into the ClearPass server. You will see a TACACS+ request initiated to the remote server IP; in our case, we can see the request on the external ClearPass server.
Note - Important: Even when an external TACACS+ server is specified for management authentication, ClearPass always checks its own local Admin repository first when a management login is attempted. Only if the user is not found in the local Admin database is a TACACS+ request sent to the external server. This ensures that users can still log in to the GUI if the external TACACS+ server goes down.
Note - Important: In a cluster, this setting applies to all the ClearPass servers in the cluster.