Security

last person joined: 6 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Cisco DNA Center WebUI Login (TACACS)

Jump to Best Answer
This thread has been viewed 41 times
  • 1.  Cisco DNA Center WebUI Login (TACACS)

    Posted Jan 26, 2021 10:04 AM

    Hello,

    I'm trying to configure TACACS login using AD credentials to Cisco DNA Center using ClearPass, but struggling to get the correct syntax. In DNA Center's config it states - 


    "The value of the AAA attribute to be configured for authorization on AAA server would be in the format of "Role=role1". On ISE server, choose the cisco-av-pair attribute from cisco specific AAA attributes list. A sample configuration inside Authorization profile would look like "cisco-av-pair= Role=SUPER-ADMIN-ROLE".

    An example configuration in the case of manually defining the AAA attribute would be "Cisco-AVPair=Role=SUPER-ADMIN-ROLE"."


    I've tried using the Shell service with cisco-av-pair attribute and various values including the role name of "SUPER-ADMIN-ROLE" and the role value of "Role=role2" and simply just "role2". None of these combinations seemed to work, so I created a new TACACS service called "Cisco-AVPair" to match the same from DNA Center with Role attribute and value of both role name and number, but neither of those appear to work either. 

    Wondering if anybody set this up successfully or any suggestions on what I may be missing?

    Thanks in advance! 



    ------------------------------
    Michael Haring
    ------------------------------


  • 2.  RE: Cisco DNA Center WebUI Login (TACACS)

    Posted Jul 26, 2021 11:10 AM
    Michael,

    Did you ever resolve this?  I am able to auth TACACS just fine on all Cisco devices, but having a hell of a time getting the actual DNA Center to auth to ClearPass.  I've tried what you have adding the Cisco-AVPair and confirming that "all shell commands not listed are permitted" is checked, however im still getting the following error message in ClearPass:

    --Authorization Requests Messages--
    *Command*--
    Error Message:  No enforcement profiles matched to perform command authorization
    Error Group:  Tacacs authorization
    *Alerts for this Request:*
    Tacacs server:  Tacacs service=cas-service not enabled


    I'm stumped but hopefully you figured out the proper settings and can save the day!  Thanks, and Happy Friday.

    -Chris

    ------------------------------
    Chris Chovanec
    ------------------------------



  • 3.  RE: Cisco DNA Center WebUI Login (TACACS)
    Best Answer

    Posted Jul 26, 2021 03:48 PM
    Hi Chris,

    I was unable to get TACACS to work properly, so i transitioned the setup to use RADIUS instead. I was able to get this working with the following setup: Set "Radius:Cisco = Cisco-AVPair = Role=SUPER-ADMIN-ROLE".

    There are additional roles in DNA Center that can be setup, but we only leverage the one.

    I hope this helps!


    ------------------------------
    Michael Haring

    AirHeads MVP 2017, 2019-2021
    ------------------------------



  • 4.  RE: Cisco DNA Center WebUI Login (TACACS)

    Posted 22 days ago
    Was able to get TACACS working!

    Need to update the tacacs services dictionary with cas-service. 

    In the enforcement profile, services tab, I exported the current dictionary (link top right), added the following line into that xml, and then updated dictionary with the updated xml.
        <TacacsServiceDictionary dispName="cas-service" name="cas-service"/>

    After that, I backed out of the enforcement profile and opened it back up.  Now under the services tab, I could select cas-service.  Then under the services attributes, i added cas-service with name "Cisco-AVPair" and value "Role=SUPER-ADMIN-ROLE"



    Cheers

    ------------------------------
    Nick Bb
    ------------------------------