Drop Cisco IOS user directly in to priv 15 / enable mode w/ ClearPass

  • 1.  Drop Cisco IOS user directly in to priv 15 / enable mode w/ ClearPass

    Posted Dec 10, 2020 08:10 PM

    Hi there,

    I am attempting to create a service within ClearPass that permits or denies certain commands for Cisco IOS users using TACACS+.

    The command Authorization works great, some commands are permitted, some are denied.

    But my issue is that I can't get users dropped directly into priv 15 / enable mode like I am able to with Cisco ISE.

    Switch Config:

    aaa group server tacacs+ CLEARPASS-TACACS
    server name CLEARPASS1
    server name CLEARPASS2
    ip vrf forwarding NMS
    ip tacacs source-interface Vlan10
    !
    aaa authentication login default group CLEARPASS-TACACS local
    aaa authentication enable default group CLEARPASS-TACACS enable
    aaa authorization config-commands
    aaa authorization exec deafult group CLEARPASS-TACACS local if-authenticated
    aaa authorization commands 1 default group CLEARPASS-TACACS local if-authenticated
    aaa authorization commands 15 default group CLEARPASS-TACACS local if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group CLEARPASS-TACACS
    aaa accounting commands 15 default start-stop group CLEARPASS-TACACS
    aaa accounting connection default start-stop group CLEARPASS-TACACS
    aaa accounting system default start-stop group CLEARPASS-TACACS
    !
    tacacs server CLEARPASS1
    address ipv4 10.0.10.22
    key 7 xxxxxx
    tacacs server CLEARPASS2
    address ipv4 10.0.10.21
    key 7 xxxxxx
    !
    !
    !
    !
    line con 0
    line vty 5 15

    Below is the Enforcement Profile that my user is hitting:

    [Screenshot: Aruba ClearPass Cisco IOS TACACS Profile]

    I ran a 'debug AAA Authorization' on the Cisco switch.
    Lines 1 and 2 are displayed when I log in (still in user exec, priv 1).
    Lines 3 - 7 are displayed when I type 'enable' and successfully enter my password.

    1 Mar 30 04:17:26.400: AAA/BIND(0000002D): Bind i/f
    2 Mar 30 04:17:26.467: AAA/AUTHOR (0000002D): Method list id=0 not configured. Skip author
    3 Mar 30 04:17:28.656: AAA/AUTHOR: auth_need : user= 'jdoe' ruser= 'switch2'rem_addr= '10.0.0.52' priv= 0 list= '' AUTHOR-TYPE= 'commands'
    4 Mar 30 04:17:28.656: AAA: parse name=tty3 idb type=-1 tty=-1
    5 Mar 30 04:17:28.656: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
    6 Mar 30 04:17:28.665: AAA/MEMORY: create_user (0x40B03A4) user='jdoe' ruser='NULL' ds0=0 port='tty3' rem_addr='10.0.0.52' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
    7 Mar 30 04:17:31.248: AAA/MEMORY: free_user (0x40B03A4) user='jdoe' ruser='NULL' port='tty3' rem_addr='10.0.0.52' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)


    Anybody able to tell me what I am missing?

    I only want users of THIS Enforcement Profile to be granted priv 15 immediately. I have other users who I am happy to leave locked down in priv 1, as that is all they are granted.




    ------------------------------
    Regards,

    BrettVerney
    ------------------------------


  • 2.  RE: Drop Cisco IOS user directly in to priv 15 / enable mode w/ ClearPass

    Posted Dec 13, 2020 06:25 PM
    It might be that, despite your TACACS attribute, the switch is only applying priv level 1. Could you double-check the value that IOS is expecting to see in the response, e.g. case sensitivity? If it is incorrect then the switch might be silently ignoring that attribute.






  • 3.  RE: Drop Cisco IOS user directly in to priv 15 / enable mode w/ ClearPass
    Best Answer

    Posted Jan 13, 2021 09:01 PM
    OK this is embarrassing.

    There was a typo trying to reference one of the default method lists:

    aaa authorization exec deafult group CLEARPASS-TACACS local if-authenticated

    I spelt 'default' wrong, so it was looking for a method list that didn't exist!

    I fixed this and now users are dropped into the correct privilege level.

    -Brett

    ------------------------------
    Regards,

    BrettVerney
    ------------------------------
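The root cause in the accepted answer (a named list created by a typo, while the real default list stays empty, which the debug output in the first post shows as "Method list id=0 not configured. Skip author") is the kind of mistake a config check can catch before a debug session. The following is an added example, not code from the thread, HPE or Cisco: a small Python lint over an IOS AAA block that flags named method lists never applied to a line (with a near-miss hint for 'default') and references to undefined server groups. The sample config is constructed from the switch config posted above.

```python
import difflib
import re

# Constructed sample from the thread, including the "deafult" typo that left
# the real default exec-authorization list undefined.
SAMPLE_CONFIG = """\
aaa group server tacacs+ CLEARPASS-TACACS
aaa authentication login default group CLEARPASS-TACACS local
aaa authentication enable default group CLEARPASS-TACACS enable
aaa authorization config-commands
aaa authorization exec deafult group CLEARPASS-TACACS local if-authenticated
aaa authorization commands 1 default group CLEARPASS-TACACS local if-authenticated
aaa authorization commands 15 default group CLEARPASS-TACACS local if-authenticated
line vty 5 15
"""
# AAA statements that define a method list: aaa <kind> <list-name> <methods>
KINDS = (r"authentication login|authentication enable|authorization exec|"
         r"authorization commands \d+|accounting (?:exec|commands \d+|connection|system)")
DEF_RE = re.compile(rf"^aaa ({KINDS}) (\S+) (.+)$")
# Statements under a 'line' block that apply a named list to that line.
APPLY_RE = re.compile(r"^(?:login authentication|authorization exec|"
                      r"authorization commands \d+|accounting \w+) (\S+)$")
GROUP_DEF_RE = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)$")
GROUP_REF_RE = re.compile(r"\bgroup (\S+)")

def lint_aaa(config: str) -> list[str]:
    """Flag AAA method lists and server groups that can never take effect."""
    defined, applied, groups, findings = {}, set(), set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := GROUP_DEF_RE.match(line):
            groups.add(m.group(1))
        elif m := DEF_RE.match(line):
            kind, name, methods = m.groups()
            defined[(kind, name)] = methods
        elif m := APPLY_RE.match(line):
            applied.add(m.group(1))
    for (kind, name), methods in defined.items():
        # Only 'default' is implicit; any other name must be applied to a line.
        if name != "default" and name not in applied:
            close = difflib.get_close_matches(name, ["default"], cutoff=0.8)
            hint = " (typo of 'default'?)" if close else ""
            findings.append(f"list '{name}' for '{kind}' is never applied to a line{hint}")
        for grp in GROUP_REF_RE.findall(methods):
            if grp not in groups | {"tacacs+", "radius"}:
                findings.append(f"'{kind} {name}' uses undefined server group '{grp}'")
    for kind in {k for k, _ in defined}:
        if (kind, "default") not in defined:
            # IOS reports this at login as: Method list id=0 not configured. Skip author
            findings.append(f"no default list for '{kind}'; lines without an explicit list get none")
    return findings
```

Run it against `show running-config | section aaa` output; the same check with the typo corrected returns no findings.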