Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Azure AD as ClearPass Authentication Source for TACACS+

  • 1.  Azure AD as ClearPass Authentication Source for TACACS+

    Posted Jun 01, 2021 03:53 PM
    Hello,

    I am working on a NAC project where the client is migrating to MS Azure AD and Intune.
    At the moment, we have successfully integrated ClearPass with Intune (through the Intune extension), and Azure AD for SSO with SAML and Guest Social login with OAuth2.

    Now we are trying to configure TACACS+ for secure login to network devices.
    Is there any other way to add Azure AD to ClearPass Authentication Sources and use it as the TACACS+ auth source, other than LDAPS (enabling MS Azure AD Domain Services)? Maybe with some Extension or API, using the OAuth2 protocol?

    For example, similarly to how it is done with Intune, where you configure Authentication Source Type HTTP and point the Base URL to the Intune Extension IP.

    Thanks for any thoughts!



    ------------------------------
    Kestutis Viršilas
    ------------------------------


  • 2.  RE: Azure AD as ClearPass Authentication Source for TACACS+

    Posted Jun 01, 2021 04:09 PM
    You should use SSH public key authentication. Legacy authentication methods should never be used.

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: Azure AD as ClearPass Authentication Source for TACACS+

    EMPLOYEE
    Posted Aug 19, 2021 12:47 AM
    Hi Tim,

    Fully agree with your point, but there is always a BUT :)

    Most customers use TACACS because they do not want to share and sync public keys among all of their devices and update them if access rights are changing or revoked. This is where TACACS came into play. With TACACS you can manage access rights through a central database without the need to touch every device if something is changing.
    If we could combine public key and TACACS, this would be the best option of all.
    What do you think?

    ------------------------------
    -------------------------------------------------------------------------------
    Florian Baaske
    -------------------------------------------------------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    -------------------------------------------------------------------------------
    Also visit the AirHeads Youtube Channel:
    https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
    -------------------------------------------------------------------------------
    Feel free to visit my personal Blog
    https://www.flomain.de
    ------------------------------



  • 4.  RE: Azure AD as ClearPass Authentication Source for TACACS+

    Posted Aug 19, 2021 12:20 PM
    Then you should use SSH certificates.

    ------------------------------
    Tim C
    ------------------------------
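    Tim C's suggestion of SSH certificates, as an added example that is not part of the thread: a POSIX shell script using ssh-keygen to run a central user CA that signs short-lived certificates with principals, and a Key Revocation List (KRL) so access is revoked centrally without editing authorized_keys on each device. The CA name, user identity, serial, principal and validity window are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a central SSH user CA issuing short-lived
# certificates with principals, plus a Key Revocation List (KRL). All key names,
# identities, serials and paths below are constructed for the demo.
set -eu

# Throwaway CA and user key pair (no passphrases; demo only). Prints the work dir.
setup_demo_pki() {
    d=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -C 'netops-ssh-ca' -f "$d/ca"
    ssh-keygen -q -t ed25519 -N '' -C 'alice@example.test' -f "$d/alice"
    echo "$d"
}

# Sign alice's public key. -I is the audit identity, -z a serial used for
# revocation, -n the principals (a device maps "netadmin" to a local account via
# AuthorizedPrincipalsFile), -V a validity window so certs expire on their own.
issue_cert() {    # $1=workdir $2=serial $3=identity $4=principals $5=validity
    ssh-keygen -q -s "$1/ca" -I "$3" -z "$2" -n "$4" -V "$5" "$1/alice.pub"
    # ssh-keygen writes the certificate to $1/alice-cert.pub
}

# 0 if the cert carries the principal and was signed by our CA, else 1.
cert_ok() {       # $1=workdir $2=principal
    ca_fp=$(ssh-keygen -lf "$1/ca.pub" | awk '{print $2}')
    info=$(ssh-keygen -Lf "$1/alice-cert.pub")
    echo "$info" | grep -q "Signing CA: .*$ca_fp" || return 1
    echo "$info" | sed -n '/Principals:/,/Critical Options:/p' | grep -qx " *$2"
}

# Revoke by serial: build a KRL from a spec file. Devices point RevokedKeys in
# sshd_config at the distributed KRL; nothing else on the device changes, which
# is the central-revocation property the thread wants from TACACS.
revoke_serial() { # $1=workdir $2=serial
    printf 'serial: %s\n' "$2" > "$1/revoke.spec"
    ssh-keygen -q -k -f "$1/krl" -s "$1/ca.pub" "$1/revoke.spec"
}

# 0 if the cert is revoked in the KRL (ssh-keygen -Q exits non-zero on REVOKED).
cert_revoked() {  # $1=workdir
    [ -f "$1/krl" ] || return 1
    ! ssh-keygen -Q -f "$1/krl" "$1/alice-cert.pub" >/dev/null
}
```

    On the device side only TrustedUserCAKeys, AuthorizedPrincipalsFile and RevokedKeys in sshd_config need to exist; day-to-day access changes then happen at the CA and in the KRL.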



  • 5.  RE: Azure AD as ClearPass Authentication Source for TACACS+

    EMPLOYEE
    Posted Aug 27, 2021 01:15 AM
    Wasn't aware that something like this exists but it is exactly what is needed to replace username/password auth in larger IT departments. Thanks for the hint.

    ------------------------------
    Florian Baaske
    ------------------------------