Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass TACACS+ Login for Cisco ACI Fabric

  • 1.  ClearPass TACACS+ Login for Cisco ACI Fabric

    MVP
    Posted Feb 18, 2021 02:30 PM
    Hi all,

    We are deploying Cisco's ACI Fabric and wanted to set up TACACS+ login using ClearPass, but are struggling to figure out the proper TACACS+ response for the environment. We don't have any custom roles in ACI; here is what we were able to find in the ACI config:

      rbac role "ops"
        priv ops
        exit
      rbac role "nw-svc-admin"
        priv nw-svc-device,nw-svc-devshare,nw-svc-policy
        exit
      rbac role "nw-svc-params"
        priv nw-svc-params
        exit
      rbac role "admin"
        priv admin
        exit

    We have a working Cisco Prime Infrastructure environment leveraging RADIUS login and they reference NCS Roles, which includes:

    Radius:Cisco Cisco-AVPair = NCS:role0=Help desk Admin

    I tried setting up a similar profile referring to RBAC Roles such as:

    Shell cisco-av-pair = rbac:role=admin

    Unfortunately this did not work. Does anybody have experience with ACI TACACS+ setup in ClearPass? 

    Thanks for the help!

    ------------------------------
    Michael Haring
    ------------------------------


  • 2.  RE: ClearPass TACACS+ Login for Cisco ACI Fabric
    Best Answer

    MVP
    Posted Feb 19, 2021 02:26 AM

    Hi Michael,

    I don't have much experience with Cisco ACI; however, what I would suggest is to import the RADIUS dictionary of the ACI into the RADIUS dictionary on ClearPass, under Administration > Dictionaries > RADIUS.
    From what I saw on ISE with ACI integration, TACACS external logging is configured through the REST API, where you create a destination group.

    Maybe this link can be helpful: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/rest_cfg/2_1_x/b_Cisco_APIC_REST_API_Configuration_Guide.pdf
    and 
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_Configuring_TACACS_RADIUS_LDAP_for_ACI_Access.html#task_D0D8572AB60745F1BFEFE0A2800A1749

    Also, when configuring with ISE usually the assigned role has a shell command of:

    shell:domains = all/admin/ 
    or 
    shell:domains = all/read-all/

    Hope this might have been helpful.



    ------------------------------
    Shpat Berzati
    Network & Systems Integrator
    InterAdria
    Prishtina Kosovo
    +38345945000
    ------------------------------



  • 3.  RE: ClearPass TACACS+ Login for Cisco ACI Fabric

    MVP
    Posted Feb 19, 2021 09:44 AM
    That worked, that was the exact documentation I needed. Thanks for the help!

    ------------------------------
    Michael Haring

    Kudos is always appreciated!
    ------------------------------



  • 4.  RE: ClearPass TACACS+ Login for Cisco ACI Fabric

    Posted Oct 05, 2022 10:45 AM
    Hello,
    How did your enforcement profile end up looking? I'm really struggling; I got it to work with ISE and regular Windows NPS, but not with ClearPass.


  • 5.  RE: ClearPass TACACS+ Login for Cisco ACI Fabric

    MVP
    Posted Oct 05, 2022 11:09 AM
    Our enforcement profile is Priv level 1 (normal), Selected services = Shell, Authorize attribute status = Add, then in the lower portion, it is Shell cisco-av-pair = shell:domains=all/admin/

    Hopefully that helps!

    ------------------------------
    Michael Haring
    ------------------------------



  • 6.  RE: ClearPass TACACS+ Login for Cisco ACI Fabric

    Posted Oct 05, 2022 11:14 AM
    Thanks :) I actually just made it work earlier today :)






  • 7.  RE: ClearPass TACACS+ Login for Cisco ACI Fabric

    Posted Jan 31, 2024 11:22 AM
    Good morning, how is it working? I inserted the same parameters, but when I log in it tells me access is denied.
    
    Profile



  • 8.  RE: ClearPass TACACS+ Login for Cisco ACI Fabric

    Posted Feb 01, 2024 06:08 AM
    Hello,
    Use this, not Cisco AV-Pair. This works for me.




  • 9.  RE: ClearPass TACACS+ Login for Cisco ACI Fabric

    Posted Feb 01, 2024 10:26 AM

    Hello,

    Do this, this works :)

    Don't use Cisco AV-Pair.




  • 10.  RE: ClearPass TACACS+ Login for Cisco ACI Fabric

    Posted Jul 26, 2023 10:58 AM

    I'm still having a little trouble getting this working. Can you please add a screenshot of your settings?

    This is what I have and can't get it to work.




  • 11.  RE: ClearPass TACACS+ Login for Cisco ACI Fabric

    MVP
    Posted Aug 30, 2023 05:09 PM

    Try shell:domains = all/read-all/



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP |
    -Just an Aruba enthusiast and contributor by cases-
    ------------------------------