Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

CPPM 6.9 cisco switch TACACS

  • 1.  CPPM 6.9 cisco switch TACACS

    Posted Jul 03, 2021 02:11 PM
    Hey,

    I'm doing a new setup for our TACACS on the 6.9 code train, currently running 6.9.0 but will be going to 6.9.6 after clustering is enabled. However, I'm running into an issue with authorization with our Cisco infrastructure.

    I have my enforcement profiles set up correctly, but what I'm not seeing is "do" commands showing up in the authorization, so they are being allowed.

    The enforcement profile I'm currently working on is one with priv 15 that allows show commands and int shut / no shut but nothing else. I am not allowing unmatched commands. When in priv exec, you can't do things like reload or write erase etc., but if you go into global config, it allows you to do "do reload" or "do write erase", which obviously is no good. When I look at the authorization list, I do not see the do or do-exec commands there. What gives? Haven't done a packet capture from ClearPass, but that's next.

    Any ideas?

    Edit-----

    Never mind, I figured it out. I needed to remove

    aaa authorization commands 15 default group tacserver if-authenticated

    and add

    aaa authorization config-commands
    aaa authorization commands 15 default group tacserver
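    As an added example (not code from this thread, from Aruba or from Cisco), here is a small Python audit that checks a switch's AAA lines for the two things the post above changed: the `if-authenticated` fallback on the level-15 command-authorization list, and the presence of `aaa authorization config-commands`, which the author needed before commands entered in configuration mode (including `do ...`) were authorized by ClearPass. The two sample configurations are constructed for the example; the `tacserver` group name and the two authorization lines come from the post, while the `aaa new-model`, login and exec-authorization lines are assumed surrounding context.

```python
import re
from typing import Dict, List

# Constructed sample: the AAA lines the thread's author started with.
# The "commands 15" line is the one quoted in the post; the rest is assumed context.
BEFORE = """\
aaa new-model
aaa authentication login default group tacserver local
aaa authorization exec default group tacserver if-authenticated
aaa authorization commands 15 default group tacserver if-authenticated
"""

# Constructed sample: the same switch after the fix described in the post.
AFTER = """\
aaa new-model
aaa authentication login default group tacserver local
aaa authorization exec default group tacserver if-authenticated
aaa authorization config-commands
aaa authorization commands 15 default group tacserver
"""

# "aaa authorization commands <level> <list-name> <method ...>"
CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


def audit_command_authorization(config: str, server_group: str = "tacserver") -> List[str]:
    """Return findings for a running-config; an empty list means it has the fixed shape.

    Checks, in order:
      * a level-15 command-authorization list exists,
      * it sends commands to the expected TACACS+ server group,
      * it does not carry the 'if-authenticated' fallback method,
      * configuration-mode commands are authorized too ('aaa authorization config-commands').
    """
    findings: List[str] = []
    lines = [ln.strip() for ln in config.splitlines()]

    cmd_lists: Dict[int, List[str]] = {}  # privilege level -> method tokens
    for ln in lines:
        m = CMD_AUTHZ.match(ln)
        if m:
            level, _name, methods = m.groups()
            cmd_lists[int(level)] = methods.split()

    if 15 not in cmd_lists:
        findings.append("no 'aaa authorization commands 15' list: privileged commands are not sent to TACACS+")
    else:
        methods = cmd_lists[15]
        if "group" not in methods or server_group not in methods:
            findings.append(f"level-15 command authorization does not use 'group {server_group}'")
        if "if-authenticated" in methods:
            findings.append("level-15 command authorization carries the 'if-authenticated' fallback method")

    if "no aaa authorization config-commands" in lines:
        findings.append("'aaa authorization config-commands' is explicitly disabled")
    elif "aaa authorization config-commands" not in lines:
        findings.append("'aaa authorization config-commands' not configured: config-mode commands such as 'do ...' were not authorized in the thread without it")

    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        result = audit_command_authorization(cfg)
        print(f"{label}: {result or 'OK'}")
```

    Run against the constructed `BEFORE` sample the audit reports both the `if-authenticated` fallback and the missing `config-commands` line; against `AFTER` it reports nothing. Feeding it the output of `show running-config | include ^aaa` from a real switch is enough, since only the `aaa` lines are inspected.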



  • 2.  RE: CPPM 6.9 cisco switch TACACS

    Posted Jul 03, 2021 05:16 PM
    Never mind


  • 3.  RE: CPPM 6.9 cisco switch TACACS

    Posted Jul 04, 2021 12:39 PM
    Make sure you also check out the Aruba Solutions Exchange:
    https://ase.arubanetworks.com/solutions/id/237
    and
    https://ase.arubanetworks.com/solutions/id/80