Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM 6.9 cisco switch TACACS

  • 1.  CPPM 6.9 cisco switch TACACS

    Posted Jul 03, 2021 02:11 PM
    Hey,

    I'm doing a new setup for our TACACS on the 6.9 code train, currently running 6.9.0 but will be going to 6.9.6 after clustering is enabled. However, I'm running into an issue with authorization with our Cisco infrastructure.

    I have my enforcement profiles set up correctly, but what I'm not seeing is "do" commands showing up in the authorization, so they are being allowed.

    The enforcement profile I'm currently working on is one with priv 15 that allows show commands and int shut / no shut but nothing else. I am not allowing unmatched commands. When in priv exec, you can't do things like reload or write erase etc., but if you go into global config, it allows you to do "do reload" or "do write erase", which obviously is no good. When I look at the authorization list, I do not see the do or do-exec commands there. What gives? Haven't done a packet capture from ClearPass, but that's next.

    Any ideas?

    Edit-----

    Never mind, I figured it out. I needed to remove

    aaa authorization commands 15 default group tacserver if-authenticated

    and add

    aaa authorization config-commands
    aaa authorization commands 15 default group tacserver
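
    An added audit check, not from the thread or from HPE Aruba: a Python script that scans a Cisco IOS running-config for the two command-authorization settings discussed above, flagging a missing "aaa authorization config-commands" line (the gap that let "do ..." commands through in config mode) and an "if-authenticated" fallback in the commands method list, which permits the command when the TACACS+ server cannot be reached. The sample configs are constructed; the server group name "tacserver" is taken from the post, while the server address and key are placeholders.

```python
import re

# Constructed sample excerpts of a Cisco IOS running-config. The server group
# name "tacserver" comes from the thread; the address and key are placeholders.
BEFORE = """\
aaa new-model
aaa group server tacacs+ tacserver
 server-private 192.0.2.10 key 7 PLACEHOLDER
aaa authorization commands 15 default group tacserver if-authenticated
"""

AFTER = """\
aaa new-model
aaa group server tacacs+ tacserver
 server-private 192.0.2.10 key 7 PLACEHOLDER
aaa authorization config-commands
aaa authorization commands 15 default group tacserver
"""

CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


def audit_command_authz(config: str) -> list:
    """Return findings about command-authorization gaps in an IOS config.

    Check 1 (the thread's fix): 'aaa authorization commands <level>' is set
    but 'aaa authorization config-commands' is absent or negated, so commands
    entered in configuration mode, 'do ...' included, are not sent to TACACS+.
    Check 2: a commands method list contains 'if-authenticated', which permits
    the command when the server cannot be reached (fail-open) instead of
    denying it.
    """
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    cmd_lists = [m for ln in lines if (m := CMD_AUTHZ.match(ln))]
    enabled = "aaa authorization config-commands" in lines
    disabled = "no aaa authorization config-commands" in lines
    if cmd_lists and (disabled or not enabled):
        findings.append("config-mode commands bypass authorization: "
                        "add 'aaa authorization config-commands'")
    for m in cmd_lists:
        level, name, methods = m.groups()
        if "if-authenticated" in methods.split():
            findings.append(f"commands {level} list '{name}' falls back to "
                            "'if-authenticated' (fail-open if server unreachable)")
    return findings
```

    Running audit_command_authz(BEFORE) reports both findings; the AFTER config, which matches the fix in the post, reports none.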



  • 2.  RE: CPPM 6.9 cisco switch TACACS

    Posted Jul 03, 2021 05:16 PM
    Never mind


  • 3.  RE: CPPM 6.9 cisco switch TACACS

    Posted Jul 04, 2021 12:39 PM
    Make sure you also check out the Aruba Solutions Exchange:
    https://ase.arubanetworks.com/solutions/id/237
    and
    https://ase.arubanetworks.com/solutions/id/80