AOS-CX Switch Simulator


ARUBA CX Simulator Tacacs Integration doesn't Work

  • 1.  ARUBA CX Simulator Tacacs Integration doesn't Work

    Posted Oct 12, 2021 11:54 AM

    Dear All,

    I did some tests for future projects using GNS3 lab, here is the detail for the environment:

    1. GNS3 as Image orchestrator running on Virtual Box
    2. Aruba CX OVA simulator running on Virtual Box
    3. Tacacs GUI for TACACS+ Server running on Virtual Box
    4. Webterm as end device that will test SSH to Devices

    The topology is like this:

    The following is the command that I run on the ARUBA CX SWITCH.

    ssh server vrf default
    tacacs-server key plaintext tacacs1234
    tacacs-server host 10.1.1.100 vrf default
    aaa group server tacacs TACACS-GUI
        server 10.1.1.100 vrf default
    aaa authentication login default group TACACS-GUI local
    aaa authentication login ssh group TACACS-GUI local

    From the TACACS GUI LOG, PAP Authentication has been successful but access to the switch is still denied, as follows:

    Did I miss something?
    Thank you very much for the help.

    Sincerely, Gibs

    ------------------------------
    Luthfi Naufal Gibrani
    ------------------------------


  • 2.  RE: ARUBA CX Simulator Tacacs Integration doesn't Work

    Posted Nov 03, 2021 01:50 AM
    I've also just had the same experience trying to run this from EVE into ClearPass.

    ------------------------------
    Scott Doorey
    ------------------------------



  • 3.  RE: ARUBA CX Simulator Tacacs Integration doesn't Work

    Posted Nov 04, 2021 03:24 AM
    tacacs-server host clearpass.selectium.local key plaintext pasword auth-type pap vrf mgmt
    !
    aaa group server tacacs Clearpass-Tacacs
    server clearpass.selectium.local vrf mgmt
    !
    !
    aaa authentication login default group Clearpass-Tacacs local
    aaa authorization commands default group Clearpass-Tacacs
    aaa accounting all-mgmt default start-stop group Clearpass-Tacacs

    On the ClearPass side, the enforcement profile looks like this. Instead of priv-lvl you can also use roles. This would be even better, but for my case, priv-lvl is enough.

    Profile:
      Name:                        ArubaOS-CX TACACS Management RW Access
      Description:                 TACACS+ Management RW access for ArubaCX switches
      Type:                        TACACS+
      Action:                      Accept
      Device Group List:           1. ArubaOS-CX switches

    Services:
      Privilege Level:             15
      Selected Services:           1. Shell
                                   2. Aruba:Common
      Authorize Attribute Status:  ADD
      Custom Services:             -
      Service Attributes:
           Type    Name = Value
        1. Shell   priv-lvl = 15

    Commands:
      Service Type:                shell
      Unmatched Commands:          Permit
      Commands:
        Command | Arguments | Permit Action | Unmatched Arguments

    Best, Gorazd

    ------------------------------
    Gorazd Kikelj
    ------------------------------
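
Added example, not part of any post in this thread: when the server log reports a successful authentication, a capture of the TACACS+ authorization reply shows which attributes (such as the `priv-lvl = 15` set in the profile above) are actually sent to the switch. The Python code below decodes such a reply following RFC 8907, using the shared key from the first post; the session ID and the sample packet are constructed for illustration, not taken from a real capture.

```python
import hashlib
import struct

AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR"}

def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: chained MD5 blocks, truncated to the body length."""
    seed = session_id + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def xor_body(header: bytes, body: bytes, key: bytes) -> bytes:
    """Obfuscation is a plain XOR, so the same call hides and reveals a body."""
    pad = pseudo_pad(header[4:8], key, header[0], header[2], len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def parse_author_reply(packet: bytes, key: bytes) -> dict:
    """Decode one TACACS+ authorization REPLY; return its status and AV pairs."""
    header, body = packet[:12], packet[12:]
    if header[1] != 0x02:                      # 0x02 = TAC_PLUS_AUTHOR
        raise ValueError("not an authorization packet")
    if len(body) < 6 or struct.unpack("!I", header[8:12])[0] != len(body):
        raise ValueError("truncated packet or bad length field")
    if not header[3] & 0x01:                   # unencrypted flag clear: body is obfuscated
        body = xor_body(header, body, key)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len     # skip server_msg and data
    if pos + sum(arg_lens) != len(body):
        raise ValueError("inconsistent lengths: wrong shared key or corrupt packet")
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return {"status": AUTHOR_STATUS.get(status, hex(status)), "args": args}

def build_sample_reply(key: bytes, args: list) -> bytes:
    """Constructed sample packet (not a real capture): PASS_ADD with the given AV pairs."""
    enc = [a.encode() for a in args]
    body = struct.pack("!BBHH", 0x01, len(enc), 0, 0) + bytes(map(len, enc)) + b"".join(enc)
    header = struct.pack("!BBBB4sI", 0xC0, 0x02, 2, 0, b"\x12\x34\x56\x78", len(body))
    return header + xor_body(header, body, key)

if __name__ == "__main__":
    pkt = build_sample_reply(b"tacacs1234", ["priv-lvl=15"])
    print(parse_author_reply(pkt, b"tacacs1234"))
```

A reply that decodes to `PASS_ADD` with an empty `args` list means the server authorized the session but returned no attributes for the switch to act on.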