I have been trying to determine how to add a shell role to pass a role to Nexus devices for TACACS authentication. I found an earlier post below that was helpful but I cannot determine where one would add the shell role. If anyone has any experience adding shell:roles your input would be greatly appreciated. I assume this is done at the enforcement profile and perhaps you need to modify your TACACS dictionary? Thanks!
I don't have experience (nor a Nexus to test it in my lab), but found a few references that may help you get started:
And this page that has a debug/packet trace+analysis of a working and failing example to push TACACS+ roles:
It looks like you don't need to change the dictionary, and can just put the roles attribute in your Enforcement policy:
I could not test it though, and you might need to test if the "quotes" are needed, which is suggested in the referenced articles.
Can you please let us know if it worked for you?
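To make the "working vs. failing packet trace" part of the reply above concrete, here is an added example that is not from the original thread, from ClearPass, or from Cisco: a small Python builder/parser for the decrypted body of a TACACS+ authorization REPLY (RFC 8907 section 6.2), which is where the `shell:roles` attribute-value pair travels to the Nexus. The 12-byte TACACS+ packet header and the MD5-based body obfuscation are deliberately left out; only the body layout is shown. The value syntax `shell:roles="network-admin vdc-admin"` (quotes included, roles space-separated) is the form the thread ended up testing and is treated here as an assumption, which is why `extract_roles` tolerates both the quoted and unquoted forms. `priv-lvl=15` is a second constructed attribute included only to show that unrelated pairs are passed through.

```python
import struct

# Authorization status codes from RFC 8907 section 6.2.
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01   # server adds/accepts the listed args
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02  # server replaces the client's args
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10


def build_author_reply(status, args, server_msg=b"", data=b""):
    """Build the (unobfuscated) body of a TACACS+ authorization REPLY.

    Layout: status(1) arg_cnt(1) server_msg_len(2) data_len(2)
            arg_1_len(1) ... arg_N_len(1) server_msg data arg_1 ... arg_N
    """
    arg_bytes = [a.encode("ascii") for a in args]
    if len(arg_bytes) > 255 or any(len(a) > 255 for a in arg_bytes):
        raise ValueError("arg count and each arg length are single bytes")
    header = struct.pack("!BBHH", status, len(arg_bytes), len(server_msg), len(data))
    arg_lens = bytes(len(a) for a in arg_bytes)
    return header + arg_lens + server_msg + data + b"".join(arg_bytes)


def parse_author_reply(body):
    """Parse a REPLY body back into (status, server_msg, data, [args]).

    Raises ValueError on truncated or over-long bodies, which is the first
    thing to check when a device rejects a reply that 'looks' right.
    """
    if len(body) < 6:
        raise ValueError("body shorter than fixed 6-byte header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg length table")
    off += arg_cnt
    server_msg = body[off:off + msg_len]
    off += msg_len
    data = body[off:off + data_len]
    off += data_len
    args = []
    for n in arg_lens:
        chunk = body[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated argument")
        args.append(chunk.decode("ascii"))
        off += n
    if off != len(body):
        raise ValueError("trailing bytes after last argument")
    return status, server_msg, data, args


def split_av_pair(arg):
    """Split an AV pair at its FIRST '=' (mandatory) or '*' (optional).

    Returns (attribute, mandatory, value). Splitting at the first separator
    matters because values like shell:roles="network-admin" may themselves
    contain characters the device treats literally.
    """
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], ch == "=", arg[i + 1:]
    raise ValueError("attribute without = or * separator: %r" % arg)


def extract_roles(args):
    """Return the role names carried in shell:roles, or [] if absent.

    Assumption: Nexus-style syntax shell:roles="role1 role2"; surrounding
    quotes are stripped and roles are space-separated. An unquoted value
    is accepted too, so either form the thread experimented with parses.
    """
    for arg in args:
        attr, _mandatory, value = split_av_pair(arg)
        if attr == "shell:roles":
            return value.strip('"').split()
    return []


def demo():
    """Round-trip a constructed reply carrying a role for a Nexus."""
    body = build_author_reply(
        TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
        ['shell:roles="network-admin vdc-admin"', "priv-lvl=15"],
    )
    status, _msg, _data, args = parse_author_reply(body)
    return status, args, extract_roles(args)


if __name__ == "__main__":
    print(demo())
```

When a device debug shows the reply arriving but the user still landing in the default role, compare the parsed `args` list against what the device expects: a mis-typed attribute name, a value that is present but unquoted, or a `*` optional separator where the device wants `=` all look identical in the ClearPass UI and only show up at this layer.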
This is great thank you for your input. I am curious did you see role in the dropdown list initially? I do not see role as an option.
Got you... so the 'drop down' that you show is also a textbox where you can just type the value roles in... Don't use the drop down, simply type.
I was able to create the service attribute; however, I am not being placed in the correct role on the Nexus device. I am trying different syntax, however I am wondering if some additional debugging may be needed.
The thing is I have two services. I am not sure if that is causing the issue here. If I remove the CiscoWLC:Common I am not sure that my other Cisco devices will function.
Only one policy can be associated with a service, correct? Would I need a rule matching a device group in my policy to direct Nexus devices to a different enforcement profile? Thanks for your input.
You can have a single Enforcement Policy per service, but each rule in the policy can have multiple Enforcement Profiles. By using device groups, and limiting the profile per device group, you can just put in all profiles. ClearPass will only return the attributes from the profiles that match the device group.
Another approach may be to split up the services, one for the Nexuses and another for the other Cisco devices, and see if you can match one of the sent attributes (or the device group) to make ClearPass select one or the other service.
Either approach should work, and which one to pick is probably a matter of personal preference.
Success. I got this working by using the enforcement profile below. Thanks to everyone for their input.
Yay Forums, that worked for me as well :-D
This helped with Cisco MDS as well, couldn't find the correct way to input this information in Clearpass!
Do you also know the correct entry for the Cisco Data Center Network Manager (DCNM) ?
I tried with the version of duderino, but no luck so far.
As far as service attributes go, Duderino's example is what's working in my environment. Here's the rest of the enforcement profile.