Security

last person joined: 12 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass Shell Role for Nexus TACACS

Jump to Best Answer
  • 1.  Clearpass Shell Role for Nexus TACACS

    Posted Jun 07, 2017 08:53 AM

    I have been trying to determine how to add a shell role to pass a role to Nexus devices for TACACS authentication.  I found an earlier post below that was helpful but I cannot determine where one would add the shell role.  If anyone has any experience adding shell:roles your input would be greatly appreciated.  I assume this is done at the enforcement profile and perhaps you need to modify your TACACS dictionary?  Thanks!

     

    https://community.arubanetworks.com/t5/Security/Cisco-Nexus-role-based-TACACS-with-clearpass/td-p/250397



  • 2.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Jun 08, 2017 04:24 AM

    I don't have experience (nor a Nexus to test it in my lab), but found a few references that may help you get started:

     

    http://community.arubanetworks.com/t5/Security/Cisco-Nexus-role-based-TACACS-with-clearpass/td-p/250397

    And this page that has a debug/packet trace+analysis of a working and failing example to push TACACS+ roles:

    https://routing-bits.com/2011/08/28/cisco-nexus-user-roles-using-tacplus/

     

    It looks like you don't need to change the dictionary, and can just put the roles attribute in your Enforcement policy:

    nexus-roles.png

    I could not test it though, and you might need to test if the "quotes" are needed, which is suggested in the referenced articles.

     

    Can you please let us know if it worked for you?



  • 3.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Jun 08, 2017 03:00 PM

    enfprofile.PNGThis is great thank you for your input.  I am curious did you see role in the dropdown list initially? I do not see role as an option. 

     

     

     



  • 4.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Jun 08, 2017 03:37 PM

    Got you... so the 'drop down' that you show is also a textbox where you can just type the value roles in... Don't use the drop down, simply type.



  • 5.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Jun 15, 2017 10:49 AM

    I was able to create the service attribute however I am not being placed in the correct role on the Nexus device.  I am trying different syntax however I am wondering if some additional debugging may be needed.



  • 6.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Jun 15, 2017 10:53 AM

    The thing is I have two services.  I am not sure if that is causing the issue here.  If I remove the CiscoWLC:Common I am not sure that my other Cisco devices will function.

     

    enforcement.PNG

     



  • 7.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Jun 15, 2017 10:58 AM
    Use Device Groups with separate enforcement profiles.


  • 8.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Jun 16, 2017 09:59 AM

    Only one policy and be associated with a service correct? Would I need a rule in matching a device group in my policy to direct Nexus devices to a different enforcement profile?   Thanks for you input.



  • 9.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Jun 16, 2017 10:32 AM

    You can have a single Enforcement Policy per service, but each rule in the policy can have multiple Enforcement Profiles. By using device groups, and limiting the profile per device group, you can just put in all profiles. ClearPass will only return the attributes from the profiles that match the device group.

     

    Another approach may be to split up the services, one for the Nexuses and another for the other Cisco devices and see if you can match one of the sent attributes (or the device group) to make ClearPass select on or the other service.

     

    Either approach should work, and which one to pick is probably a matter of personal preference.



  • 10.  RE: Clearpass Shell Role for Nexus TACACS
    Best Answer

    Posted Jun 19, 2017 10:59 AM

    Success.  I got this working by using the enforcement profile below.  Thanks to everyone for their input.

     

     

    working Nexus.PNG



  • 11.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Apr 26, 2018 04:41 PM

    Yay Forums, that worked for me as well :-D

     



  • 12.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Mar 21, 2019 05:16 PM

    This helped with Cisco MDS as well, couldn't find the correct way to input this information in Clearpass!

    Screen Shot 2019-03-21 at 2.02.48 PM.png



  • 13.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Oct 23, 2019 05:25 AM

    Do you also know the correct entry for the Cisco Data Center Network Manager (DCNM) ?

    I tried with the version of duderino, but no luck so far.

    Thanks



  • 14.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Nov 01, 2019 10:58 AM

     

    As far as service attributes go, Duderino's example is what's working in my environment. Here's the rest of the enforcement profile.

     

    image.png



  • 15.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Dec 09, 2020 08:58 AM
    Hello!
    Did you get answer for this problem? I have same issue. :)

    ------------------------------
    Petri Kemppainen
    ------------------------------



  • 16.  RE: Clearpass Shell Role for Nexus TACACS

    Posted Dec 15, 2020 04:53 AM
    Did you try the suggestions above? It looks like people show how to return the attributes and report success.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------