This how-to configures RADIUS authentication on an AVOCENT ACS6000 console server running firmware v184.108.40.206 and integrates its authentication with a ClearPass server version v220.127.116.11162 via RADIUS.
The AVOCENT device will be configured to give admin access to the users that belong to a specific Active Directory group.
We do not need the Avocent ACS dictionary installed in ClearPass because we will use only RADIUS IETF standard attributes.
Using device groups for everything in ClearPass is the best way to organize devices. This step is OPTIONAL.
VERY IMPORTANT STEP: The Users Group named "admin" is configured by default on your AVOCENT devices. You can define a different Users Group name (for example "group-access-console-port-one"). In that case you must also define the additional Users Group on the AVOCENT devices and assign the specific privileges to that group.
VERY IMPORTANT STEP: You can define additional Rules (repeating the Rule creation steps) to associate the remaining user groups with other AD groups as you see fit.
VERY IMPORTANT NOTE: You can reach the same goal using the condition Connection:NAD-IP-Address "BELONGS_TO_GROUP" "ACS AVOCENT". The key here is that the Value must match the Device Group name you defined previously.
With these steps we have finished the ClearPass configuration needed to integrate with the Avocent device. The configuration can be extended with more roles carrying different privileges to meet your organization's needs.
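As an added example that is not part of this how-to, the following Python snippet shows what the ClearPass side of this integration hands back to the console server: an Access-Accept built only from IETF attributes, whose Response Authenticator is verified against the shared secret before its attributes are trusted, the check to reproduce when a login succeeds but the wrong privileges are applied. The Filter-Id attribute and the "group_name=admin" value are assumptions about how the reply names the Users Group; they are not taken from this page.

```python
import hashlib
import hmac
import struct

# RADIUS code and IETF attribute numbers from RFC 2865; no vendor dictionary needed
ACCESS_ACCEPT = 2
SERVICE_TYPE, FILTER_ID = 6, 11
ATTR_NAMES = {SERVICE_TYPE: "Service-Type", FILTER_ID: "Filter-Id"}

def encode_attr(attr_type, value):
    # Type / Length / Value; Length includes the two header bytes
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(payload):
    # Walk the attribute area, refusing malformed lengths instead of mis-parsing
    attrs, pos = [], 0
    while pos < len(payload):
        header = payload[pos:pos + 2]
        if len(header) < 2 or header[1] < 2 or pos + header[1] > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((header[0], payload[pos + 2:pos + header[1]]))
        pos += header[1]
    return attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_accept(ident, attrs, request_auth, secret):
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs

def check_accept(packet, request_auth, secret):
    # Return the attributes only if this is an Access-Accept whose Response
    # Authenticator was computed with the shared secret configured on the ACS
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    return {ATTR_NAMES.get(t, "Attr-%d" % t): v for t, v in parse_attrs(packet[20:])}

# Constructed sample reply: Service-Type 6 (Administrative-User) plus the group name
# in Filter-Id. The "group_name=" format is an assumption, not taken from the how-to.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_accept(0x2A, encode_attr(SERVICE_TYPE, struct.pack("!I", 6))
                             + encode_attr(FILTER_ID, b"group_name=admin"), REQUEST_AUTH, SECRET)
```

A reply captured from ClearPass can be fed to check_accept in the same way, with the request authenticator taken from the matching Access-Request.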
The configuration steps below will be done through the GUI.
We will also include the CLI commands, but only as a plain list, assuming enough Avocent CLI knowledge (it is a bit tricky and not very well documented).
1 Change the Security Profile so that Port Access is set to "Controlled by authorizations assigned to user groups" (above the Serial Devices paragraph) and press "Save".
2 Configure the Authentication Type to RADIUS/LOCAL in the Appliance Authentication sheet under the Authentication folder.
Note: The "Enable fallback to Local type for root user in appliance console port" option is optional, but it is strongly recommended.
VERY IMPORTANT NOTE: You can revert the change by setting the Authentication Type back to LOCAL in Appliance Authentication. It is better not to close the administration session, especially if the device is located in a remote place ;)
3 Configure Authentication Servers (again under the Authentication folder) to use your ClearPass servers as RADIUS servers, enter the necessary parameters, and then press "Save". In this example, the Authentication Server and the Accounting Server are the same machine.
Note: There is no need to enable the Service Type Attribute since the Group Authorization will be set.
4 OPTIONAL: Create a new Authorization Group to control serial access and permissions. Note: In this example, we named the Authorization Group "RadiusAdmin". If you want ALL privileges directly, you should use the predefined "admin" User Group.
It is possible to assign particular privileges using the CLI, but it is a bit tricky and time consuming.
Now the Avocent device is also configured and it is time to test your new configuration.
Please let me know if this how-to helped you.
Anyway, this is a first approach to this problem, which is very common in my organization. If people like it, the how-to improvements could be numerous: single sign-on with the remote device console will be the next one; I understand it could be very interesting. Please let me know your interest in possible how-to extensions (you could grant me Kudos, but it is only an idea ;)).
Ok, I have followed all the steps. However, when I log in with my ClearPass-authenticated AD login, ClearPass shows the right enforcement profile being followed and the enforcement policy applied, and I connect. However, when accessing the Avocent GUI I have VERY few of the options available. Also, when accessing a terminal port via SSH using IPADDRESS:PORT I am NOT allowed access, nor do I see any entries in ClearPass reflecting the attempt.
Have you done the last optional step, named 4?
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.