Security

last person joined: 21 minutes ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Clearpass with Arista CVP

This thread has been viewed 1 times
  • 1.  Clearpass with Arista CVP

    Posted Jan 07, 2019 10:58 AM

    Hi Community,

     

    i want to share with you the feedback how to get CVP (Cloudvision Portal) running with CPPM (6.7) over Tacacs+ Service. Normally you get the network-operator role if you successfully authenticate. If you need the network-admin cvp-role you need to follow these steps:

     

    Pre-Konfig:

    You have CVP configured with shared secret to CPPM

     

    Now, create a Tacacs Dictonary "Addon" to the shell.

     

    Go to Administration-> Dictonarys -> Tacacs+ Services. Mark the "shell" and Export the XML.

     

    Add the follow line

     

    <ServiceAttribute allowedValuesCsv="network-admin" dataType="String" dispName="cvp-roles" name="cvp-roles"/>

     

    above the last one:

     

       </TacacsServiceDictionary>
      </TacacsServiceDictionaries>
    </TipsContents>

     

    so it looks like:

    ...truncated...

          <ServiceAttribute allowedValuesCsv="network-admin" dataType="String" dispName="cvp-roles" name="cvp-roles"/>
        </TacacsServiceDictionary>
      </TacacsServiceDictionaries>
    </TipsContents>

     

    in the end.

    Import those XML again and make sure CPPM got it. Then Create a Tacacs+ Enforcement Profile that looks like this:

    cvp.PNG

    Be careful that you use REPLACE, otherwise it will be the default operator.

    Add this enforcement to you Tacacs Service or create a new one only for CVP.

     

    Ill hope this helps. If you want to extend the system with more roles you have to add more XML Lines, each one for a new role that matches the cvp role.

     

    Thanks to Aruba/Arista TAC.