
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

TACACS Auth Against AD with Local Database backup.

  • 1.  TACACS Auth Against AD with Local Database backup.

    Posted Nov 04, 2019 11:07 AM

    I currently have my network devices configured to point to Clearpass for TACACS auth to allow users to access and manage routers/switches.  Clearpass will get the AAA request and send it to the Windows DC to validate the Windows creds.  I ran into a problem where the Clearpass to Domain Controller communication was broken.  As a result, I couldn't authenticate properly to gain access to my network gear.  At the same time, my network gear wouldn't let me use a local account on the gear because from its perspective the AAA server was up.  How can I create an account local to the Clearpass server that we can use in the event communication between the Clearpass and Domain Controllers is down?

  • 2.  RE: TACACS Auth Against AD with Local Database backup.

    Posted Nov 04, 2019 11:55 AM

    Hello ncustod,


    In this case, what you could do is have a backup server configured for the AD in the Authsources. Two things might happen if the primary authsource (AD) goes down.


    1. If Clearpass is not able to establish a TCP session with the AD, it will realise that the AD is down, will move on to the backup AD right away, and the auth will work.

    2. If Clearpass is able to establish the TCP session, in this case you could configure the Authentication server timeout to 2 secs in the Authentication sources on Clearpass.  The default is 10 seconds; it will time out at 2 seconds and perform auth with the backup server.


    You cannot use local creds on Clearpass automatically upon the failure; the only automatic redundancy is as mentioned above. Alternatively, if you are ok with manual intervention, if the users are failing AD auth, you could create the local user accounts for them on the devices directly or on the Clearpass.  Users can use local creds on the devices to login when AD auth for them doesn't work. For the users created on the Clearpass you will need to do some configuration change on the Clearpass.

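The two failover cases in the reply above (no TCP session at all, versus a TCP session that opens but gets no answer before the 2-second timeout), as an added Python example that is not from this thread or from ClearPass. It walks an ordered list of authentication sources exactly as the reply describes, using constructed stub servers on localhost as stand-ins for the primary and backup AD; the LDAP bind request and response bytes are constructed for the demo.

```python
import socket
import threading

# Constructed anonymous LDAPv3 bind request; the probe only cares whether any reply comes back.
LDAP_BIND = bytes.fromhex("300c020101600702010304008000")

def probe_auth_source(host, port, timeout=2.0):
    """Classify one authentication source the way the failover rules above do:
    'down'    - no TCP session can be established (immediate failover),
    'timeout' - TCP session opens but no reply within `timeout` seconds,
    'up'      - the server answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(LDAP_BIND)
            try:
                return "up" if s.recv(1) else "down"
            except socket.timeout:
                return "timeout"
    except OSError:
        return "down"

def select_source(sources, timeout=2.0):
    """Walk an ordered list of (name, host, port) and return the first source
    that answers, plus the status seen for every source that was tried."""
    seen = {}
    for name, host, port in sources:
        seen[name] = probe_auth_source(host, port, timeout)
        if seen[name] == "up":
            return name, seen
    return None, seen

def start_stub_server(reply):
    """Constructed stand-in for a directory server on 127.0.0.1: accepts the TCP
    session and answers with `reply`, or, when reply is None, holds the session
    open silently (the 'DC reachable but not responding' case). Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []  # silent connections are kept open rather than closed

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.recv(1024)
            if reply is None:
                held.append(conn)
            else:
                conn.sendall(reply)
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    primary = start_stub_server(None)  # AD: TCP session opens, never answers
    backup = start_stub_server(bytes.fromhex("300c02010161070a010004000400"))  # bind success
    print(select_source([("AD", "127.0.0.1", primary), ("Backup AD", "127.0.0.1", backup)]))
```

With the primary stub silent, the walk reports the primary as a timeout and settles on the backup; pointing the primary at a closed port instead reports it as down and fails over without waiting out the timeout.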
  • 3.  RE: TACACS Auth Against AD with Local Database backup.

    Posted Nov 08, 2019 09:51 AM

    So I can't create a local user account. 

    Add local (local user repository) DB as an authentication source under the TACACS service then create a role for that condition and position it at number one?