Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Clearpass VS Cisco ACS/ISE - TACACS

  • 1.  Clearpass VS Cisco ACS/ISE - TACACS

    Posted Jun 01, 2020 05:03 AM

    Hi All, 

     

    In Cisco ACS/ISE, enable password is configured other the local username. It's simply an option there. 

     

    In ClearPass 6.7 (which I have in my lab) we have to create 2 authentication sources (if we want enable and user password to be different). Need to ask if it's changed for the better in 6.9, or do we have to follow the exact same workflow? 

     

    I am currently doing a PoC and the customer is surprised as to why this is not possible with ClearPass.



  • 2.  RE: Clearpass VS Cisco ACS/ISE - TACACS

    Posted Jun 02, 2020 03:15 AM

    It is not possible to enter two passwords for an internal user in 6.9, so you can achieve the goal with two authentication sources (and two separate services) as you mentioned.

     

    We see most customers moving away from the additional enable password as the end-user experience is poor (why enter 2 passwords) and it is not supported on all equipment, which makes it hard to implement the same access procedure everywhere.

     

    Please share your thoughts on this with your local Aruba SE, here, and/or open an Innovation Zone request.



  • 3.  RE: Clearpass VS Cisco ACS/ISE - TACACS

    Posted Jun 02, 2020 03:27 AM
    Dear Herman,

    I would defend the ClearPass way by saying it's more secure to have 2 passwords
    saved at 2 different locations, giving you the benefit that if one auth
    source is compromised, the core switch/boxes are not compromised.

    But Cisco pets moving from ACS will follow the workflow regardless of what you
    tell them.


  • 4.  RE: Clearpass VS Cisco ACS/ISE - TACACS

    Posted Jun 02, 2020 01:38 PM

    Well, if it is this kind of customer, there is only one option: go to the next customer who is open for a discussion with someone who knows what to do. 

     

    I know it is hard, but to be honest, if you are in such a customer situation, why should this customer ever buy something different than Cisco, so your valuable time is wasted. 

     

    Nevertheless, I hope you are able to convince the customer and show him the benefits of ClearPass in comparison to competitive products. 

     

    Just my 2 cents



  • 5.  RE: Clearpass VS Cisco ACS/ISE - TACACS

    Posted Jun 02, 2020 02:20 PM
    I totally agree, but this statement was not specifically targeted at this
    customer (at least for now :)) since they are evaluating with us and let's
    see how it settles down.

    But for the ClearPass Team, I don't think it's much of a deal to give an enable
    password option so that ppl migrating from ACS could feel at home. I would
    blame (cough) the CPPM team too for this :). They shouldn't be too rigid to roll
    out basic things such as this.