Security

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
TACACS for Management Users on Aruba Controller not matching VSA

  • 1.  TACACS for Management Users on Aruba Controller not matching VSA

    Posted Jan 24, 2014 10:47 AM

    Scenario

    Using TACACS for mgmt user access, I always get root access regardless of what is sent back from CPPM; read-only does not work as it should.

    I have a controller running AOS 6.1.34, configured for TACACS to auth the mgmt users.

    ----------------  AOS config --------------

    aaa authentication-server tacacs "10.254.5.21"
       host 10.254.5.21
       key b8059de7fd5ba7390bf9256f791c9d61d2b11b7e69e07117
       session-authorization
    !
    aaa authentication mgmt
       server-group "tacacs"
       enable
    !

    ----------------  end AOS config --------------

     

    On ClearPass I can see the auth request hit Access Tracker, and I see that it is using the standard [Aruba TACACS Read-Only Access] enforcement profile.

    For a user that is not an admin I get full access when I log into the controller. When I use an admin account it works as expected.

    Questions:

    1. What is the logging to see the admin user log in and the attributes sent back from ClearPass, to confirm that the controller is receiving what Access Tracker says is sent?

    2. Did I miss something in the config?



  • 2.  RE: TACACS for Management Users on Aruba Controller not matching VSA

    Posted Jan 24, 2014 11:01 AM

    Did you add the TACACS server to the server group?

    Also, you can try enabling these debug commands:

    logging level debugging security process authmgr subcat aaa
    logging level debugging security process aaa subcat aaa

    show log security



  • 3.  RE: TACACS for Management Users on Aruba Controller not matching VSA

    Posted Jan 24, 2014 11:29 AM

    Yeah, the CPPM is set up with a shared secret, the TACACS server on the controller is pointed to CPPM, and under MANAGEMENT > Administration the TACACS server is added as a server group (proved by Access Tracker showing requests from the controller).

    I will check the aaa logs.



  • 4.  RE: TACACS for Management Users on Aruba Controller not matching VSA

    Posted Jan 24, 2014 11:46 AM

    So from the security logs you can see that itadmin gets a VSA of root and engineer gets a VSA of read-only, but both users have full access to the web UI.

    Is there a way to check and see the admin users like you can for the wireless users? "show user" or "show user internal" shows nothing.

    ----------  start clip -----------

     

    Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:440] tac_authen_pap_read: authentication ok
    Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:270] tac_author_pap_send: user 'itadmin'(mgmt user), tty 'tty0', rem_addr '172.16.199.165', encrypt: yes
    Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:341] tac_author_pap_send: written message of size 75
    Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:706] TACACS server 10.254.5.21-10.254.5.21-49 response on port 75
    Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:556] Total 1 args in author response
    Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:574] tac_author_pap_read: authorization ok
    Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:581] tac_author_pap_read: Aruba-Admin-Role: root
    Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:595] tac_author_pap_read: Aruba-Admin-Role AVP created
    Jan 21 05:35:37 :121031:  <DBUG> |authmgr| |aaa| [rc_sequence.c:107] seq_num_timeout_handler: Freed 0 entries
    Jan 21 05:35:40 :126005:  <WARN> |wms| |ids| Interfering AP: The system classified an access point (BSSID 24:de:c6:55:ad:98 and SSID dba7c7ce8f87f3aa0953b14a613c55a on CHANNEL 36) as interfering. Additional Info: Detector-AP-Name:d8:c7:c8:ca:1e:01; Detector-AP-MAC:d8:c7:c8:21:e0:18; Detector-AP-Radio:1.
    Jan 21 05:35:41 :126005:  <WARN> |wms| |ids| Interfering AP: The system classified an access point (BSSID 24:de:c6:55:ad:9a and SSID employee202-70 on CHANNEL 36) as interfering. Additional Info: Detector-AP-Name:d8:c7:c8:ca:1e:01; Detector-AP-MAC:d8:c7:c8:21:e0:18; Detector-AP-Radio:1.
    Jan 21 05:35:47 :121031:  <DBUG> |authmgr| |aaa| [rc_sequence.c:107] seq_num_timeout_handler: Freed 0 entries
    Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:91] tac_authen_pap_send: user 'engineer'(mgmt user), tty 'tty0', rem_addr '172.16.199.165', encrypt: yes
    Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:162] tac_authen_pap_send: written message of size 51
    Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:706] TACACS server 10.254.5.21-10.254.5.21-49 response on port 75
    Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:440] tac_authen_pap_read: authentication ok
    Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:270] tac_author_pap_send: user 'engineer'(mgmt user), tty 'tty0', rem_addr '172.16.199.165', encrypt: yes
    Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:341] tac_author_pap_send: written message of size 76
    Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:706] TACACS server 10.254.5.21-10.254.5.21-49 response on port 75
    Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:556] Total 1 args in author response
    Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:574] tac_author_pap_read: authorization ok
    Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:581] tac_author_pap_read: Aruba-Admin-Role: read-only
    Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:595] tac_author_pap_read: Aruba-Admin-Role AVP created
    Jan 21 05:35:57 :121031:  <DBUG> |authmgr| |aaa| [rc_sequence.c:107] seq_num_timeout_handler: Freed 0 entries
    Jan 21 05:36:37 :121031:  <DBUG> |authmgr| |aaa| [rc_sequence.c:107] seq_num_timeout_handler: Freed 0 entries

     

    ------------  end clip ---------



  • 5.  RE: TACACS for Management Users on Aruba Controller not matching VSA

    Posted Jan 24, 2014 12:20 PM

    You can try:

    show loginsessions


    (south-7240-local1) #show loginsessions
    
    Session Table
    -------------
    ID  User Name  User Role  Connection From  Idle Time  Session Time
    --  ---------  ---------  ---------------  ---------  ------------
    1   cappalli   root       129.x.x.x      00:00:00   00:23:17

     



  • 6.  RE: TACACS for Management Users on Aruba Controller not matching VSA

    Posted Jan 24, 2014 12:47 PM

    Interesting: after a reboot of the controller the read-only access restrictions are working.

    Before they were not.

    But you can see that CPPM is sending back the right VSA (role).

    ----------  clip from cli ----------

     

    (P3Controller1) #show loginsessions

    Session Table
    -------------
    ID  User Name  User Role  Connection From  Idle Time  Session Time
    --  ---------  ---------  ---------------  ---------  ------------
    1   admin      root       EIA-232          00:00:00   00:00:31
    2   itadmin    root       172.16.199.249   00:00:00   00:00:47

    (P3Controller1) #show loginsessions

    Session Table
    -------------
    ID  User Name  User Role  Connection From  Idle Time  Session Time
    --  ---------  ---------  ---------------  ---------  ------------
    1   admin      root       EIA-232          00:00:00   00:02:02
    2   engineer   read-only  172.16.199.249   00:00:09   00:00:58

    (P3Controller1) #show loginsessions

    Session Table
    -------------
    ID  User Name  User Role  Connection From  Idle Time  Session Time
    --  ---------  ---------  ---------------  ---------  ------------
    1   admin      root       EIA-232          00:00:00   00:04:11
    2   test       read-only  172.16.199.249   00:00:12   00:00:22

    (P3Controller1) #

     

    ----------  end clip ---------
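    As an added example (not code from any poster in this thread), the following Python cross-checks the two artefacts the thread relies on: the Aruba-Admin-Role returned per user in the authmgr debug log, and the effective role shown by "show loginsessions". The log lines are the ones posted above; the session table is constructed to reproduce the pre-reboot symptom, where engineer holds a root session despite a read-only authorization.

```python
import re
from typing import Dict, List, Tuple

# Debug lines in the shape posted in the thread (authmgr/aaa output after
# "logging level debugging security process authmgr subcat aaa").
SAMPLE_SECURITY_LOG = """\
Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:270] tac_author_pap_send: user 'itadmin'(mgmt user), tty 'tty0', rem_addr '172.16.199.165', encrypt: yes
Jan 21 05:35:27 :122020:  <DBUG> |authmgr| |aaa| [authen.c:581] tac_author_pap_read: Aruba-Admin-Role: root
Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:270] tac_author_pap_send: user 'engineer'(mgmt user), tty 'tty0', rem_addr '172.16.199.165', encrypt: yes
Jan 21 05:35:51 :122020:  <DBUG> |authmgr| |aaa| [authen.c:581] tac_author_pap_read: Aruba-Admin-Role: read-only
"""

# Constructed "show loginsessions" table reproducing the pre-reboot symptom:
# "engineer" was authorized read-only but holds a root session.
SAMPLE_LOGINSESSIONS = """\
ID  User Name  User Role  Connection From  Idle Time  Session Time
--  ---------  ---------  ---------------  ---------  ------------
1   admin      root       EIA-232          00:00:00   00:02:02
2   itadmin    root       172.16.199.249   00:00:00   00:00:47
3   engineer   root       172.16.199.249   00:00:09   00:00:58
"""

AUTHOR_SEND = re.compile(r"tac_author_pap_send: user '([^']+)'\(mgmt user\)")
ROLE_READ = re.compile(r"tac_author_pap_read: Aruba-Admin-Role: (\S+)")

def authorized_roles(log: str) -> Dict[str, str]:
    """Map each mgmt user to the Aruba-Admin-Role the TACACS server returned.
    The role line names no user, so pair it with the preceding author_send."""
    roles, pending = {}, None
    for line in log.splitlines():
        if m := AUTHOR_SEND.search(line):
            pending = m.group(1)
        elif (m := ROLE_READ.search(line)) and pending:
            roles[pending] = m.group(1)
            pending = None
    return roles

def active_sessions(table: str) -> List[Tuple[str, str]]:
    """Return (user, effective role) pairs from 'show loginsessions' rows."""
    rows = [line.split() for line in table.splitlines()]
    return [(p[1], p[2]) for p in rows if len(p) == 6 and p[0].isdigit()]

def role_mismatches(log: str, table: str) -> List[Tuple[str, str, str]]:
    """(user, authorized role, effective role) for sessions that disagree;
    local accounts with no TACACS exchange in the log are skipped."""
    roles = authorized_roles(log)
    return [(u, roles[u], eff) for u, eff in active_sessions(table)
            if u in roles and roles[u] != eff]
```

    Run against a real "show log security" and "show loginsessions" capture, an empty result means the controller enforced the role the server sent; any entry is a session to terminate and investigate.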



  • 7.  RE: TACACS for Management Users on Aruba Controller not matching VSA

    Posted Jul 29, 2015 02:09 PM

    I'm also facing the same issue, but with a Cisco ACS server. On Aruba controllers the user gets root access only. Apart from a reboot, is there any other way to solve this issue?


    @kkutz@kutztraining.com wrote:

    Interesting: after a reboot of the controller the read-only access restrictions are working.

    Before they were not.

    But you can see that CPPM is sending back the right VSA (role).

    ----------  clip from cli ----------

     

    (P3Controller1) #show loginsessions

    Session Table
    -------------
    ID  User Name  User Role  Connection From  Idle Time  Session Time
    --  ---------  ---------  ---------------  ---------  ------------
    1   admin      root       EIA-232          00:00:00   00:00:31
    2   itadmin    root       172.16.199.249   00:00:00   00:00:47

    (P3Controller1) #show loginsessions

    Session Table
    -------------
    ID  User Name  User Role  Connection From  Idle Time  Session Time
    --  ---------  ---------  ---------------  ---------  ------------
    1   admin      root       EIA-232          00:00:00   00:02:02
    2   engineer   read-only  172.16.199.249   00:00:09   00:00:58

    (P3Controller1) #show loginsessions

    Session Table
    -------------
    ID  User Name  User Role  Connection From  Idle Time  Session Time
    --  ---------  ---------  ---------------  ---------  ------------
    1   admin      root       EIA-232          00:00:00   00:04:11
    2   test       read-only  172.16.199.249   00:00:12   00:00:22

    (P3Controller1) #

     

    ----------  end clip ---------