Security

last person joined: 13 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Drop Cisco IOS user directly in to priv 15 / enable mode w/ ClearPass

Jump to Best Answer
  • 1.  Drop Cisco IOS user directly in to priv 15 / enable mode w/ ClearPass

    Posted Dec 10, 2020 08:10 PM

    Hi there,

    I am attempting to create a service within ClearPass that permits or denies certain commands for Cisco IOS users using TACACs.

    The command Authorization works great, some commands are permitted, some are denied.

    But my issues is that I can't get users to be dropped directly in to priv 15 / enabled mode like I am able to with Cisco ISE.

    Switch Config:

    aaa group server tacacs+ CLEARPASS-TACACS
    server name CLEARPASS1
    server name CLEARPASS2
    ip vrf forwarding NMS
    ip tacacs source-interface Vlan10
    !
    aaa authentication login default group CLEARPASS-TACACS local
    aaa authentication enable default group CLEARPASS-TACACS enable
    aaa authorization config-commands
    aaa authorization exec deafult group CLEARPASS-TACACS local if-authenticated
    aaa authorization commands 1 default group CLEARPASS-TACACS local if-authenticated
    aaa authorization commands 15 default group CLEARPASS-TACACS local if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group CLEARPASS-TACACS
    aaa accounting commands 15 default start-stop group CLEARPASS-TACACS
    aaa accounting connection default start-stop group CLEARPASS-TACACS
    aaa accounting system default start-stop group CLEARPASS-TACACS
    !
    tacacs server CLEARPASS1
    address ipv4 10.0.10.22
    key 7 xxxxxx
    tacacs server CLEARPASS2
    address ipv4 10.0.10.21
    key 7 xxxxxx
    !
    !
    !
    !
    line con 0
    line vty 5 15

    Below is the Enforcement Profile that my user is hitting:

    Aruba ClearPass Cisco IOS TACACs Profile
    I ran a 'debug AAA Authorization' on the Cisco switch.
    Lines 1 and 2 are displayed when I log in (still in user exec priv1).
    Lines 3 - 7 are displayed when I type 'enable' and successfully enter my password

    1 Mar 30 04:17:26.400: AAA/BIND(0000002D): Bind i/f
    2 Mar 30 04:17:26.467: AAA/AUTHOR (0000002D): Method list id=0 not configured. Skip author
    3 Mar 30 04:17:28.656: AAA/AUTHOR: auth_need : user= 'jdoe' ruser= 'switch2'rem_addr= '10.0.0.52' priv= 0 list= '' AUTHOR-TYPE= 'commands'
    4 Mar 30 04:17:28.656: AAA: parse name=tty3 idb type=-1 tty=-1
    5 Mar 30 04:17:28.656: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
    6 Mar 30 04:17:28.665: AAA/MEMORY: create_user (0x40B03A4) user='jdoe' ruser='NULL' ds0=0 port='tty3' rem_addr='10.0.0.52' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
    7 Mar 30 04:17:31.248: AAA/MEMORY: free_user (0x40B03A4) user='jdoe' ruser='NULL' port='tty3' rem_addr='10.0.0.52' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)​


    Anybody able to tell me what I am missing?

    I only want users of THIS Enforcement profile to be granted Priv 15 immediately. I have other users which I am happy for them to stay locked down in Priv 1, as that is all they are granted.




    ------------------------------
    Regards,

    BrettVerney
    ------------------------------


  • 2.  RE: Drop Cisco IOS user directly in to priv 15 / enable mode w/ ClearPass

    Posted Dec 13, 2020 06:25 PM
    It might be that despite your TACACS attribute the switch is only applying priv level 1. Could you double check the value that IOS is expecting to see in the response e.g. case sensitive? If it is incorrect then the switch might be silently ignoring that attribute.






  • 3.  RE: Drop Cisco IOS user directly in to priv 15 / enable mode w/ ClearPass
    Best Answer

    Posted 13 days ago
    OK this is embarrassing.

    There was a typo trying to reference one of the default method lists:

    aaa authorization exec deafult group CLEARPASS-TACACS local if-authenticated​

    I spelt 'default' wrong, so it was looking for a method list that didn't exist!

    I fixed this and now users are dropped in to the correct privilege level.

    -Brett

    ------------------------------
    Regards,

    BrettVerney
    ------------------------------