Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

TACACS + cppm VIP = no Access Tracker logging

  • 1.  TACACS + cppm VIP = no Access Tracker logging

    MVP EXPERT
    Posted Jan 25, 2022 09:18 AM
    Hi,
    I use TACACS to auth to our Airwave appliance and our switches, using CPPM 6.10.2.

    This all works just fine when I point the devices at the IP address associated with the mgmt interface on our cluster members, and I can see entries in Access-Tracker for my TACACS logins.

    I'm now looking at configuring TACACS+ auth for all our ArubaOS 6.5 mobility controllers using ClearPass VIPs instead of the interface IP addresses. This also works, but I'm unable to see any Access-Tracker entries for the auths.

    1). In the service list I can see the hit count for my mobility controller TACACS service incrementing every time I log onto my test controller
    2). In Monitoring/Accounting I can see an entry for my cppm (admin) username
    3). No entry in Access-Tracker for my auth request

    Access-Tracker is set to display all auths from all cluster members.

    I'm going to test this by setting up the controller to use a physical IP address, but do suspect I'll then see the auth records in Access-Tracker ... unless there's another config item that needs changing

    A

    ------------------------------
    Alex Sharaz
    ------------------------------


  • 2.  RE: TACACS + cppm VIP = no Access Tracker logging

    MVP EXPERT
    Posted Jan 25, 2022 09:26 AM
    ... and changing to using an interface IP has made no difference, still can't see an Access-Tracker record for the mobility controller

    ------------------------------
    Alex Sharaz
    ------------------------------



  • 3.  RE: TACACS + cppm VIP = no Access Tracker logging

    EMPLOYEE
    Posted Jan 26, 2022 07:30 AM
    Could it be that you have selected the Access Tracker on a specific node, or zone which does not include the server where the TACACS+ authentication ends up on?
    If you can authenticate, and it does not show in Access Tracker, that is something I would worry about. If there are no filters active, and you are sure that you see the Access Tracker for the node where the authentication happens, please open a TAC case.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: TACACS + cppm VIP = no Access Tracker logging

    MVP EXPERT
    Posted Jan 26, 2022 08:11 AM
    Replicated service on home system, same ClearPass config, but against an ArubaOS 8.9 MM/MD setup ... works just fine.

    Access Tracker shows TACACS for other services, just not this one.

    Also noticed that if I want to create a new service, instead of being asked to select service type, it hits direct to configuring a RADIUS one.

    A






  • 5.  RE: TACACS + cppm VIP = no Access Tracker logging

    EMPLOYEE
    Posted Jan 31, 2022 10:02 AM
    Could it be that you don't have active Access Licenses? TACACS+ requires Access Licenses.

    ------------------------------
    Herman Robers
    ------------------------------



  • 6.  RE: TACACS + cppm VIP = no Access Tracker logging

    MVP EXPERT
    Posted Jan 31, 2022 10:06 AM
    Nope,

    Lots of active access licenses

    Going to raise a TAC case after I’ve upgraded to 6.10.3 tomorrow


    Could be something really silly

    A




  • 7.  RE: TACACS + cppm VIP = no Access Tracker logging

    MVP EXPERT
    Posted Feb 03, 2022 11:01 AM
    Annoyingly, upgraded from 6.10.2 -> 6.10.3 …… and TACACS auths from the controller are now visible in Access-Tracker.

    Whether it was the reboot that did it or the upgrade, don’t know but everything working fine now … well from a TACACS point of view
    A