Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

ClearPass TACACS+ Login for Cisco ACI Fabric

  • 1.  ClearPass TACACS+ Login for Cisco ACI Fabric

    MVP
    Posted Feb 18, 2021 02:30 PM
    Hi all,

    We are deploying Cisco's ACI Fabric and wanted to setup TACACS+ login using ClearPass, but struggling to figure out the proper TACACS+ response for the environment. We don't have any custom roles in ACI, here is what we were able to find in the ACI config:

      rbac role "ops"
        priv ops
        exit
      rbac role "nw-svc-admin"
        priv nw-svc-device,nw-svc-devshare,nw-svc-policy
        exit
      rbac role "nw-svc-params"
        priv nw-svc-params
        exit
      rbac role "admin"
        priv admin
        exit

    We have a working Cisco Prime Infrastructure environment leveraging RADIUS login and they reference NCS Roles, which includes:

    Radius:Cisco Cisco-AVPair = NCS:role0=Help desk Admin

    I tried setting up a similar profile referring to RBAC Roles such as:

    Shell cisco-av-pair = rbac:role=admin

    Unfortunately this did not work. Does anybody have experience with ACI TACACS+ setup in ClearPass?

    Thanks for the help!

    ------------------------------
    Michael Haring
    ------------------------------


  • 2.  RE: ClearPass TACACS+ Login for Cisco ACI Fabric
    Best Answer

    MVP
    Posted Feb 19, 2021 02:26 AM

    Hi Michael,

    I don't have much experience with Cisco ACI, however what I would suggest is to import the RADIUS dictionary of the ACI into the RADIUS dictionary on ClearPass, under Administration > Dictionaries > RADIUS.
    From what I saw on ISE with ACI integration, TACACS external logging is configured through the REST API, where you create a destination group:

    Maybe this link can be helpful: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/rest_cfg/2_1_x/b_Cisco_APIC_REST_API_Configuration_Guide.pdf
    and
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_Configuring_TACACS_RADIUS_LDAP_for_ACI_Access.html#task_D0D8572AB60745F1BFEFE0A2800A1749

    Also, when configuring with ISE usually the assigned role has a shell command of:

    shell:domains = all/admin/
    or
    shell:domains = all/read-all/

    Hope this might have been helpful.



    ------------------------------
    Shpat Berzati
    Network & Systems Integrator
    InterAdria
    Prishtina Kosovo
    +38345945000
    ------------------------------



  • 3.  RE: ClearPass TACACS+ Login for Cisco ACI Fabric

    MVP
    Posted Feb 19, 2021 09:44 AM
    That worked, that was the exact documentation I needed. Thanks for the help!

    ------------------------------
    Michael Haring

    Kudos is always appreciated!
    ------------------------------



  • 4.  RE: ClearPass TACACS+ Login for Cisco ACI Fabric

    Posted Oct 05, 2022 10:45 AM
    Hello,
    How did your enforcement profile end up looking? I'm really struggling, got it to work with ISE and regular Windows NPS, but not with ClearPass..


  • 5.  RE: ClearPass TACACS+ Login for Cisco ACI Fabric

    MVP
    Posted Oct 05, 2022 11:09 AM
    Our enforcement profile is Priv level 1 (normal), Selected services = Shell, Authorize attribute status = Add, then in the lower portion, it is Shell cisco-av-pair = shell:domains=all/admin/

    Hopefully that helps!

    ------------------------------
    Michael Haring
    ------------------------------
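    The `shell:domains=all/admin/` attribute from the reply above, parsed and sanity-checked in Python before it goes into an enforcement profile. This is an added example, not code from the thread, ClearPass or Cisco; it assumes the general Cisco ACI value format `shell:domains=<domain>/<write roles>/<read roles>` with `|` between roles and `,` between domains, and it treats the role names from the config quoted in the first post (plus ACI's built-in `read-all`) as the known role set.

```python
"""Parse and review Cisco ACI 'shell:domains' AV-pair values.

Assumed format (generalised from the thread's 'shell:domains=all/admin/'):
    shell:domains=<domain>/<writeRole1|writeRole2>/<readRole1|readRole2>[,<domain>/...]
"""
import re
from dataclasses import dataclass, field
from typing import List

# Role names taken from the 'rbac role' config quoted in the thread, plus
# ACI's built-in read-only role. Extend this set for custom roles.
KNOWN_ROLES = {"ops", "nw-svc-admin", "nw-svc-params", "admin", "read-all"}


@dataclass
class DomainGrant:
    domain: str
    write_roles: List[str] = field(default_factory=list)
    read_roles: List[str] = field(default_factory=list)


def parse_shell_domains(av_pair: str) -> List[DomainGrant]:
    """Turn 'shell:domains=all/admin/' into structured per-domain grants."""
    m = re.fullmatch(r"\s*shell:domains\s*=\s*(.*?)\s*", av_pair)
    if not m:
        raise ValueError(f"not a shell:domains AV-pair: {av_pair!r}")
    grants = []
    for chunk in m.group(1).split(","):
        parts = chunk.strip().split("/")
        # Exactly three fields are required; an empty read or write list is fine.
        if len(parts) != 3 or not parts[0]:
            raise ValueError(f"malformed domain entry: {chunk!r}")
        domain, write, read = parts
        grants.append(DomainGrant(domain,
                                  [r for r in write.split("|") if r],
                                  [r for r in read.split("|") if r]))
    return grants


def check_grants(grants: List[DomainGrant], known_roles=KNOWN_ROLES) -> List[str]:
    """Return review findings: roles ACI would not recognise, and broad write access."""
    findings = []
    for g in grants:
        for role in g.write_roles + g.read_roles:
            if role not in known_roles:
                findings.append(f"unknown role '{role}' in domain '{g.domain}'")
        if g.domain == "all" and "admin" in g.write_roles:
            findings.append("write role 'admin' on domain 'all' grants full fabric control")
    return findings
```

    A typo in the role name produces an "unknown role" finding instead of a silent login with no privileges on the APIC.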



  • 6.  RE: ClearPass TACACS+ Login for Cisco ACI Fabric

    Posted Oct 05, 2022 11:14 AM
    Thanks :) I actually just made it work earlier today :)
