You're welcome and thank you! Didn't know that there is also a fail-through for authorization ...
Original Message:
Sent: Jun 17, 2025 04:02 AM
From: AH18
Subject: Aruba central's user don't have authorization for some commands.
I tried to upgrade it.
This is how I encountered this problem. The upgrade procedure is one of the commands it tries to get authorization approved for from the TACACS.
When I deleted the TACACS commands, it was successfully upgraded.
By the way, your advice of adding this command: "Try 'aaa authentication allow-fail-through'" was helpful.
Only I used this command with the keyword 'Authorization' instead of 'Authentication'.
------------------------------
Best regards,
Alon Haber
Original Message:
Sent: Jun 16, 2025 10:17 AM
From: upsisworld
Subject: Aruba central's user don't have authorization for some commands.
Ok, understood,
So, that means the switch tries to do command authorization for commands that are executed by a local user. Questionable if this works as intended ...
Did you have an opportunity to upgrade the firmware of your switches?
But again: if you do not need or use command authorization just leave it out of the configuration ...
------------------------------
Greez,
Uli
Original Message:
Sent: Jun 16, 2025 09:07 AM
From: AH18
Subject: Aruba central's user don't have authorization for some commands.
It wasn't on the Access tracker.
I see it in the "Event Viewer".
You can see here the message :

There are some commands that trigger the Central to do it with the local admin user.
I even opened a TAC request and they said it is true, here is a quote from this case:
"
1. Commands like reboot, firmware upgrade, and certain configuration changes are considered system-level operations.
2. Aruba Central often executes these using the local admin account because it guarantees full access without relying on external authentication servers like TACACS.
3. Aruba Central automates tasks using pre-defined roles and credentials.
4. If the switch is configured to use TACACS for command authorization, and Central tries to execute commands as admin, the mismatch causes failures unless admin is explicitly allowed in ClearPass.
"
------------------------------
Best regards,
Alon Haber
Original Message:
Sent: Jun 16, 2025 08:00 AM
From: upsisworld
Subject: Aruba central's user don't have authorization for some commands.
Do you really see TACACS requests with user admin and remote IP from Central in Clearpass? Normally, Central uses REST API for altering switch configuration.
I tried even a firmware upgrade after removing fail-through and there was no request to Clearpass. I dare the command authorization was your main problem.
------------------------------
Greez,
Uli
Original Message:
Sent: Jun 16, 2025 07:35 AM
From: AH18
Subject: Aruba central's user don't have authorization for some commands.
Thanks again for your reply.
I have another thing, maybe you could clarify for me.
If Aruba Central uses my "admin" local user, would adding this user to Active Directory as a user with permissions fix the problem as well?
------------------------------
Best regards,
Alon Haber
Original Message:
Sent: Jun 16, 2025 05:55 AM
From: upsisworld
Subject: Aruba central's user don't have authorization for some commands.
Hi Alon,
if you don't need authorization of commands, i.e. there are no users who are only allowed to use certain commands, you can leave it out.
Fail-through means that even if TACACS answered with allow or deny the switch will go through all authentication targets you specified with 'aaa authentication login default group'. Without fail-through the switch would do this only if TACACS fails to answer ...
------------------------------
Greez,
Uli
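
The fail-through behaviour discussed in this message, as an added example (not code from the thread or from Aruba): a small model of how a method list such as `CP-Server-Group local` is walked for one command. It assumes that an allow ends the walk, that a deny ends it only when fail-through is off, and that a missing answer always moves on to the next method; the `Reply` values, function names and scenarios are constructed for illustration.

```python
from enum import Enum

class Reply(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NO_RESPONSE = "no-response"  # server unreachable or timed out

def parse_method_list(line):
    """Ordered methods from an 'aaa ... group <methods>' line as posted in the thread."""
    tokens = line.split()
    if "group" not in tokens:
        raise ValueError("no method list in: " + line)
    return tokens[tokens.index("group") + 1:]

def decide(methods, replies, fail_through):
    """Walk the method list; return (decision, method that produced it)."""
    for method in methods:
        reply = replies.get(method, Reply.NO_RESPONSE)
        if reply is Reply.ALLOW:
            return Reply.ALLOW, method
        if reply is Reply.DENY and not fail_through:
            return Reply.DENY, method
        # NO_RESPONSE, or DENY with fail-through enabled: try the next method
    return Reply.DENY, None

METHODS = parse_method_list(
    "aaa authorization commands default group CP-Server-Group local")

# Constructed scenarios: the answer each method would give for one command.
SCENARIOS = {
    "local admin unknown to ClearPass":
        {"CP-Server-Group": Reply.DENY, "local": Reply.ALLOW},
    "ClearPass unreachable":
        {"CP-Server-Group": Reply.NO_RESPONSE, "local": Reply.ALLOW},
    "operator restricted in ClearPass, same name exists locally":
        {"CP-Server-Group": Reply.DENY, "local": Reply.ALLOW},
    "user denied by ClearPass, no local account":
        {"CP-Server-Group": Reply.DENY, "local": Reply.DENY},
}

def run_all():
    """Evaluate every scenario with fail-through off and on."""
    return {(name, ft): decide(METHODS, replies, ft)
            for name, replies in SCENARIOS.items() for ft in (False, True)}

if __name__ == "__main__":
    for (name, ft), (decision, by) in run_all().items():
        print(f"{name:58} fail-through={ft!s:5} -> {decision.value} ({by})")
```

In this model the third scenario is the trade-off to weigh before leaving fail-through enabled: a deny from ClearPass is no longer final when a local account with the same name permits the command.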
Original Message:
Sent: Jun 16, 2025 04:46 AM
From: AH18
Subject: Aruba central's user don't have authorization for some commands.
Hi,
Thank you both.
I tried your second suggestion, and it worked.
I was wondering if there's any reason to get it back. Trying to understand the consequences if I leave it like this.
About your first suggestion, would it fall back on the authentication as well? Meaning, Clearpass is available, and it would fall back to the local users to access the switch?
------------------------------
Best regards,
Alon Haber
Original Message:
Sent: Jun 13, 2025 09:13 AM
From: upsisworld
Subject: Aruba central's user don't have authorization for some commands.
Hi Alon,
IMHO there are two possibilities:
- Try 'aaa authentication allow-fail-through'
- Remove 'aaa authorization commands default group CP-Server-Group local' as long as you have to upgrade your switches and try again with command authorization later.
We use the same constellation without any issues.
If it does not help do it like Carson already mentioned: call TAC.
------------------------------
Greez,
Uli
Original Message:
Sent: Jun 12, 2025 04:57 AM
From: AH18
Subject: Aruba central's user don't have authorization for some commands.
Hi all,
I have an issue with integration between Central and TACACS access for the switches.
I have login access with TACACS for my switches - Clearpass is used as TACACS server.
Aruba Central is trying to access with my admin local user. Most things are working properly.
The problem is that there are some commands that the switch is sending to the Clearpass for authorization approval. And since the admin user is not a valid user for the Clearpass, it rejects the command.

The biggest problem is that I can't upgrade the switch, as one of the commands that ClearPass rejects is related to the upgrade procedure.
Here are my TACACS commands:
tacacs-server host X.X.X.X key ciphertext AQBapWe0BB8QSs2liwjXXnbwEu21yBMoZptuP193OCvoYmBwCAAAAOaFePFRBeYe
tacacs-server host X.X.X.Y key ciphertext AQBapWe0BB8QSs2liwjXXnbwEu21yBMoZptuP193OCvoYmBwCAAAAOaFePFRBeYe
tacacs-server host X.X.X.X vrf mgmt
tacacs-server host X.X.X.Y vrf mgmt
!
aaa group server tacacs CP-Server-Group
    server 10.213.3.130 vrf mgmt
    server 10.213.3.120 vrf mgmt
!
!
aaa authentication login console group local
aaa authentication login default group CP-Server-Group local
aaa authorization commands console group local
aaa authorization commands default group CP-Server-Group local
aaa accounting all-mgmt default start-stop group CP-Server-Group
!
Thanks for your help.
------------------------------
Best regards,
Alon Haber
------------------------------