Security

 View Only
last person joined: 18 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Authorization using TACACS+

This thread has been viewed 30 times
  • 1.  Authorization using TACACS+

    Posted May 18, 2023 09:22 AM

    Attempting to use TACACS for authenticate/authorization with our OpenGear console server. I am able to Authenticate without issues but Authorization keep failing. I am getting message that raccess is not enabled, and no enforcement profiles matched to perform command authorization. I have created enforcement profile though using raccess service. Screenshots below are from Access Tracker session details:


    Appreciate any help that can be provide.



  • 2.  RE: Authorization using TACACS+

    Posted May 18, 2023 10:03 AM

    Is the Service not enabled?




  • 3.  RE: Authorization using TACACS+

    Posted May 18, 2023 12:17 PM

    Service is enabled and just realized I am getting authorization to work for the group I want it to but when a user who should not be able to access device attempts to they are getting authenticated and though authorization is failing, and they are able to access the device. They get assigned [other] role and TACACS+ deny Profile should be enforced. 




  • 4.  RE: Authorization using TACACS+

    Posted May 18, 2023 01:59 PM

    Based on that screenshot, ClearPass is responding with the Deny.  So the OpenGear seems not to be listening to that or doesn't know what to do with it.  What do the OpenGear logs say?  What TACACS+ attributes does the OpenGear require?




  • 5.  RE: Authorization using TACACS+

    Posted May 20, 2023 10:58 AM

    Make sure to enable the "Use Remote Groups"  in the Authentication section of the Serial & Network configuration.

     

     

    Chris Hart

     






  • 6.  RE: Authorization using TACACS+

    Posted May 22, 2023 06:57 AM

    Thank you, was a setting on OpenGear that needed to be made. They had a a netgrp that automatically provided admin permissions, once group was disabled authorization was working.