Hi
One of the new features in ClearPass 6.11 is the option to configure multiple TACACS+ server addresses instead of just one.
The TACACS+ server must send the correct attributes back to ClearPass; compare with the standard enforcement profiles for administrative login, i.e. [TACACS Super Admin].
If you have custom admin privileges you have to return the matching names.
Yes, local authentication is still working. In the use case where I have utilized this, it has worked well. As a service provider I send authentications back to our ClearPass, but sometimes local technicians within the customer network must be able to authenticate as well to get a read-only role in ClearPass.
But I agree, there could at least be an option to not allow local authentication as long as the TACACS+ server is available.
I have only tested using this against other ClearPass servers, not in 2FA/MFA scenarios.
For admin logon with a smart card, I have integrated with ADFS or used ClearPass as the IdP for SAML authentication.
If you have smart cards, this may be the easiest way to get 2FA/MFA.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or marking it as the solution
------------------------------
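As an added example (not part of the thread, and not Aruba's or ClearPass's own tooling): a small Python probe that runs the TACACS+ (RFC 8907) ASCII login exchange against each server address, so you can confirm that every entry in the ClearPass server list is reachable and accepts the shared secret before you depend on it for admin access. The server addresses, shared key and probe account are placeholders chosen for this example. It exercises authentication only; the authorization attributes the reply above refers to come back in a separate packet type that this probe does not request.

```python
"""Added example: probe each configured TACACS+ server with an ASCII login (RFC 8907)."""
import hashlib
import os
import socket
import struct

TAC_PLUS_VERSION = 0xC0           # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action: login
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is NOT obfuscated
HEADER_LEN = 12

# Authentication REPLY status codes (RFC 8907 section 6.1.2)
AUTHEN_STATUS = {
    0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
    0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW",
}


def pseudo_pad(length, session_id, key, version, seq_no):
    """Keystream from RFC 8907 section 4.5: chained MD5 over session id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(len(body), session_id, key, TAC_PLUS_VERSION, seq_no)
    return bytes(b ^ p for b, p in zip(body, pad))


def header(seq_no, session_id, body_len):
    """12-byte header: version, type, seq_no, flags (0 = obfuscated), session_id, length."""
    return struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, body_len)


def authen_start_body(user, port=b"tty0", rem_addr=b"clearpass-probe"):
    """Authentication START body for an ASCII login (section 6.1.1); port/rem_addr are example values."""
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 0, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def authen_continue_body(user_msg):
    """Authentication CONTINUE body (section 6.1.3): user_msg_len, data_len, flags, user_msg."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def parse_authen_reply(body):
    """Authentication REPLY body (section 6.1.2) -> (status name, server_msg)."""
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return AUTHEN_STATUS.get(status, "UNKNOWN(0x%02x)" % status), body[6:6 + msg_len]


def _exchange(sock, seq_no, session_id, key, body):
    """Send one obfuscated packet and return the decoded body of the server's reply."""
    sock.sendall(header(seq_no, session_id, len(body)) + obfuscate(body, session_id, key, seq_no))
    hdr = sock.recv(HEADER_LEN)
    if len(hdr) < HEADER_LEN:
        raise ConnectionError("short TACACS+ header (wrong shared secret or server closed)")
    _, ptype, rseq, flags, rsession, blen = struct.unpack("!BBBBII", hdr)
    if ptype != TAC_PLUS_AUTHEN or rsession != session_id or rseq != seq_no + 1:
        raise ConnectionError("unexpected packet type, session id or sequence number")
    raw = b""
    while len(raw) < blen:
        chunk = sock.recv(blen - len(raw))
        if not chunk:
            raise ConnectionError("short TACACS+ body")
        raw += chunk
    return raw if flags & TAC_PLUS_UNENCRYPTED_FLAG else obfuscate(raw, session_id, key, rseq)


def probe(server, key, user, password, timeout=5.0):
    """Run a full ASCII login against one server; returns the final status name."""
    session_id = int.from_bytes(os.urandom(4), "big")
    with socket.create_connection((server, 49), timeout=timeout) as s:
        status, _ = parse_authen_reply(_exchange(s, 1, session_id, key, authen_start_body(user)))
        seq = 3  # client packets carry odd sequence numbers, server replies even ones
        while status == "GETPASS":
            status, _ = parse_authen_reply(
                _exchange(s, seq, session_id, key, authen_continue_body(password)))
            seq += 2
    # A wrong shared secret decodes the reply to garbage, so status shows as UNKNOWN(...)
    return status


if __name__ == "__main__":
    SERVERS = ["192.0.2.10", "192.0.2.11"]   # placeholder addresses for this example
    KEY = b"example-shared-secret"           # placeholder shared secret
    for srv in SERVERS:
        try:
            print(srv, probe(srv, KEY, b"probe-user", b"probe-pass"))
        except (OSError, ConnectionError) as exc:
            print(srv, "unreachable:", exc)
```

Run it from a host that is allowed to reach TCP/49 on the same servers ClearPass uses; each address is tested independently, which is the point when you have several standalone servers rather than one VIP. A status of PASS or FAIL means the server is up and the shared secret is correct (FAIL only tells you the probe credentials were rejected); UNKNOWN or a closed connection usually means a key mismatch.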
Original Message:
Sent: Jan 18, 2023 06:00 AM
From: dannybosman
Subject: clearpass admin access with TACACS authentication
Hi
We need to authenticate admin access to ClearPass via an external TACACS+ server. Today we use an external LDAP/AD server, which works fine, but this implementation does not support 2FA/MFA (in our setup). So the TACACS+ server is integrated with a 2FA solution (Gemalto), used by many other network devices (switches, routers, AirWave, AOS 8, etc.).
We found the TACACS+ configuration under "Server Configuration" - "Cluster-Wide Parameters".
A few questions:
- Only one TACACS+ server is supported? (Really?) No redundant setup is possible? (We have multiple independent TACACS+ servers, no VIP.)
- What additional configuration is needed? I assume some changes to the services for admin access, but how exactly? I couldn't find an end-to-end explanation on Airheads.
- The local admin always keeps working, even if the TACACS+ server is responding. This is a weird solution, as it is possible to bypass normal authentication at any time (standard behavior would be that when the TACACS+ server is responding, the local admin accounts can't be used, as implemented in many other products).
- What other solutions are possible for 2FA/MFA for admin access to ClearPass, e.g. is integration with AAD possible? Any practical reference document?
I know, a lot of questions, so many thanks for your support!
------------------------------
Danny Bosman
KBC Group - Belgium
------------------------------