Security

 View Only
last person joined: 20 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass Policy Manager 6.10 Custom TACACS Dictionaries file

This thread has been viewed 10 times
  • 1.  Clearpass Policy Manager 6.10 Custom TACACS Dictionaries file

    Posted Aug 11, 2022 10:13 PM
    Hi,

    Appologies if this is a dumb question, clearpass is not my strongest of platforms I work on.

    We use Clearpass as a TACACS server for all of our switches and Aruba controllers, we have profiles configured for Aruba MM and MD which works fine and profile for Extreme Networks Devices which also works fine.

    I have a new Manufacturer of industriakl ethernet switches which can use TACACS and works fine using a free tacacs server (as a test) however I am unable to get the Clearpass server to authenticate the requests from these devices. Instead of a entry in the Access Tracker for eahc attempt i see an entry in the Event Viewer....

    Source TacacsServer
    Level WARN
    Category Request
    Action Failed
    Timestamp Aug 11, 2022 10:44:30 BST
    Description
    Authorization request for unauthenticated user=****; NAD=192.168.***.***


    Is this due to the lack of TACACS dictionary file for the vendor? if so is it possible to create a custom dictionary XML and deduce the value of the service attribute?

    <ServiceAttribute dataType="String" dispName="*****" name="*****"/>

    Sorry if this is a dumb question, just not having much luck with the resources ive tried so far.

    Many Thanks



  • 2.  RE: Clearpass Policy Manager 6.10 Custom TACACS Dictionaries file

    Posted Aug 12, 2022 02:00 AM
    Hello,

    Normally you get this message when the Tacacs authorization message is received by another Clearpass server than the one that has proceeded  the authentication.

    This can also happens with long lasting SSH sessions after a reboot of the CPPM servers.

    If the device is sending the Tacacs request to any of the server instead of using always the same use a VIP IP for Tacacs

    Kind regards

    Christian


  • 3.  RE: Clearpass Policy Manager 6.10 Custom TACACS Dictionaries file

    Posted Aug 12, 2022 03:44 AM
    Hi Christian,

    Sorry i should have mentioned that this is a standalone Clearpass server that is only configured for TACACS Auth.

    Its not being sent anywhere before hand, the server and Switch sit on either side of a checkpoint firewall and my first check was making sure i saw TCP49 destined only to the correct server IP and i see the response packets also using TCP Dump.

    tcpdump -nni bond1.1023 port 49
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bond1.1023, link-type EN10MB (Ethernet), capture size 262144 bytes
    08:41:16.681980 IP 192.168.x.x.1068 > 192.168.y.y.49: Flags [S], seq 3047991437, win 16384, options [mss 1460], length 0
    08:41:16.682655 IP 192.168.y.y.49 > 192.168.x.x.1068: Flags [S.], seq 906735252, ack 3047991438, win 29200, options [mss 1460], length 0
    08:41:16.684004 IP 192.168.x.x.1068 > 192.168.y.y.49: Flags [.], ack 1, win 17520, length 0
    08:41:16.689697 IP 192.168.x.x.1068 > 192.168.y.y.49: Flags [P.], seq 1:66, ack 1, win 17520, length 65
    08:41:16.689853 IP 192.168.y.y.49 > 192.168.x.x.1068: Flags [.], ack 66, win 29200, length 0
    08:41:16.690371 IP 192.168.y.y.49 > 192.168.x.x.1068: Flags [P.], seq 1:38, ack 66, win 29200, length 37
    08:41:16.690376 IP 192.168.y.y.49 > 192.168.x.x.1068: Flags [F.], seq 38, ack 66, win 29200, length 0
    08:41:16.691946 IP 192.168.x.x.1068 > 192.168.y.y.49: Flags [.], ack 39, win 17483, length 0
    08:41:16.693085 IP 192.168.x.x.1068 > 192.168.y.y.49: Flags [F.], seq 66, ack 39, win 17483, length 0
    08:41:16.693192 IP 192.168.y.y.49 > 192.168.x.x.1068: Flags [.], ack 67, win 29200, length 0
    08:41:16.699349 IP 192.168.x.x.1069 > 192.168.y.y.49: Flags [S], seq 1679976846, win 16384, options [mss 1460], length 0
    08:41:16.700101 IP 192.168.y.y.49 > 192.168.x.x.1069: Flags [S.], seq 3469137404, ack 1679976847, win 29200, options [mss 1460], length 0
    08:41:16.701473 IP 192.168.x.x.1069 > 192.168.y.y.49: Flags [.], ack 1, win 17520, length 0
    08:41:16.713638 IP 192.168.x.x.1069 > 192.168.y.y.49: Flags [P.], seq 1:64, ack 1, win 17520, length 63
    08:41:16.713762 IP 192.168.y.y.49 > 192.168.x.x.1069: Flags [.], ack 64, win 29200, length 0
    08:41:16.714296 IP 192.168.y.y.49 > 192.168.x.x.1069: Flags [P.], seq 1:75, ack 64, win 29200, length 74
    08:41:16.714363 IP 192.168.y.y.49 > 192.168.x.x.1069: Flags [F.], seq 75, ack 64, win 29200, length 0
    08:41:16.716359 IP 192.168.x.x.1069 > 192.168.y.y.49: Flags [.], ack 76, win 17446, length 0
    08:41:16.722082 IP 192.168.x.x.1069 > 192.168.y.y.49: Flags [F.], seq 64, ack 76, win 17446, length 0
    08:41:16.722212 IP 192.168.y.y.49 > 192.168.x.x.1069: Flags [.], ack 65, win 29200, length 0


  • 4.  RE: Clearpass Policy Manager 6.10 Custom TACACS Dictionaries file

    Posted Aug 12, 2022 10:10 AM
    Update:

    I have been messing around with settings on both clearpass and the switch device all day and found that switching the Device TACACS Method to PAP instead of CHAP allowed them to authenticate fine against clearpass.