Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass TACACs - Cisco Config

  • 1.  ClearPass TACACs - Cisco Config

    Posted Jul 26, 2024 10:03 AM

    I can't for the life of me enforce a user to be given priv level 1.

    Switch config:

    CPTESTSW05#show running-config | sec aaa

    aaa new-model
    aaa group server tacacs+ CPPM-TACACS
    server name CPPM01-TACACS
    aaa group server radius CPPM-RADIUS
    server name CPPM01-RADIUS

    aaa authentication login userAuthentication group CPPM-TACACS local
    aaa authentication dot1x default group CPPM-RADIUS
    aaa authorization config-commands
    aaa authorization exec default group CPPM-TACACS if-authenticated
    aaa authorization commands 0 default group CPPM-TACACS none
    aaa authorization commands 1 default group CPPM-TACACS if-authenticated
    aaa authorization commands 15 default group CPPM-TACACS if-authenticated
    aaa authorization network userAuthorization group CPPM-RADIUS local
    aaa accounting exec default start-stop group CPPM-RADIUS
    aaa accounting commands 15 default start-stop group CPPM-TACACS
    aaa accounting connection default start-stop group CPPM-TACACS
    aaa accounting system default start-stop group CPPM-RADIUS

    aaa server radius dynamic-author
    client 10.10.20.30 server-key password
    port 3799
    auth-type all
    aaa session-id common
    match result-type aaa-timeout

    CPTESTSW05#show running-config | sec tacacs

    aaa group server tacacs+ CPPM-TACACS
    server name CPPM01-TACACS
    ip tacacs source-interface GigabitEthernet1/0/1
    tacacs server CPPM01-TACACS
    address ipv4 10.10.20.30
    key password

    CPTESTSW05#show running-config | beg line

    line con 0
    exec-timeout 0 0
    logging synchronous
    login authentication userAuthentication
    stopbits 1

    line vty 0 4
    exec-timeout 0 0
    logging synchronous
    login authentication userAuthentication
    transport input ssh
    line vty 5 16
    exec-timeout 0 0
    logging synchronous
    login authentication userAuthentication
    transport input ssh


    ---

    For Clearpass I am trying to set the priv level 1 with an enforcement profile. For example:


    With this current config, I am not able to change the priv level from 15 to anything, and I am not able to restrict any commands. I must be missing something.
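    The AAA and line sections above, condensed into a constructed sample and walked through by an added audit script (written here, not the poster's or HPE's code): it resolves which method list IOS applies to each line for login authentication, exec authorization and per-level command authorization, and flags every method that lets authorization succeed without a decision from the TACACS+ server.

```python
import re

# Constructed sample, condensed from the switch output in the post above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login userAuthentication group CPPM-TACACS local
aaa authorization exec default group CPPM-TACACS if-authenticated
aaa authorization commands 0 default group CPPM-TACACS none
aaa authorization commands 1 default group CPPM-TACACS if-authenticated
aaa authorization commands 15 default group CPPM-TACACS if-authenticated
line con 0
 login authentication userAuthentication
line vty 0 4
 login authentication userAuthentication
 transport input ssh
"""

# Method keywords that let AAA succeed without a server decision (worth reviewing on any device).
FALLBACKS = {"none": "grants unconditionally",
             "if-authenticated": "grants to any authenticated user",
             "local": "falls back to the local user database"}

def parse_config(config):
    """Return (aaa_lists, lines): named method lists and per-line overrides."""
    aaa_lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa (authentication login|authorization exec|authorization commands \d+) (\S+) (.+)", text)
        if m:
            aaa_lists[(m.group(1), m.group(2))] = m.group(3).split()
        elif text.startswith("line "):
            current = text[5:]
            lines[current] = {}
        elif current and raw.startswith(" "):
            m = re.match(r"(login authentication|authorization exec|authorization commands \d+) (\S+)", text)
            if m:
                kind = "authentication login" if m.group(1) == "login authentication" else m.group(1)
                lines[current][kind] = m.group(2)
    return aaa_lists, lines

def effective_aaa(config):
    """Per line: (list name, methods, fallback summary) for each AAA function found in the config."""
    aaa_lists, lines = parse_config(config)
    report = {}
    for line, overrides in lines.items():
        report[line] = {}
        for kind in sorted({k for k, _ in aaa_lists}):
            name = overrides.get(kind, "default")   # IOS applies the 'default' list to lines without an override
            methods = aaa_lists.get((kind, name))
            if methods is None:
                report[line][kind] = (name, None, "no list applies")
                continue
            fallback = [f"{m}: {FALLBACKS[m]}" for m in methods if m in FALLBACKS]
            report[line][kind] = (name, methods, "; ".join(fallback) or "server decides only")
    return report
```

    Run `effective_aaa(SAMPLE_CONFIG)` against a real `show running-config` to see, per line, whether exec privilege and command authorization are actually delegated to CPPM-TACACS and what happens when the server does not answer.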



  • 2.  RE: ClearPass TACACs - Cisco Config

    Posted Jul 27, 2024 12:33 AM

    What are you showing in access tracker? Is the request hitting the correct service? In the service is it hitting the correct enforcement policy?