So I don't have one specifically for Arista, but from the issue, it sounds like you're likely hitting the default policy. Make sure your AD group or whatever Auth source in the enforcement is triggering on your request / username. Check the Input and make sure you're seeing the correct information that you plan to match on in the enforcement policy.
It may be helpful to see the paloalto example that gossewaarde and victorchow put together to use the AD group "Domain Admins" to match a role and apply that to the enforcement policy.
https://ase.arubanetworks.com/solutions/id/174
Your enforcement policy will be based on the Arista response required for TACACS+ which can be found here:
https://www.arista.com/en/um-eos/eos-user-security#xx1348138
(rather than the "Palo Alto Admin Auth" shown in the paloalto example on ASE).
There's also an example of an ArubaOS Switch TACACS config here:
https://ase.arubanetworks.com/solutions/id/126
Original Message:
Sent: May 25, 2023 05:49 PM
From: mwfolso
Subject: Setting up ClearPass for Arista TACACS
mholden - thanks for the quick response!
Now that issue is behind me - I am still having issues getting TACACS to work. Is there a guide out there to step me through how to setup CP so it can authenticate logins on Arista and/or Brocade switches? I can do basic Radius authentications and authorizations via LDAP but that does not seem to translate over to TACACS.
If I use a local password for testing it authenticates and lets me into the switch but then I see:
Tacacs server | Not enough input to perform authentication |
and the Login status in Access Tracker gets marked as "REJECT".
Thanks again for any advice offered.
Original Message:
Sent: May 25, 2023 04:39 PM
From: mholden
Subject: Setting up ClearPass for Arista TACACS
You are good, network-admin and network-operator are now included in the default TACACS+ dictionary for cvp-roles.
No need to update to add those roles.
Original Message:
Sent: May 25, 2023 04:04 PM
From: mwfolso
Subject: Setting up ClearPass for Arista TACACS
Hi:
I am trying to configure CP 6.11 to do TACACS authentication with Arista switches. I found the following article:
Airheads Community post: "Hi Community, i want to share with you the feedback how to get CVP (Cloudvision Portal) running with CPPM (6.7) over Tacacs+ Service. Normally you get the netwo..."
and it mentions a config change to the TacacsServiceDictionary.xml file. That post was from 2019 and no doubt the structure of the file has changed since then. The post calls for the addition of the following line to the file:
<ServiceAttribute allowedValuesCsv="network-admin" dataType="String" dispName="cvp-roles" name="cvp-roles"/>
however the following line is already in the file:
<ServiceAttribute allowedValuesCsv="network-admin,network-operator" dataType="String" dispName="cvp-roles" name="cvp-roles"/>
So, do I need to change it to mimic the one from the post or is it adequate as listed?
Thanks -
Mike
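The question above comes down to checking whether the existing `cvp-roles` ServiceAttribute already allows the roles you need, and avoiding a second `cvp-roles` entry if the 2019 line is pasted in as well. The following is an added example, not code from the thread or from ClearPass: it parses a dictionary file, reports which required roles are missing, flags duplicate ServiceAttribute names, and merges missing roles into the existing entry instead of adding a new line. The sample XML is constructed from the two lines quoted in the post; the root element name `TacacsServiceDictionary`, the `placeholder-attr` entry and the `example-role` value are assumptions, since the page does not show the file's full layout.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample standing in for ClearPass's TacacsServiceDictionary.xml.
# The cvp-roles line is as quoted in the thread; the root element name and the
# second attribute are assumptions (the page only shows the ServiceAttribute lines).
SAMPLE_DICTIONARY = """<?xml version="1.0" encoding="UTF-8"?>
<TacacsServiceDictionary>
  <ServiceAttribute allowedValuesCsv="network-admin,network-operator" dataType="String" dispName="cvp-roles" name="cvp-roles"/>
  <ServiceAttribute allowedValuesCsv="" dataType="String" dispName="placeholder-attr" name="placeholder-attr"/>
</TacacsServiceDictionary>
"""

# The line the 2019 post asked readers to add, quoted from the thread.
LINE_FROM_2019_POST = '<ServiceAttribute allowedValuesCsv="network-admin" dataType="String" dispName="cvp-roles" name="cvp-roles"/>'


def allowed_values(xml_text, attr_name):
    """Return the allowedValuesCsv entries for the named ServiceAttribute, or None if absent."""
    root = ET.fromstring(xml_text)
    for elem in root.iter("ServiceAttribute"):
        if elem.get("name") == attr_name:
            csv = elem.get("allowedValuesCsv", "")
            return [v.strip() for v in csv.split(",") if v.strip()]
    return None


def missing_roles(xml_text, attr_name, required):
    """Roles in `required` that the dictionary does not yet allow for attr_name."""
    present = allowed_values(xml_text, attr_name)
    if present is None:
        return list(required)
    return [r for r in required if r not in present]


def duplicate_attribute_names(xml_text):
    """ServiceAttribute names that occur more than once (what pasting the old line alongside
    the existing entry would produce)."""
    root = ET.fromstring(xml_text)
    counts = Counter(elem.get("name") for elem in root.iter("ServiceAttribute"))
    return sorted(name for name, n in counts.items() if n > 1)


def ensure_roles(xml_text, attr_name, required):
    """Return xml_text with any missing roles appended to attr_name's allowedValuesCsv.
    When nothing is missing the input is returned untouched, so a no-op stays a no-op."""
    missing = missing_roles(xml_text, attr_name, required)
    if not missing:
        return xml_text
    root = ET.fromstring(xml_text)
    for elem in root.iter("ServiceAttribute"):
        if elem.get("name") == attr_name:
            merged = allowed_values(xml_text, attr_name) + missing
            elem.set("allowedValuesCsv", ",".join(merged))
            break
    else:
        # Attribute not present at all: create one entry carrying the required roles.
        ET.SubElement(root, "ServiceAttribute", {
            "allowedValuesCsv": ",".join(required), "dataType": "String",
            "dispName": attr_name, "name": attr_name})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    wanted = ["network-admin", "network-operator"]
    print("missing roles:", missing_roles(SAMPLE_DICTIONARY, "cvp-roles", wanted))
    pasted = SAMPLE_DICTIONARY.replace(
        "</TacacsServiceDictionary>",
        "  " + LINE_FROM_2019_POST + "\n</TacacsServiceDictionary>")
    print("duplicate names after pasting the 2019 line:", duplicate_attribute_names(pasted))
```

Run against the real file by reading it into `xml_text`; an empty `missing_roles` result for `network-admin` and `network-operator` confirms the shipped entry already covers what the 2019 post added, and a non-empty `duplicate_attribute_names` result is the sign that the old line was pasted in on top of it.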