Hi: I am trying to configure CP 6.11 to do TACACS authentication with Arista switches. I found the following article: Airheads Community

and it mentions a config change to the TacacsServiceDictionary.xml file. That post was from 2019 and no doubt the structure of the file has changed since then. The post calls for the addition of the following line to the file:

<ServiceAttribute allowedValuesCsv="network-admin" dataType="String" dispName="cvp-roles" name="cvp-roles"/>

however the following line is already in the file:

<ServiceAttribute allowedValuesCsv="network-admin,network-operator" dataType="String" dispName="cvp-roles" name="cvp-roles"/>

So, do I need to change it to mimic the one from the post or is it adequate as listed?

Thanks - Mike
You are good, network-admin and network-operator are now included in the default TACACS+ dictionary for cvp-roles. No need to update to add those roles.
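As an added check (not from the original thread and not ClearPass's own code), a small Python script that parses the cvp-roles ServiceAttribute and reports any role missing from its allowedValuesCsv. Only the ServiceAttribute line is as quoted above; the enclosing Service element and the sample layout are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed fragment: the <ServiceAttribute> line is the one quoted in the
# thread; the <TacacsServiceDictionary>/<Service> wrapper is an assumed layout.
SAMPLE_DICTIONARY = """<TacacsServiceDictionary>
  <Service name="cvp">
    <ServiceAttribute allowedValuesCsv="network-admin,network-operator" dataType="String" dispName="cvp-roles" name="cvp-roles"/>
  </Service>
</TacacsServiceDictionary>
"""

# Roles the Arista TACACS+ enforcement may hand back for cvp-roles.
REQUIRED_ROLES = {"network-admin", "network-operator"}


def allowed_values(xml_text, attr_name):
    """Return the set of allowedValuesCsv entries for the named ServiceAttribute,
    or None when no attribute with that name exists in the dictionary."""
    root = ET.fromstring(xml_text)
    for node in root.iter("ServiceAttribute"):
        if node.get("name") == attr_name:
            csv = node.get("allowedValuesCsv", "")
            return {v.strip() for v in csv.split(",") if v.strip()}
    return None


def missing_roles(xml_text, attr_name="cvp-roles", required=REQUIRED_ROLES):
    """Roles in `required` that the dictionary does not yet allow.
    An empty set means the file needs no edit for these roles."""
    present = allowed_values(xml_text, attr_name)
    if present is None:
        return set(required)
    return set(required) - present


if __name__ == "__main__":
    # Point this at the real TacacsServiceDictionary.xml contents to check a live box.
    missing = missing_roles(SAMPLE_DICTIONARY)
    if missing:
        print("add to allowedValuesCsv: " + ",".join(sorted(missing)))
    else:
        print("dictionary already allows all required cvp-roles")
```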
mholden - thanks for the quick response!

Now that issue is behind me, I am still having issues getting TACACS to work. Is there a guide out there to step me through how to set up CP so it can authenticate logins on Arista and/or Brocade switches? I can do basic RADIUS authentications and authorizations via LDAP but that does not seem to translate over to TACACS.

If I use a local password for testing it authenticates and lets me into the switch but then I see:

and the Login status in Access Tracker gets marked as "REJECT".

Thanks again for any advice offered.
Original Message:
Sent: May 25, 2023 04:04 PM
From: mwfolso
Subject: Setting up ClearPass for Arista TACACS
So I don't have one specifically for Arista, but from the issue, it sounds like you're likely hitting the default policy. Make sure your AD group or whatever auth source in the enforcement is triggering on your request / username. Check the Input and make sure you're seeing the correct information that you plan to match on in the enforcement policy. It may be helpful to see the Palo Alto example that gossewaarde and victorchow put together to use the AD group "Domain Admins" to match a role and apply that to the enforcement policy: https://ase.arubanetworks.com/solutions/id/174

Your enforcement policy will be based on the Arista response required for TACACS+, which can be found here: https://www.arista.com/en/um-eos/eos-user-security#xx1348138 rather than the "Palo Alto Admin Auth" shown in the Palo Alto example on ASE.

There's also an example of an ArubaOS Switch TACACS config here: https://ase.arubanetworks.com/solutions/id/126
Original Message:
Sent: May 25, 2023 04:39 PM
From: mholden
Subject: Setting up ClearPass for Arista TACACS
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.