Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Setting up ClearPass for Arista TACACS

  • 1.  Setting up ClearPass for Arista TACACS

    Posted May 25, 2023 04:05 PM

    Hi:

    I am trying to configure CP 6.11 to do TACACS authentication with Arista switches.  I found the following article:
    Airheads Community (linked post, preview truncated): "Hi Community, i want to share with you the feedback how to get CVP (Cloudvision Portal) running with CPPM (6.7) over Tacacs+ Service. Normally you get the netwo


    and it mentions a config change to the TacacsServiceDictionary.xml file.  That post was from 2019 and no doubt the structure of the file has changed since then.  The post calls for the addition of the following line to the file:
         <ServiceAttribute allowedValuesCsv="network-admin" dataType="String" dispName="cvp-roles" name="cvp-roles"/>
    however the following line is already in the file:
         <ServiceAttribute allowedValuesCsv="network-admin,network-operator" dataType="String" dispName="cvp-roles" name="cvp-roles"/>

    So, do I need to change it to mimic the one from the post or is it adequate as listed?

    Thanks -

    Mike



  • 2.  RE: Setting up ClearPass for Arista TACACS

    Posted May 25, 2023 04:40 PM

    You are good, network-admin and network-operator are now included in the default TACACS+ dictionary for cvp-roles. 
    No need to update to add those roles. 
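The check behind this answer, as an added example that is not from the thread or from HPE: it parses a constructed excerpt of TacacsServiceDictionary.xml (only the cvp-roles line is taken from the post; the surrounding element names are assumed), reports which required cvp-roles values are missing, and computes the merged allowedValuesCsv only when an update is actually needed.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of TacacsServiceDictionary.xml. The ServiceAttribute line is
# the one quoted in the thread; the enclosing elements are assumed for illustration.
SAMPLE_DICTIONARY = """<TacacsServiceDictionaries>
  <TacacsServiceDictionary name="Arista-CVP">
    <ServiceAttribute allowedValuesCsv="network-admin,network-operator" dataType="String" dispName="cvp-roles" name="cvp-roles"/>
  </TacacsServiceDictionary>
</TacacsServiceDictionaries>
"""


def allowed_values(xml_text, attr_name):
    """Return the allowedValuesCsv entries of the named ServiceAttribute, in file order.

    Returns None when the attribute does not exist in the dictionary at all.
    """
    root = ET.fromstring(xml_text)
    for elem in root.iter("ServiceAttribute"):
        if elem.get("name") == attr_name:
            csv = elem.get("allowedValuesCsv", "")
            return [v.strip() for v in csv.split(",") if v.strip()]
    return None


def missing_values(xml_text, attr_name, required):
    """Which of the required values the dictionary does not already allow."""
    present = allowed_values(xml_text, attr_name)
    if present is None:
        return set(required)
    return set(required) - set(present)


def merged_csv(xml_text, attr_name, required):
    """allowedValuesCsv to write back: existing values first, then any missing ones.

    If nothing is missing the existing string is returned unchanged, so the
    dictionary can be left as-is (the situation in this thread).
    """
    present = allowed_values(xml_text, attr_name) or []
    extra = [r for r in required if r not in present]
    return ",".join(present + extra)


if __name__ == "__main__":
    need = ["network-admin"]  # the value the 2019 post asked to add
    print("missing:", missing_values(SAMPLE_DICTIONARY, "cvp-roles", need) or "none")
    print("allowedValuesCsv:", merged_csv(SAMPLE_DICTIONARY, "cvp-roles", need))
```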




  • 3.  RE: Setting up ClearPass for Arista TACACS

    Posted May 25, 2023 05:49 PM

    mholden - thanks for the quick response!

    Now that issue is behind me - I am still having issues getting TACACS to work.  Is there a guide out there to step me through how to setup CP so it can authenticate logins on Arista and/or Brocade switches?  I can do basic Radius authentications and authorizations via LDAP but that does not seem to translate over to TACACS.

    If I use a local password for testing it authenticates and lets me into the switch but then I see:

    Tacacs server Not enough input to perform authentication

    and the Login status in Access Tracker gets marked as "REJECT".

    Thanks again for any advice offered.




  • 4.  RE: Setting up ClearPass for Arista TACACS

    Posted May 25, 2023 06:22 PM

    So I don't have one specifically for Arista, but from the issue, it sounds like you're likely hitting the default policy. Make sure your AD group or whatever Auth source in the enforcement is triggering on your request / username. Check the Input and make sure you're seeing the correct information that you plan to match on in the enforcement policy.

    It may be helpful to see the paloalto example that gossewaarde and victorchow put together to use the AD group "Domain Admins" to match a role and apply that to the enforcement policy.
    https://ase.arubanetworks.com/solutions/id/174

    Your enforcement policy will be based on the Arista response required for TACACS+ which can be found here:
    https://www.arista.com/en/um-eos/eos-user-security#xx1348138 
    Rather than the "Palo Alto Admin Auth" shown in the paloalto example on ASE.

    There's also an example of an ArubaOS Switch TACACS config here:
    https://ase.arubanetworks.com/solutions/id/126