Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Tacacs+ account as a Service account on CPPM

  • 1.  Tacacs+ account as a Service account on CPPM

    Posted 2 hours ago

    Hi,

    There is a requirement for a specific TACACS+ local account on CPPM to have its password never expire or get disabled by TIPS for not changing it. Those accounts will be used for SNMP monitoring over network devices (routers, switches, WLCs). Is there any way to create such an account on CPPM?
    If I change the password expiry rules, it will be changed for all accounts!



  • 2.  RE: Tacacs+ account as a Service account on CPPM

    EMPLOYEE
    Posted 2 hours ago

    Your expectation is to use TACACS+ authentication for a username used in SNMP monitoring?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Tacacs+ account as a Service account on CPPM

    Posted 2 hours ago

    Hi

    With TACACS+ local account, do you refer to a local account in ClearPass?

    Do you only use ClearPass as a user directory, or do you have any other user directory such as Active Directory? If you have Active Directory, you can create the needed account in AD and mark the account to not need to change its password.

    You can create the needed accounts in any of the user account databases, Admin Users, Local Users and Guest Users.

    Another option may be to utilize a custom created guest user, assign the user to a dedicated role and allow this user with this role to authenticate in the TACACS service.

    I have never tried your exact use case, but it should be possible to do.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 4.  RE: Tacacs+ account as a Service account on CPPM

    Posted an hour ago

    I've not seen switches that can look up SNMP users in an external source, like TACACS/RADIUS. Just SSH/Web login, I have seen.

    Local ClearPass admins / users in the ClearPass local user database don't have expiry or mandatory password changes as far as I know.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------