Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Tacacs+ account as a Service account on CPPM

  • 1.  Tacacs+ account as a Service account on CPPM

    Posted Aug 27, 2024 10:46 AM

    Hi,

    There is a requirement for a specific TACACS+ local account on CPPM to have its password never expire or get disabled by TIPS for not changing it. Those accounts will be used for SNMP monitoring over network devices (routers, switches, WLCs). Is there any way to create such an account on CPPM?
    If I change the password expiry rules, they will be changed for all accounts!



  • 2.  RE: Tacacs+ account as a Service account on CPPM

    EMPLOYEE
    Posted Aug 27, 2024 10:53 AM

    Your expectation is to use TACACS+ authentication for a username used in SNMP monitoring?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Tacacs+ account as a Service account on CPPM

    Posted Aug 28, 2024 08:14 AM

    My expectation is, I need to know if CPPM is capable of creating a TACACS+ local user account that looks like a "service account" with no password expiry or account disable. This account will be used by a tool (SNMP or whatever) to SSH into the switch and pull some info used somehow to monitor the device.




  • 4.  RE: Tacacs+ account as a Service account on CPPM

    EMPLOYEE
    Posted Aug 28, 2024 12:05 PM

    Yes, that can be done as password expiration isn't a requirement.  Your inclusion of SNMP was the confusing portion of the question because, as others noted, SNMP shouldn't be utilizing AAA.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Tacacs+ account as a Service account on CPPM
    Best Answer

    Posted Aug 27, 2024 11:01 AM

    Hi

    With TACACS+ local account, do you refer to a local account in ClearPass?

    Do you only use ClearPass as a user directory, or do you have any other user directory such as Active Directory? If you have Active Directory, you can create the needed account in AD and mark the account to not need to change its password.

    You can create the needed accounts in any of the user account databases, Admin Users, Local Users and Guest Users.

    Another option may be to utilize a custom created guest user, assign the user to a dedicated role and allow this user with this role to authenticate in the TACACS service.

    I have never tried exactly your use case, but it should be possible to do.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 6.  RE: Tacacs+ account as a Service account on CPPM

    Posted Aug 28, 2024 08:21 AM

    Thank you very much. Yes, authenticating to an external source is what I've found as well.
    I must integrate with AD to solve this dilemma.

    Thank you very much. 




  • 7.  RE: Tacacs+ account as a Service account on CPPM

    Posted Aug 27, 2024 11:57 AM

    I've not seen switches that can look up SNMP users in an external source like TACACS/RADIUS. I have only seen that for SSH/Web login.

    Local ClearPass admins / users in the ClearPass local user database don't have expiry or mandatory password changes as far as I know.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------