  • 1.  TACACS+ Post authentication enforcement

    Posted Sep 12, 2024 11:21 AM

    Hi All,

    I am looking for a way to get an HTTP-based enforcement onto a TACACS+ service. I can't see why we would not be able to do this, however it is causing me a few issues at the moment.

    Essentially I am looking to trigger an API call on every TACACS+ authentication. This is possible with RADIUS and due to it not affecting the security I would expect this to be possible with TACACS.

    Any thoughts would be great.


    Thanks,
    Ben



  • 2.  RE: TACACS+ Post authentication enforcement

    Posted Sep 13, 2024 04:53 AM

    Hi Ben

    Not the answer you are hoping for, but you are not alone in this request.

    There is an active feature request in the Innovation Zone for the feature: https://innovate.arubanetworks.com/ideas/SEC-I-1957

    Log in and vote on the feature request.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: TACACS+ Post authentication enforcement

    Posted Sep 23, 2024 06:15 AM

    Haven't fully tried, but if you have enough information in the authentication request (not the response/roles), you may try to include an HTTP Authorization source under authorization. The config of adding an HTTP authorization source to a TACACS+ service seems to be accepted.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------