How to Configure management authentication for ClearPass against AD
Introduction: This article explains:
i) Authenticating CPPM management users against AD.
ii) Configuring the services on CPPM for authentication.
iii) Using the TACACS+ service for authentication.
Feature Notes: An AD domain controller authenticates and authorizes all users and computers in a Windows domain network. CPPM can use AD for authentication and role-based authorization of CPPM management users.
Environment: This knowledge base article is written for CPPM 6.x.
Configuration Steps:
The following steps are to be followed.
1: Add Active Directory as an authentication source.
2: Configure the TACACS+ service on CPPM to authenticate management users.
Please refer to the detailed steps below.
2a: Log in to CPPM as an admin user, browse to Configuration » Services and click "Add new service". This opens a new window as below.
Select the following details:
Type: TACACS+ Enforcement
Name: The name of the service.
Description: Add a note describing the service for the user's understanding.
Make sure that the Authorization option is checked; it is required for role-based authentication.
Add a rule as shown above: any request whose NAD-IP is localhost (127.0.0.1) should hit this service, since CPPM management logins are authenticated by CPPM itself over TACACS+ on 127.0.0.1.
2b: In this screen, add Active Directory as the authentication source and click "Next".
2c: Make sure that Active Directory is listed as an authentication source under this service and click "Next".
2d: On this page click "Add new Role Mapping Policy"; this opens a new window as below.
On this page we can set the Default Role to a Read Only role. Click "Next".
On this window, we will add Roles for authorization.
The rule above means: if the user is a member of Domain Admins, the user is authenticated with the Super Admin role.
Similarly, we can add further rules based on our requirements as below, making sure that the option below is set.
Rules Evaluation Algorithm:
Once all the rules are configured, click Save; the screen returns to the service configuration. Select the role mapping policy we just created.
2e: Now, if required, we can add the Enforcement profile.
Select the default profile "[Admin Network Login Policy]" from the drop-down.
Save the configuration.
Once done, log out and log in with a remote user (a user that exists in AD) to verify.
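The role mapping policy configured in step 2d, modelled as an added example that is not ClearPass code: a Default Role, ordered rules keyed on the user's AD group membership (memberOf), and the Rules Evaluation Algorithm choosing between first-applicable and evaluate-all. The role labels, the extra "Network Team" rule and the sample AD group lists are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One role-mapping rule: membership of an AD group grants a CPPM role."""
    group: str
    role: str


@dataclass
class RoleMappingPolicy:
    default_role: str
    rules: list = field(default_factory=list)
    # Rules Evaluation Algorithm: False = first applicable rule wins,
    # True = evaluate all rules and collect every matching role.
    evaluate_all: bool = False

    def map_roles(self, member_of):
        """Resolve the roles for a user whose AD memberOf attribute is member_of."""
        groups = {g.casefold() for g in member_of}  # AD group names are case-insensitive
        matched = []
        for rule in self.rules:
            if rule.group.casefold() in groups:
                matched.append(rule.role)
                if not self.evaluate_all:
                    break
        # No rule matched: the policy's Default Role (Read Only) applies.
        return matched or [self.default_role]


def build_policy(evaluate_all=False):
    """Policy mirroring the article: Default Role = Read Only, Domain Admins -> Super Admin.
    Role labels and the second rule are constructed for this example."""
    return RoleMappingPolicy(
        default_role="TACACS Read Only",
        rules=[Rule("Domain Admins", "TACACS Super Admin"),
               Rule("Network Team", "TACACS Network Admin")],
        evaluate_all=evaluate_all,
    )


def resolve(member_of, evaluate_all=False):
    """Run the constructed policy for one user and return the list of roles."""
    return build_policy(evaluate_all).map_roles(member_of)


if __name__ == "__main__":
    # Constructed AD results: the article's test user and a plain domain user.
    print(resolve(["Domain Users", "Domain Admins"]))  # ['TACACS Super Admin']
    print(resolve(["Domain Users"]))                    # ['TACACS Read Only']
```

A user in both groups gets only the first matching role under first-applicable, but both roles under evaluate-all, which is why the Rules Evaluation Algorithm setting matters when rules overlap.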
Verification: Log in to CPPM as an AD user.
I used a user "super-user" which is a member of the "Domain-Admins" group. As per our configuration, we should get the "TACACS Super Admin" role.
After logging in, navigate to Monitoring » Live Monitoring » Access Tracker and click the most recent event with the user name "your_user".
In this test, username = super-user.
Click the Policies tab to check the role assigned.