How to authenticate Riverbed admin users against ClearPass over TACACS

Aruba Employee

This article explains how to authenticate and assign admin privileges to Riverbed mgmt/admin users.


Riverbed Configuration:

Step 1: Log in to Riverbed, navigate to Configure > Security > TACACS+, and add ClearPass as a TACACS server.





Step 2: Go to Configure > Security > General Security Settings, set the Authentication Methods to "TACACS+; Local", and set the Authorization Policy to "Remote Only".



ClearPass Configuration:

Use the TACACS dictionary below to configure the Enforcement profile.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="">
  <TipsHeader exportTime="Mon Jul 21 13:45:36 CDT 2014" version="6.3"/>
    <TacacsServiceDictionary dispName="Riverbed" name="rbt-exec:unknown">
      <ServiceAttribute dataType="String" dispName="local-user-name" name="local-user-name"/>
    </TacacsServiceDictionary>
</TipsContents>

Step 1: Copy the content above into a text editor such as Notepad and save it as an .xml file. Log in to ClearPass Policy Manager, go to Administration > Dictionaries > TACACS Services, and import the file.

Step 2: Add the Riverbed hostname/IP address as a Network Device in ClearPass under Configuration > Network > Devices. (Use the same Shared Secret Key on both Riverbed and CPPM.)

Step 3: Create a TACACS+ based Enforcement profile as shown below to return the admin privilege to Riverbed.

Note: admin and monitor are the two default privileges in Riverbed.


Step 4: Create a TACACS service and map the above profile in the Enforcement Policy to authenticate and authorize the users.


In the XML file, note that the TacacsServiceDictionary name is "rbt-exec:unknown". This is the Service/Protocol that Riverbed sends in its TACACS authorization query during authentication.

See the pcap output below for reference.


The output below confirms the authentication success and the privilege/role being returned to Riverbed.

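The name the dictionary must carry can be read from the device's own authorization request, which is also the first thing to check when ClearPass reports a service as "not enabled". The Python below is an added example, not part of the original article or of any Aruba or Riverbed code: it decodes a TACACS+ authorization REQUEST as laid out in RFC 8907 and joins the service and protocol arguments. The packet, shared secret, user name, and the split into service=rbt-exec and protocol=unknown are constructed assumptions based on the article's description.

```python
import hashlib, re, struct

TAC_PLUS_AUTHOR = 0x02            # header type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in clear

def xor_pad(body, session_id, key, version, seq_no):
    """RFC 8907 MD5 pad. XOR is symmetric: obfuscates and recovers."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))

def author_request_args(packet, key):
    """Return the argument strings of a TACACS+ authorization REQUEST."""
    version, ptype, seq_no, flags, sid, length = struct.unpack("!BBBB4sI", packet[:12])
    body = packet[12:12 + length]
    if ptype != TAC_PLUS_AUTHOR or seq_no != 1 or len(body) != length or length < 8:
        raise ValueError("not a complete authorization REQUEST")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_pad(body, sid, key, version, seq_no)
    user_len, port_len, rem_len, arg_cnt = body[4:8]
    arg_lens = body[8:8 + arg_cnt]
    pos = 8 + arg_cnt + user_len + port_len + rem_len
    if pos + sum(arg_lens) != len(body):
        raise ValueError("length fields inconsistent: wrong shared secret?")
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii"))
        pos += n
    return args

def dictionary_name(args):
    """Join service and protocol as 'service:protocol' (naming assumed from the article)."""
    av = dict(re.split(r"[=*]", a, maxsplit=1) for a in args if re.search(r"[=*]", a))
    return av["service"] + (":" + av["protocol"] if "protocol" in av else "")

def sample_packet(key):
    """Constructed sample; argument values assumed from the article, not a capture."""
    args = [b"service=rbt-exec", b"protocol=unknown"]
    user, port, rem = b"netadmin", b"ssh", b"192.0.2.10"
    body = bytes([0x06, 0x01, 0x01, 0x01, len(user), len(port), len(rem), len(args)])
    body += bytes(len(a) for a in args) + user + port + rem + b"".join(args)
    sid, version, seq = b"\x12\x34\x56\x78", 0xC0, 1
    header = struct.pack("!BBBB4sI", version, TAC_PLUS_AUTHOR, seq, 0, sid, len(body))
    return header + xor_pad(body, sid, key, version, seq)

if __name__ == "__main__":
    key = b"constructed-shared-secret"
    print(dictionary_name(author_request_args(sample_packet(key), key)))
```

A shared secret that differs between the device and ClearPass shows up here as the length-consistency error, because the recovered length fields no longer add up to the body size.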



Version history: Revision 1 of 1. Last update: 08-07-2014 07:07 AM

This is a great guide, but I'm wondering if the steps change at all if you use the role of "monitor" instead of "admin"? For example, if you wanted to provide read-only access to an end-user, you would not want to use the "admin" role. You'd want to use "monitor" instead. I have not been able to get this to work (I receive an error message within CPPM, stating, "Tacacs service=rbt-exec:unknown not enabled."). Have you tried this at all, and if so, what success have you had?

More information given as I'm testing ClearPass integration with two Riverbed products: portal and ARX devices. Don't follow this completely.

As of now, with ClearPass 6.9.1, it seems Riverbed products use a strange TACACS call that ClearPass will interpret as a request to the "system" dictionary name.

Use this dictionary for your ARX and portal accesses:

<TacacsServiceDictionary dispName="Riverbed" name="system">
<ServiceAttribute allowedValuesCsv="System Administrator,Dashboards User" dataType="String" dispName="riverbed-roles-list" name="riverbed-roles-list"/>
</TacacsServiceDictionary>
