How to authenticate Riverbed admin users against ClearPass over TACACS
This article explains how to authenticate Riverbed management/admin users against ClearPass and assign their admin privileges.
Riverbed Configuration:
Step 1: Log in to Riverbed, navigate to Configure > Security > TACACS+, and add ClearPass as a TACACS server.
Step 2: Go to Configure > Security > General Security Settings, set the Authentication Methods to "TACACS+; Local", and set the Authorization Policy to "Remote Only".
The TACACS dictionary below is needed to configure the Enforcement profile.
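<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Mon Jul 21 13:45:36 CDT 2014" version="6.3"/>
  <TacacsServiceDictionaries>
    <TacacsServiceDictionary dispName="Riverbed" name="rbt-exec:unknown">
      <ServiceAttribute dataType="String" dispName="local-user-name" name="local-user-name"/>
    </TacacsServiceDictionary>
  </TacacsServiceDictionaries>
</TipsContents>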
Step 1: Copy and paste the above content into Notepad and save it as an .xml file. Log in to ClearPass Policy Manager, go to Administration > Dictionaries > TACACS Services, and import the file.
Step 2: Add the Riverbed hostname/IP address as a Network Device in ClearPass under Configuration > Network > Devices. (Use the same Shared Secret Key on both Riverbed and CPPM.)
Step 3: Create a TACACS+ based Enforcement profile as shown below to return the admin privilege to Riverbed.
Note: admin and monitor are the 2 default privileges in Riverbed.
Step 4: Create a TACACS Service and map the above profile in the Enforcement Policy to authenticate and authorize the users.
In the XML file, note that the TacacsServiceDictionary name is "rbt-exec:unknown". This is the Service/Protocol that Riverbed sends in its TACACS authorization query during authentication.
See the pcap output below for reference.
The output below confirms the authentication success and the privilege/role being returned to Riverbed.
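To check the Service/Protocol pair without reading it off a pcap, the following added example (not part of the original article and not Aruba or Riverbed code) decodes a TACACS+ authorization request per RFC 8907 and builds the service:protocol name used for the dictionary. The shared secret, user name and packet are constructed for illustration; the service and protocol arguments are set to match the dictionary name above and are not taken from a Riverbed capture.

```python
import hashlib, re, struct

KEY = b"example-shared-secret"  # constructed; stands in for the key set on Riverbed and CPPM

def tacacs_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: MD5 chained over session_id + key + version + seq_no."""
    seed, pad, block = session_id + key + bytes([version, seq_no]), b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def xor(data, pad):
    return bytes(d ^ p for d, p in zip(data, pad))

def parse_author_request(packet, key):
    """Decode a TACACS+ authorization REQUEST; return its user and arguments."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    body = packet[12:]
    if ptype != 0x02 or len(body) != length or length < 8:
        raise ValueError("not a complete authorization packet")
    if not flags & 0x01:  # unencrypted flag clear: body is obfuscated with the pad
        body = xor(body, tacacs_pad(session_id, key, version, seq_no, length))
    user_len, port_len, rem_len, arg_cnt = body[4:8]
    arg_lens, pos = body[8:8 + arg_cnt], 8 + arg_cnt
    if pos + user_len + port_len + rem_len + sum(arg_lens) != length:
        raise ValueError("field lengths do not add up: wrong shared secret or corrupt packet")
    user = body[pos:pos + user_len].decode()
    pos += user_len + port_len + rem_len
    args = {}
    for n in arg_lens:  # each argument is name=value (mandatory) or name*value (optional)
        name, value = re.split("[=*]", body[pos:pos + n].decode(), maxsplit=1)
        args[name] = value
        pos += n
    return {"user": user, "args": args}

def dictionary_name(args):
    """service:protocol, written the way the dictionary name on this page is."""
    return f"{args.get('service', '<absent>')}:{args.get('protocol', '<absent>')}"

def build_sample(key):
    """Constructed request (not a Riverbed capture); arguments chosen to match the page."""
    args = [b"service=rbt-exec", b"protocol=unknown"]
    user, port, rem, sid = b"netadmin", b"tty0", b"192.0.2.10", b"\x11\x22\x33\x44"
    body = bytes([6, 1, 1, 1, len(user), len(port), len(rem), len(args)])
    body += bytes(len(a) for a in args) + user + port + rem + b"".join(args)
    head = struct.pack("!BBBB4sI", 0xC0, 0x02, 1, 0, sid, len(body))
    return head + xor(body, tacacs_pad(sid, key, 0xC0, 1, len(body)))

SAMPLE = build_sample(KEY)
```

A mismatched shared secret between Riverbed and CPPM shows up here as a length or decoding error, because the body no longer deobfuscates into consistent field lengths.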