AAA, NAC, Guest Access & BYOD


Solutions for legacy and existing products and solutions, including Clearpass, CPPM, OnBoard, OnGuard, Guest, QuickConnect, AirGroup, and Introspect

How to customize ClearPass SSH login 

May 06, 2020 05:04 AM

Requirement:

 

Customize ClearPass SSH login to allow AD users to log in to the ClearPass CLI using their AD accounts.

 



Solution:

 

  • ClearPass versions prior to 6.8.0 only allow CLI login with "appadmin" as the username.
  • Starting from 6.8.0, CLI login can be customized to allow other users, such as AD users, to log in to ClearPass over SSH with their AD credentials.
  • A CLI login with any username other than appadmin generates a TACACS request, which is visible in Access Tracker.
  • We can create a customized TACACS login service in ClearPass to handle these requests.

 



Configuration:

 

  • Please use the following service rules to differentiate TACACS SSH login requests from other TACACS requests:

 

           

  • You can map AD or any other source as the user authentication source in the Authentication section.
  • Authorization and roles can be defined for users based on the requirement.
  • The important part of this configuration is to create a TACACS+ enforcement profile. The profile should be configured as below:

 

          

 

Note: The privilege for all CLI/SSH user logins will be the same (i.e. Super Administrator) and cannot be modified or customized as of now.
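
Because every accepted CLI/SSH login receives Super Administrator and each non-appadmin login appears as a TACACS request, it is worth reviewing those records against a list of approved administrators. The script below is an added example, not part of the original article or Aruba's code; the CSV columns, service name, usernames, allowlist and threshold are constructed assumptions and do not represent ClearPass's actual export format.

```python
import csv
import io
from collections import Counter

# Constructed sample of exported TACACS session records. Column names, the
# service name and all values are assumptions made for this example.
SAMPLE_EXPORT = r"""timestamp,username,service,status
2020-05-06T04:10:02,jdoe,CLI SSH Login,ACCEPT
2020-05-06T04:12:40,CORP\asmith,CLI SSH Login,ACCEPT
2020-05-06T04:15:11,helpdesk1,CLI SSH Login,ACCEPT
2020-05-06T04:16:00,netops@corp.example,Switch Admin Login,ACCEPT
2020-05-06T04:20:01,svc-backup,CLI SSH Login,REJECT
2020-05-06T04:20:05,svc-backup,CLI SSH Login,REJECT
2020-05-06T04:20:09,svc-backup,CLI SSH Login,REJECT
2020-05-06T04:21:30,JDoe@corp.example,CLI SSH Login,REJECT
"""

APPROVED_CLI_ADMINS = {"jdoe", "asmith"}  # hypothetical allowlist
CLI_SERVICE = "CLI SSH Login"             # hypothetical service name
REJECT_THRESHOLD = 3                      # hypothetical alerting threshold


def normalize(username):
    """Reduce DOMAIN\\user and user@domain forms to a bare lowercase name."""
    name = username.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def audit_cli_logins(export_text, approved=APPROVED_CLI_ADMINS,
                     service=CLI_SERVICE, threshold=REJECT_THRESHOLD):
    """Return (accepted logins by unapproved users, users with many rejects)."""
    unapproved = []
    rejects = Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["service"] != service:
            continue  # other TACACS services are out of scope here
        user = normalize(row["username"])
        if row["status"] == "ACCEPT":
            if user not in approved:
                unapproved.append((row["timestamp"], user))
        else:
            rejects[user] += 1
    noisy = {u: n for u, n in rejects.items() if n >= threshold}
    return unapproved, noisy
```
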

 



Verification
  • Snippets of access tracker request:

           

           

           

             

             
