Regular Contributor II

Airwave TACACS athentication with clearpass

Hi community,


we would like to do the Airwave login via TACACs with Clearpass, we use Airwave version and Clearpass version

Airwave reports with the TACACs login at the Clearpass which also sends an Accept, but the login at the Airwave still fails.
in the Access Tracker this is shown here:


the service shows like this:



I hope anyone can help me with this servcie policie.



MVP Expert

Re: Airwave TACACS athentication with clearpass

Service configuration looks fine. A simple question, is the request hitting the correct service? 


Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
Aruba Employee

Re: Airwave TACACS athentication with clearpass

The key piece of information in your screenshots is right at the top: "No enforcement profiles matched to perform command authorization."  The bit about https not enabled led you down the wrong trail.  It's not that you set up your enforcemnt profile incorrectly  - you had an AMP:https service set up for enforcement it, after all.


The problem is that none of your conditions in your enforcement policy matched, so no actions were triggered.


The big lesson here is that Access Tracker is your friend. 


Take a look at your TACACS authentication request in Access Tracker, select the Polices tab and look at the Role list.  Dollars to donuts, none of them match the trigger conditions in your enforcement profile.


I'll speculate why that might be.  You have your role mapping blurred out, but it looks like you're doing a check of group membership on a specific AD server.  That'll work if you only have one AD server, but if the authorization came from a different server, the role mapping rule won't match so you won't get the role assigned (which keeps your enforcement profile from triggering.)  You might think the answer is to write role mapping rules for every possible AD server, but don't.  That's a terrible idea - way too hard to maintain, way too easy to make mistakes.


It'd be better to edit your Configuraiton/Authentication/Sources  AD Attributes and make Authentication "memberof" automatically map into roles (as in TIPs roles).  Those roles will have long names; something like "CN=DomainName;CN=Users;DC=xyzcorp;DC=com", but they're quite usable and they (probably) aren't tied to a specific AD server.  With the right role mapping, your policy conditions will trigger and you'll be logging into Airwave like a champ.


It bears repeating: Access Tracker is your best troubleshooting friend.  Using it to see what roles are getting assigned should be at the top of everyone's list when troubleshooting something like this.

Frequent Contributor I

Re: Airwave TACACS athentication with clearpass

i have same issue last month,


the trick is, you create new role like "AMP-Admin" in your airwave,


and then, in your "enforcement profile - AMP-Admin" , change value "Admin" to "AMP-Admin"

Search Airheads
Showing results for 
Search instead for 
Did you mean: