Frequent Contributor II

Authenticate external tacacs to ClearPass WebUI

In a recent presentation about CP 6.7 I’ve found a slide that says:

External TACACS server for ClearPass WebUI authentication support.

Unfortunately, I cannot find this option in 6.7, nor can I find anything about this in the 6.7 user guide. Does anybody know how to configure this?



- - - - Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE - - - -
- - - - - - - Feel free to give kudos or accept as a solution! - - - - - - - - -
Frequent Contributor II

Re: Authenticate external tacacs to ClearPass WebUI

I found it:

Page 548 in the user guide.

Configurable under:

Cluster wide parameters > Tacacs



- - - - Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE - - - -
- - - - - - - Feel free to give kudos or accept as a solution! - - - - - - - - -
Frequent Contributor II

Re: Authenticate external tacacs to ClearPass WebUI

 

I'm missing the configuration part of this.

For a customer, I want to use their Cisco TACACS+ server and use ClearPass as a TACACS+ client for remote WebUI login.

What TACACS attributes can I send from the server to ClearPass? Can I just send a Privilege Level, like: Super Administrator?

Do I need to configure any service in ClearPass, or does it really behave as a 100% TACACS client?



- - - - Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE - - - -
- - - - - - - Feel free to give kudos or accept as a solution! - - - - - - - - -
Occasional Contributor I

Re: Authenticate external tacacs to ClearPass WebUI

Has anyone successfully configured CPPM to use an external TACACS server yet?

 

Any idea what av_pairs CPPM is looking for?

 

Guru Elite

Re: Authenticate external tacacs to ClearPass WebUI

TACACS+ does not use avpair.

 

The cpass:HTTP service is used with the AdminPrivilege attribute.

 


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: Authenticate external tacacs to ClearPass WebUI

Hi Tim,

 

I am a newbie on ClearPass, but what do you mean by

"The cpass:HTTP service is used with the AdminPrivilege attribute"

Is that a custom attribute on the Cisco ACS?

Or is it a service in the ClearPass manager?

 

regards

 

Peter

Guru Elite

Re: Authenticate external tacacs to ClearPass WebUI

Custom attribute in ACS.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: Authenticate external tacacs to ClearPass WebUI

Hi Tim thanks for your response.

 

But which attribute do I need?

[Attached image: 2018-08-28_16-28-02.png]

Re: Authenticate external tacacs to ClearPass WebUI

Hi Peter,

 

You need to configure the attribute and value as,

Attribute = AdminPrivilege

Value = Super Administrator 

 

Other admin privileges in ClearPass.

[Attached image: admin_priv.jpg]

 

Note: As mentioned by Tim, the service type should be cpass:HTTP, i.e. service=cpass and protocol=http when you create TACACS+ service/customer attributes in ACS.

 


Thank you,
Saravanan Rajagopal

**Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the post.

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.