Security

In a recent presentation about CP 6.7 I’ve found a slide that says:

External TACACS server for ClearPass WebUI authentication support.

Unfortunately, I cannot find this option in 6.7, nor can i find anything about this in the 6.7 user guide. Does anybody know how to configure this?

I found it:

Page 548 in the user guide. 

configurable under:

Cluster wide paramaters > Tacacs

I'm missing the configuration part of this.

For a customer, i want to use their cisco tacacs+ server and use clearpass as a tacacs+ client for remote webui login.

What tacacs attrributes can i send from the server to clearpass? can i just send a Privilige Level, like: Super Administrator

Do i need to configure any service in clearpass, or does it really behave as a 100% tacacs client?

Has anyone successfully configured CPPM to use an external TACACS server yet?

Any idea what av_pairs CPPM is looking for?

TACACS+ does not use avpair.

The cpass:HTTP service is used with the AdminPrivilege attribute.

Hi Tim,

I am a newbee on clearpass but wat do you mean by 

"The cpass:HTTP service is used with the AdminPrivilege attribute"

is that a custom attribute on the Cisco ACS ?

or is it a service in the Clearpass manager?

regards

Peter

Hi Tim thanks for your response.

but  which attribute do i need?

Hi Peter,

You need to configure attribiute and value as,

Attribute = AdminPrivilege

Value = Super Administrator 

Other admin privileges in ClearPass.

Note: As mentioned by TIm, the service type should be cpass:HTTP, i.e. service=cpass and protocol=http when you create TACACS+ service/customer attributes in ACS.