Contributor II

Authenticate external tacacs to ClearPass WebUI

In a recent presentation about CP 6.7 I’ve found a slide that says:

 

External TACACS server for ClearPass WebUI authentication support.

 

Unfortunately, I cannot find this option in 6.7, nor can I find anything about this in the 6.7 user guide. Does anybody know how to configure this?

----------------------------------------------------------------------------------------
Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE
Contributor II

Re: Authenticate external tacacs to ClearPass WebUI

I found it:

Page 548 in the user guide. 

 

Configurable under:

Cluster wide parameters > Tacacs

 

 

----------------------------------------------------------------------------------------
Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE
Contributor II

Re: Authenticate external tacacs to ClearPass WebUI

 

I'm missing the configuration part of this.

 

For a customer, I want to use their Cisco TACACS+ server and use ClearPass as a TACACS+ client for remote WebUI login.

 

What TACACS attributes can I send from the server to ClearPass? Can I just send a Privilege Level, like: Super Administrator

 

Do I need to configure any service in ClearPass, or does it really behave as a 100% TACACS client?

----------------------------------------------------------------------------------------
Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE
New Contributor

Re: Authenticate external tacacs to ClearPass WebUI

Has anyone successfully configured CPPM to use an external TACACS server yet?

 

Any idea what av_pairs CPPM is looking for?

 

Guru Elite

Re: Authenticate external tacacs to ClearPass WebUI

TACACS+ does not use avpair.

 

The cpass:HTTP service is used with the AdminPrivilege attribute.

 


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: Authenticate external tacacs to ClearPass WebUI

Hi Tim,

 

I am a newbie on ClearPass, but what do you mean by

"The cpass:HTTP service is used with the AdminPrivilege attribute"

 

Is that a custom attribute on the Cisco ACS?

Or is it a service in the ClearPass manager?

 

Regards

 

Peter

Guru Elite

Re: Authenticate external tacacs to ClearPass WebUI

Custom attribute in ACS.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: Authenticate external tacacs to ClearPass WebUI

Hi Tim, thanks for your response.

 

But which attribute do I need?

[Attached image: 2018-08-28_16-28-02.png]

Aruba Employee

Re: Authenticate external tacacs to ClearPass WebUI

Hi Peter,

 

You need to configure the attribute and value as:

Attribute = AdminPrivilege

Value = Super Administrator 

 

Other admin privileges in ClearPass.

[Attached image: admin_priv.jpg]

 

Note: As mentioned by Tim, the service type should be cpass:HTTP, i.e. service=cpass and protocol=http when you create TACACS+ service/customer attributes in ACS.

 


Thank you,
Saravanan Rajagopal
