Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Brocade AVP pair not being returned by CPPM

  • 1.  Brocade AVP pair not being returned by CPPM

    Posted Mar 04, 2017 11:30 AM

    Hi,


    Does anybody have any experience with Brocade NOS switches authenticating and authorising using ClearPass? We are attempting to do this but are struggling with the authorisation. We are using TACACS for this. We see the Brocade switch send both service=shell and brcd-role*, but despite being configured to return priv-lvl 15 and the brcd-role 'admin', only the 'priv-lvl 15' is returned. Because the 'admin' role is not returned, the default 'user' role is assumed and the user cannot edit the switch configuration.


    Just wondering if anybody else has experienced this and if they managed to get this working?


    Thanks



  • 2.  RE: Brocade AVP pair not being returned by CPPM

    Posted Mar 05, 2017 03:15 PM

    I found out that the asterisk (*) sent with the brcd-role indicates that this is an 'optional' parameter that ClearPass doesn't need to respond to. However, we have defined 'brcd-role' as a valid attribute with a configured string 'admin', yet ClearPass is not sending this back to the switch. It is only sending back the priv-lvl 15?



  • 3.  RE: Brocade AVP pair not being returned by CPPM

    Posted Jun 06, 2018 12:24 PM

    To anyone else that's banging their head against the wall with this issue, I think I finally found a way to make it work in ClearPass. You have to update the TACACS+ Services Dictionary. For the existing "Shell" service, you need to add a service attribute "brcd-role" and name it "brcd-role". The dataType needs to be a string. Import the updated TACACS+ dictionary, and when you go to configure your enforcement policy and use the "Shell" service attribute type, you will see the "brcd-role" name is now available. Select the new name and then you can supply either of the built-in roles (admin or user). You could also use a custom role in theory if you have one configured on the device.
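
The exchange described in the first post and the fix in this reply, as an added example that is not part of the thread and not code from Brocade or HPE Aruba ClearPass. The separator semantics follow RFC 8907 section 6.1 ('=' marks a mandatory argument, '*' an optional one). Two things are modelled from what the posts report rather than from vendor documentation and are therefore assumptions: the server emits only reply attributes that its TACACS+ services dictionary defines for the requested service, and the switch falls back to the 'user' role when no brcd-role comes back. The dictionary contents, enforcement values and request arguments are constructed for the illustration.

```python
"""TACACS+ authorization arguments, as in the Brocade/ClearPass exchange above.

Added example; not code from this thread, from Brocade, or from HPE Aruba
ClearPass.  Separator semantics follow RFC 8907 section 6.1 ('=' marks a
mandatory argument, '*' an optional one).  The server-side filtering (only
attributes defined in the TACACS+ services dictionary are emitted) and the
switch-side default role ('user' when brcd-role is absent) model what the
posts report; they are assumptions, not vendor documentation.
"""
from dataclasses import dataclass
from typing import Dict, List

Dictionary = Dict[str, Dict[str, str]]  # service -> {attribute name: dataType}


@dataclass(frozen=True)
class Arg:
    name: str
    value: str
    mandatory: bool

    def encode(self) -> str:
        """Wire form: name=value for mandatory, name*value for optional."""
        return f"{self.name}{'=' if self.mandatory else '*'}{self.value}"


def parse_arg(raw: str) -> Arg:
    """Split at the first '=' or '*'; the separator decides mandatory/optional."""
    positions = [i for i in (raw.find("="), raw.find("*")) if i >= 0]
    if not positions:
        raise ValueError(f"no separator in TACACS+ argument: {raw!r}")
    i = min(positions)
    return Arg(raw[:i], raw[i + 1:], mandatory=(raw[i] == "="))


# Constructed TACACS+ services dictionary before and after the fix in reply 3.
DICTIONARY_BEFORE: Dictionary = {"shell": {"priv-lvl": "integer"}}
DICTIONARY_AFTER: Dictionary = {"shell": {"priv-lvl": "integer", "brcd-role": "string"}}

# Enforcement profile as the original poster describes it (constructed values).
ENFORCEMENT = {"priv-lvl": "15", "brcd-role": "admin"}

# Authorization request the switch sends (constructed from the thread's description).
REQUEST = ["service=shell", "brcd-role*"]


def build_reply(request: List[str], enforcement: Dict[str, str],
                dictionary: Dictionary) -> List[Arg]:
    """Server side: emit only attributes the dictionary defines for the service.

    Attributes the dictionary does not know are dropped, which reproduces the
    symptom in the first post: the profile says brcd-role=admin, but the wire
    carries only priv-lvl=15.
    """
    args = [parse_arg(a) for a in request]
    service = next((a.value for a in args if a.name == "service"), None)
    if service is None:
        raise ValueError("authorization request carries no service= argument")
    known = dictionary.get(service, {})
    reply: List[Arg] = []
    for name, value in enforcement.items():
        if name not in known:
            continue  # assumption: undefined attributes are silently omitted
        if known[name] == "integer" and not value.isdigit():
            raise ValueError(f"{name} must be an integer, got {value!r}")
        reply.append(Arg(name, value, mandatory=True))
    return reply


def effective_role(reply: List[Arg], default: str = "user") -> str:
    """Switch side (assumed): use brcd-role if present, else the default role."""
    for a in reply:
        if a.name == "brcd-role":
            return a.value
    return default


def can_edit_config(reply: List[Arg]) -> bool:
    """Only the admin role may change the running configuration (per the thread)."""
    return effective_role(reply) == "admin"


def demo() -> Dict[str, str]:
    """Compare the reply and resulting role before and after the dictionary update."""
    before = build_reply(REQUEST, ENFORCEMENT, DICTIONARY_BEFORE)
    after = build_reply(REQUEST, ENFORCEMENT, DICTIONARY_AFTER)
    return {
        "before": " ".join(a.encode() for a in before),
        "after": " ".join(a.encode() for a in after),
        "role_before": effective_role(before),
        "role_after": effective_role(after),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running it shows the reply growing from `priv-lvl=15` to `priv-lvl=15 brcd-role=admin` once the dictionary knows the attribute, and the derived role moving from `user` to `admin`. When checking a real deployment, compare the attributes in the Access Tracker output against what the switch's debug shows on the wire; a profile attribute that never appears in the reply is the signature of this dictionary gap.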




  • 4.  RE: Brocade AVP pair not being returned by CPPM

    Posted Jan 27, 2020 04:02 PM

    Hi MarbleRye,


    Please how do you import the updated TACACS+ Services Dictionary?

    Where do you import it from? I am currently having this issue. Brocade VDX6740 NOS switches to be exact. I cannot even authenticate yet, and I do not see any logs for it on the Access Tracker. Instead, I see the logs under Event Viewer, which is very strange. 


    At least I should be able to authenticate even with an "ACCEPT" or "REJECT", but for some reason I do not see logs in Access Tracker, only in Event Viewer.



  • 5.  RE: Brocade AVP pair not being returned by CPPM

    Posted Jul 22, 2020 11:18 AM

    This saved me so much hassle. Thank you, thank you!



  • 6.  RE: Brocade AVP pair not being returned by CPPM

    Posted Sep 02, 2020 06:14 AM

    You have to update the TACACS+ Services Dictionary. For the existing "Shell" service, you need to add a service attribute "brcd-role" and name it "brcd-role". The dataType needs to be a string. Import the updated TACACS+ dictionary and when you go to configure your enforcement policy and use the "Shell" service attribute type, you will see the "brcd-role" name is now available.