ClearPass Admin Login using External TACACS+ Server issue

I am having an issue getting admin accounts to work using an external TACACS+ server. I have followed the guide here and entered the TACACS server IP and shared secret in the cluster-wide parameters, but whenever we try to log in to the GUI/CLI with TACACS credentials it gets denied. Access Tracker shows the login requests hitting the default [Policy Manager Admin Network Login Service], where it checks the Local User and Admin User repositories and then sends a REJECT. On the TACACS server side we don't see any authentication requests coming in from ClearPass. Is there something else I need to do in order to get this working? Is the only config required for this to put in the TACACS server IP and shared secret?


Re: ClearPass Admin Login using External TACACS+ Server issue

Follow this tech support document:

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33287

Regards,
Pavan
If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: ClearPass Admin Login using External TACACS+ Server issue

This guide is for configuring ClearPass to be a TACACS server; I want to use an external (not ClearPass) TACACS server to authenticate admin logins on ClearPass. The guide linked in my original post should be the relevant one, and I followed it, but it doesn't seem to be working.

Re: ClearPass Admin Login using External TACACS+ Server issue

Hi,

What is the ClearPass Version?

An external TACACS server can only be used for the GUI and not for CLI/SSH, up to ClearPass 6.7.x.

The ClearPass server follows this order:

  • Local Admin Repository
  • then tries the external/remote TACACS server
  • then generates a TACACS request locally.

If you see the login request hitting the default service "[Policy Manager Admin Network Login Service]" on the local server, then ClearPass is not able to reach the external server, or the external server rejected/dropped the request.

You can run a packet capture from the ClearPass server to confirm whether the TACACS auth request to the external server is being sent or not.

Navigation to run a packet capture: Administration >> Server Manager >> Server Configuration >> Collect Logs >> check the box "Capture network packets, Duration of dump" (ensure all the other boxes are not checked).

Thank you,
Saravanan Rajagopal

**Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the post.
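
The packet-capture check above, as an added example (this is not code from the thread, from Aruba or from ClearPass): a small Python scanner that walks captured Ethernet frames and reports only TACACS+ authentication START packets sent from the ClearPass node to the external server. The addresses 10.0.0.5 (ClearPass) and 10.0.0.49 (TACACS+ server), the user name and the two sample frames are constructed for the demo; the TACACS+ header layout is the one in RFC 8907. Real TACACS+ bodies are obfuscated with the shared secret, so the scanner only decodes the cleartext 12-byte header, which is enough to tell an authentication request from authorization or accounting traffic.

```python
"""Added example: find TACACS+ authentication requests in a packet dump.

Assumptions (mine, not the original post's): ClearPass is 10.0.0.5, the
external TACACS+ server is 10.0.0.49, frames are Ethernet II / IPv4 / TCP.
The sample frames below are constructed, not taken from a real capture.
"""
import ipaddress
import struct

TACACS_PORT = 49
TAC_PLUS_AUTHEN = 1               # header "type": authentication (RFC 8907 4.1)
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body not obfuscated (real traffic clears this)
TAC_PLUS_VERSION = 0xC0           # major 12, minor 0


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet II + IPv4 + TCP frame (checksums left at zero)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0x4000, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth_hdr + ip_hdr + tcp_hdr + payload


def build_authen_start(session_id, user, port="tty0", rem_addr="10.0.0.7"):
    """Constructed TACACS+ authentication START (RFC 8907 5.1), unencrypted."""
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1)
    body = struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    body += user.encode() + port.encode() + rem_addr.encode()
    hdr = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1,
                      TAC_PLUS_UNENCRYPTED_FLAG, session_id, len(body))
    return hdr + body


def parse_frame(frame):
    """Return (src, dst, sport, dport, tcp_payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                        # not TCP
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[doff:]


def parse_tacacs_header(payload):
    """Decode the 12-byte TACACS+ header; None if the segment is too short."""
    if len(payload) < 12:
        return None
    ver, ptype, seq, flags, session_id, length = struct.unpack("!BBBBII", payload[:12])
    return {"major": ver >> 4, "minor": ver & 0x0F, "type": ptype, "seq_no": seq,
            "flags": flags, "session_id": session_id, "body_len": length}


def tacacs_requests(frames, clearpass_ip, server_ip):
    """Authentication START packets ClearPass actually sent toward server_ip."""
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if src != clearpass_ip or dst != server_ip or dport != TACACS_PORT:
            continue
        hdr = parse_tacacs_header(payload)
        if hdr is None or hdr["major"] != 0xC:            # not TACACS+ v12.x
            continue
        if hdr["type"] == TAC_PLUS_AUTHEN and hdr["seq_no"] == 1:
            found.append(hdr)
    return found


CLEARPASS_IP = "10.0.0.5"
TACACS_SERVER_IP = "10.0.0.49"

# Constructed capture: the GUI login produces a TACACS+ START to the server;
# the SSH login only shows the admin's own SSH session to ClearPass.
SAMPLE_FRAMES = [
    build_frame(CLEARPASS_IP, TACACS_SERVER_IP, 51234, TACACS_PORT,
                build_authen_start(0x1A2B3C4D, "netadmin")),
    build_frame("10.0.0.7", CLEARPASS_IP, 50001, 22, b"SSH-2.0-OpenSSH_8.4\r\n"),
]


def main():
    reqs = tacacs_requests(SAMPLE_FRAMES, CLEARPASS_IP, TACACS_SERVER_IP)
    print(f"{len(reqs)} TACACS+ authentication request(s) sent to {TACACS_SERVER_IP}")
    for r in reqs:
        print(f"  session 0x{r['session_id']:08x}, version {r['major']}.{r['minor']}, "
              f"body {r['body_len']} bytes, flags 0x{r['flags']:02x}")


if __name__ == "__main__":
    main()
```

Feed `tacacs_requests` the raw frames from the Collect Logs dump (any pcap reader that yields Ethernet frames will do) with your own node and server addresses. A GUI login should yield one START per attempt and an SSH login none, which is the quickest way to separate "ClearPass never sent anything" from "the server dropped or rejected it" before you start checking the shared secret. For a plain yes/no, `tcpdump -nr dump.pcap 'tcp dst port 49 and dst host 10.0.0.49'` answers the same question; the header decode is what lets you distinguish an authentication START (type 1, seq_no 1) from authorization or accounting packets on the same port.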

Re: ClearPass Admin Login using External TACACS+ Server issue

OK, this is the info I was looking for, I guess: external CLI/SSH authentication against an external TACACS+ server is not supported. I also confirmed this with a packet capture as you suggested (ClearPass is version 6.8.1): when logging into the ClearPass GUI it communicates with the external TACACS+ server; however, when logging into ClearPass via SSH it does not send anything to the TACACS+ server.

Re: ClearPass Admin Login using External TACACS+ Server issue

Yes, the behavior is the same in 6.8.x :)

Thank you,
Saravanan Rajagopal
