Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Admin Login using External TACACS+ Server issue

  • 1.  ClearPass Admin Login using External TACACS+ Server issue

    Posted Jul 18, 2019 07:35 PM

    I am having an issue getting admin accounts to work using an external TACACS+ server.  I have followed the guide here and entered the TACACS server IP and shared secret in the cluster-wide parameters, but whenever we try to log in to the GUI/CLI with TACACS credentials it is denied.  Access Tracker shows the login requests hitting the default [Policy Manager Admin Network Login Service], where it checks the Local User and Admin User repositories and then sends a REJECT.  On the TACACS server side we don't see any authentication requests coming in from ClearPass.  Is there something else I need to do in order to get this working?  Is the only config required for this to put in the TACACS server IP and shared secret?



  • 2.  RE: ClearPass Admin Login using External TACACS+ Server issue



  • 3.  RE: ClearPass Admin Login using External TACACS+ Server issue

    Posted Jul 19, 2019 10:58 AM
    This guide is for configuring ClearPass to be a TACACS server, I want to use an external (not clearpass) TACACS server to authenticate admin logins on ClearPass. The guide linked in my original post should be the relevant one, and I followed it, but it doesn’t seem to be working.


  • 4.  RE: ClearPass Admin Login using External TACACS+ Server issue
    Best Answer

    EMPLOYEE
    Posted Jul 19, 2019 04:03 PM

    Hi,


    What is the ClearPass Version?

    An external TACACS server can only be used for the GUI and not for CLI/SSH, up to ClearPass 6.7.x.

    The ClearPass server follows this order:

    • Local Admin Repository
    • then tries the external/remote TACACS server
    • then generates a TACACS request locally.


    If you see the login request hitting the default service "[Policy Manager Admin Network Login Service]" on the local server, then ClearPass is not able to reach the external server, or the external server rejected/dropped the request.

    You can run packet capture from the ClearPass server to confirm whether the TACACS auth request to the external server is being sent or not.


    Navigation to run a packet capture: Administration >> Server Manager >> Server Configuration >> Collect Logs >> check the box "Capture network packets" and fill in "Duration of dump" (ensure all the other boxes are not checked).

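The accepted answer above suggests confirming from a packet capture whether ClearPass actually sends a TACACS+ request. As an added example (not part of this thread, and not HPE Aruba or ClearPass code), the Python below parses a pcap file such as the one ClearPass's Collect Logs produces, picks out TCP packets addressed to the TACACS+ server on port 49, and de-obfuscates the authentication START body with the shared secret as specified in RFC 8907. If the secret configured on ClearPass does not match the server's, the body does not decode to a sane START packet, and a server that cannot decode the body will normally reject or drop it rather than log an authentication attempt. The IP addresses, shared secret, session ID and packet contents are constructed for the demo: `build_capture()` fabricates the pcap inline so the script runs offline, and the parser handles Ethernet link-type captures only. Point `find_tacacs_requests()` at the bytes of a real capture and your own TACACS server IP to use it on a ClearPass dump.

```python
"""Find TACACS+ requests in a pcap and decode the authentication START body.

Added example, not from the forum thread or from HPE Aruba. Addresses, secret,
session ID and packets below are constructed for the demo.
"""
import hashlib
import ipaddress
import struct

TACACS_PORT = 49
TAC_PLUS_AUTHEN = 1          # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 1    # START action: login
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def tacacs_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: MD5(session_id, key, version, seq_no[, previous digest]), chained."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: bytes, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR with the pseudo-pad."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(secret: bytes, session_id: bytes, user: str, port: str, rem_addr: str) -> bytes:
    """12-byte TACACS+ header followed by an obfuscated ASCII-login START body (client's first packet)."""
    version, seq_no, flags = 0xC0, 1, 0   # major version 0xC, minor 0; seq_no 1 = first packet of session
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    # action, priv_lvl, authen_type (1 = ASCII), authen_service (1 = LOGIN), user/port/rem_addr/data lengths
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, 1, 1, len(u), len(p), len(r), 0) + u + p + r
    header = struct.pack("!BBBB4sI", version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + xor_body(body, session_id, secret, version, seq_no)


def tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame around payload (checksums left zero; the parser does not verify them)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def pcap(frames) -> bytes:
    """Classic little-endian pcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1563580800 + i, 0, len(f), len(f)) + f
    return out


def build_capture(secret: bytes, clearpass_ip="192.0.2.20", tacacs_ip="192.0.2.10", user="admin") -> bytes:
    """Constructed capture: one HTTPS packet (noise) and one TACACS+ START from ClearPass to the server."""
    start = build_authen_start(secret, b"\x11\x22\x33\x44", user, "tty0", "198.51.100.7")
    return pcap([
        tcp_frame("198.51.100.7", clearpass_ip, 51000, 443, b"\x16\x03\x01" + b"\x00" * 8),  # admin browser -> GUI
        tcp_frame(clearpass_ip, tacacs_ip, 40001, TACACS_PORT, start),                        # ClearPass -> TACACS+
    ])


def find_tacacs_requests(pcap_bytes: bytes, server_ip: str):
    """Return TACACS+ packets sent to server_ip:49, each with its parsed header and raw (obfuscated) body."""
    endian = "<" if struct.unpack("<I", pcap_bytes[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("example parser handles Ethernet (link type 1) captures only")
    off, found = 24, []
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4 over TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack("!H", frame[16:18])[0]
        src, dst = str(ipaddress.ip_address(frame[26:30])), str(ipaddress.ip_address(frame[30:34]))
        tcp = frame[14 + ihl:14 + ip_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if dst != server_ip or dport != TACACS_PORT or len(payload) < 12:
            continue
        version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBB4sI", payload[:12])
        found.append({"src": src, "dst": dst, "sport": sport, "version": version, "type": ptype,
                      "seq_no": seq_no, "flags": flags, "session_id": session_id,
                      "body": payload[12:12 + length]})
    return found


def decode_authen_start(req: dict, secret: bytes):
    """De-obfuscate an authentication START; returns None when the body does not parse (e.g. wrong secret)."""
    if req["type"] != TAC_PLUS_AUTHEN:
        return None
    body = req["body"] if req["flags"] & TAC_PLUS_UNENCRYPTED_FLAG else \
        xor_body(req["body"], req["session_id"], secret, req["version"], req["seq_no"])
    if len(body) < 8:
        return None
    action, priv, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    if action not in (1, 2, 3) or 8 + ul + pl + rl + dl != len(body):
        return None                                    # lengths do not add up: garbage from a bad key
    fields, pos = [], 8
    for n in (ul, pl, rl):
        fields.append(body[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return {"action": action, "priv_lvl": priv, "authen_type": authen_type, "service": service,
            "user": fields[0], "port": fields[1], "rem_addr": fields[2]}


if __name__ == "__main__":
    capture = build_capture(b"s3cret")
    for req in find_tacacs_requests(capture, "192.0.2.10"):
        print(f"{req['src']}:{req['sport']} -> {req['dst']}:49 seq={req['seq_no']}")
        print("  with configured secret:", decode_authen_start(req, b"s3cret"))
        print("  with mismatched secret:", decode_authen_start(req, b"wrong-secret"))
```

If the capture taken during an SSH login contains no packets at all to port 49 on the TACACS server, ClearPass never attempted the external lookup, which matches the behaviour described in this thread; if the packets are there but the body only decodes with the right secret on your side, check that the same secret is configured on the server.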


  • 5.  RE: ClearPass Admin Login using External TACACS+ Server issue

    Posted Jul 19, 2019 06:16 PM

    OK, this is the info I was looking for, I guess: CLI/SSH authentication against an external TACACS+ server is not supported.  I also confirmed this with a packet capture as you suggested (ClearPass is version 6.8.1): when logging in to the ClearPass GUI it communicates with the external TACACS+ server, however when logging in to ClearPass via SSH it does not send anything to the TACACS+ server.



  • 6.  RE: ClearPass Admin Login using External TACACS+ Server issue

    EMPLOYEE
    Posted Jul 19, 2019 06:38 PM

    Yes, the behavior is the same in 6.8.x :)