Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass RADIUS Auth For Cisco UCS

  • 1.  ClearPass RADIUS Auth For Cisco UCS

    Posted May 19, 2015 04:04 PM

    I'm trying to set up our new Cisco UCS system for RADIUS authentication pointing to ClearPass.  Anybody done this before? Any specific documentation about AV pairs or what to return for a passed authentication? I'm getting mixed results doing Google searches and it doesn't look like this one is built into ClearPass.



  • 2.  RE: ClearPass RADIUS Auth For Cisco UCS

    Posted May 19, 2015 10:14 PM

    Have you tried creating a RADIUS enforcement profile using the following:

    Using Radius:Cisco > Cisco AVP Pair > shell:<context-name>=<Role-name>



  • 3.  RE: ClearPass RADIUS Auth For Cisco UCS
    Best Answer

    Posted May 20, 2015 03:29 PM

    Found it...Victor was close:


    Source: http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/2-0/b_UCSM_GUI_Configuration_Guide_2_0/b_UCSM_GUI_Configuration_Guide_2_0_chapter_0111.html
    The vendor ID for the Cisco RADIUS implementation is 009 and the vendor ID for the attribute is 001.
    The following syntax example shows how to specify multiple user roles and locales if you choose to create the cisco-avpair attribute: shell:roles="admin,aaa" shell:locales="L1,abc". Use a comma "," as the delimiter to separate multiple values.



  • 4.  RE: ClearPass RADIUS Auth For Cisco UCS

    Posted Apr 14, 2020 07:12 AM

    Any thoughts on how to do this with TACACS?  In a migrating Cisco ACS config, they are using TACACS for authentication, and then sending a cisco-av-pair with the aforementioned shell profiles.  In ClearPass, it does not appear possible to send a VSA when using TACACS.  The cisco-av-pair exists in a RADIUS dictionary, not a TACACS dictionary.   Reference https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucs-manager/GUI-User-Guides/Admin-Management/3-1/b_Cisco_UCS_Admin_Mgmt_Guide_3_1/b_Cisco_UCS_Admin_Mgmt_Guide_3_1_chapter_0100.html on how Cisco shows this being required.  If one does not pass this role, the UCS role will either prevent login or end up read-only.

    Thanks!

    Gary



  • 5.  RE: ClearPass RADIUS Auth For Cisco UCS

    EMPLOYEE
    Posted Apr 15, 2020 04:41 PM

    Hi,


    You can create a TACACS+ dictionary with the attribute cisco-av-pair and return the attribute with the required value through an enforcement. Export one of the existing TACACS+ dictionaries and follow a similar format to create a new one.


    You could work with TAC and get assistance with the TACACS+ dictionary if needed.