Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass TACACs service setup

  • 1.  Clearpass TACACs service setup

    Posted Jul 12, 2017 06:38 AM

    Hi Community,

     

    I was wondering if you could advise me on how to set up a TACACS service on ClearPass.

     

    The TACACs service would be used to authenticate users who want to log into switches with their AD account. The switches are Alcatel switches.

     

    When I go to set up the service for TACACS, I select “TACACS+ Enforcement”. I am not sure how to set up the service rule/conditions that deal with authentication requests coming from a device, but have come up with the following:

     

    Would this service rule work:

     

    Type=Authentication

    Name=Source

    Operator=BELONGS_TO

    Value= This would be a static host list that has been created

    I will then also enable “Authorization”

     

    The static host list would be created based on subnet.

     

    The authentication would then be AD

    The authorization would then be AD

     

    The roles would then be if “Authorization:AD:member of contains Technical”

     

    I am not sure what would be used for enforcement as when I go to create this I get the following. Please see attached picture. 

     

     

     

    What do I set for privilege level?

    What do I set for selected services?

    What do I set for authorize attribute service?

    What do I set for service attributes?

     

    What do I then set up for Enforcement policies?

     

    I hope the above makes sense and you guys can advise me further?

     

    Many Thanks



  • 2.  RE: Clearpass TACACs service setup



  • 3.  RE: Clearpass TACACs service setup
    Best Answer

    EMPLOYEE
    Posted Jul 13, 2017 03:58 AM

    And another example for ArubaOS switch in this video:

    http://community.arubanetworks.com/t5/Video/Aruba-ClearPass-Workshop-Admin-Access-3-ArubaOS-switch-admin/ta-p/295525

     

    Alcatel switch manual is here. It doesn't mention special requirements, so returning privilege level 15 and service Shell would be my first try. Then under commands 'Permit unmatched commands'. That is pretty basic. Some switches require more specific information, like in the video we had to add priv-lvl=15 as a Service attribute to skip the enable prompt; but that is specific to ArubaOS switches.

     

    Hope this helps you in the right direction.
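To make concrete what the switch actually receives when the enforcement profile above returns service Shell and privilege level 15, here is an added example (not from the thread, ClearPass or Alcatel) that builds and parses a TACACS+ authorization REPLY body as laid out in RFC 8907 section 6.2, and checks that it carries the attribute-value pairs an admin-access policy is expected to return. It works on the plaintext body only; the per-session obfuscation TACACS+ applies on the wire is assumed to have been removed already, and the sample replies are constructed inline.

```python
import struct

# Authorization REPLY status codes (RFC 8907, section 6.2)
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
TAC_PLUS_AUTHOR_STATUS_ERROR = 0x11


def build_author_reply(status, args, server_msg=b"", data=b""):
    """Serialise a plaintext authorization REPLY body.

    Layout: status(1) arg_cnt(1) server_msg_len(2) data_len(2)
            arg_1_len..arg_N_len(1 each) server_msg data arg_1..arg_N
    """
    encoded = [a.encode("ascii") for a in args]
    if len(encoded) > 255 or any(len(a) > 255 for a in encoded):
        raise ValueError("too many or too long arguments for one REPLY")
    header = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    arg_lens = bytes(len(a) for a in encoded)
    return header + arg_lens + server_msg + data + b"".join(encoded)


def parse_author_reply(body):
    """Parse a plaintext authorization REPLY body into its fields."""
    if len(body) < 6:
        raise ValueError("REPLY body shorter than fixed header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6
    arg_lens = list(body[pos:pos + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated argument length list")
    pos += arg_cnt
    server_msg = body[pos:pos + msg_len]
    pos += msg_len
    data = body[pos:pos + data_len]
    pos += data_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii"))
        pos += n
    if pos != len(body):
        raise ValueError("REPLY body length does not match declared fields")
    return {"status": status, "server_msg": server_msg, "data": data, "args": args}


def split_avpair(arg):
    """Split 'attr=value' (mandatory) or 'attr*value' (optional).

    The first '=' or '*' is the separator, so a value may contain either.
    Returns (attribute, value, mandatory).
    """
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError("argument has no attribute/value separator: %r" % arg)


def shell_privilege(body, expected_priv=15):
    """Check a REPLY the way an admin-access policy test would.

    Returns (granted, priv_lvl): granted is True only when the server passed
    the request, the service is 'shell' and priv-lvl equals expected_priv.
    """
    reply = parse_author_reply(body)
    if reply["status"] not in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                               TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        return False, None
    attrs = {}
    for arg in reply["args"]:
        attr, value, _mandatory = split_avpair(arg)
        attrs[attr] = value
    priv = int(attrs["priv-lvl"]) if attrs.get("priv-lvl", "").isdigit() else None
    granted = attrs.get("service") == "shell" and priv == expected_priv
    return granted, priv


# Constructed sample: what a "service Shell, privilege level 15" profile returns.
ADMIN_REPLY = build_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                                 ["service=shell", "priv-lvl=15"])
# Constructed sample: a policy that matched but only returned a low privilege.
READONLY_REPLY = build_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                                    ["service=shell", "priv-lvl=1"])
# Constructed sample: the default deny at the end of an enforcement policy.
DENY_REPLY = build_author_reply(TAC_PLUS_AUTHOR_STATUS_FAIL, [],
                                server_msg=b"Authorization denied")

if __name__ == "__main__":
    for name, body in (("admin", ADMIN_REPLY), ("readonly", READONLY_REPLY),
                       ("deny", DENY_REPLY)):
        print(name, parse_author_reply(body)["args"], shell_privilege(body))
```

Running the block prints the parsed arguments and the (granted, priv_lvl) verdict for each sample; the readonly case is the one to watch for in practice, because the login succeeds but the user lands in an unprivileged shell, which on some platforms looks like being dropped straight back to the prompt.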



  • 4.  RE: Clearpass TACACs service setup

    Posted Jul 21, 2017 06:49 AM

    Thank you for the suggestion. 

     

    I have tried this and it has worked straight away. 



  • 5.  RE: Clearpass TACACs service setup

    Posted Feb 03, 2020 12:09 PM

    For anyone else having issues with WLC login, be sure you have TACACS servers defined for Authentication, Accounting and Authorization. I was lacking authorization and it just kept bouncing back to login.

     

    Jeff