Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass, different TACACS roles based on local user

  • 1.  Clearpass, different TACACS roles based on local user

    Posted Feb 11, 2019 09:46 AM

    Currently we have a working configuration within CP 6.6.10 that allows local users to authenticate into F5 devices and they are assigned the correct role via passing that role through TACACS.


    Need to understand the proper way to now allow certain CP local users access to the same F5 but with a different F5 role.  I defined it within F5 and set up the CP profile/policies but cannot figure out how to split the local users.  Attempted a new service but that does not seem to differentiate between users, and tried to do it within the same service with no luck.


    Appreciate advice.  Thank you.



  • 2.  RE: Clearpass, different TACACS roles based on local user

    EMPLOYEE
    Posted Feb 11, 2019 10:10 AM
    What data is available to differentiate the users? You would just write enforcement rules based on that data that returns the appropriate enforcement profiles.


  • 3.  RE: Clearpass, different TACACS roles based on local user

    Posted Feb 11, 2019 10:30 AM

    Roles were the only difference and I was attempting to use that.  Went ahead and defined "Designation" for each of the two different user types. Set up the rules to reference those in the enforcement but still authenticating incorrectly.


    Service TACACS F5 Admin

      Service policy points to device group (all F5)

      Enforcement points to policy that specifies localuser designation = X


    Service TACACS F5 App

      Service policy points to device group (app F5)

      Enforcement points to policy that specifies localuser designation = Y


    If service TACACS F5 Admin is ordered first all users auth as Admins

    If Service TACACS F5 App is ordered first all users auth as Operators


    So the Enforcement policies are setting the correct roles, just not honoring the enforcement criteria.



  • 4.  RE: Clearpass, different TACACS roles based on local user

    Posted Feb 11, 2019 11:09 AM

    Got it working by deleting the app service and just adding the additional enforcement to the single F5 TACACS service


    Service TACACS F5

      Enforcement X points to policy that specifies localuser designation = X

      Enforcement Y points to policy that specifies localuser designation = Y


    Appreciate the assistance
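    A small model of the two layouts discussed in posts 3 and 4 (an added illustration, not ClearPass code or anything from the original posts): service categorization looks only at request attributes such as the NAD's device group, so the first matching service catches every user regardless of their Designation, while a single service whose enforcement policy carries one rule per Designation hands each local user the right profile. The service names, the "all F5"/"app F5" groups and the X/Y designations are the thread's; the sample users, the profile names and the default-deny behaviour when no rule matches are assumptions.

```python
from dataclasses import dataclass

DENY = "[Deny Access Profile]"   # assumed default profile when no enforcement rule matches

@dataclass
class Service:
    name: str
    device_group: str      # service rule: the NAD must belong to this device group
    rules: list            # enforcement rules, in order: (Designation value, profile)
    default_profile: str = DENY

def categorize(services, nad_groups):
    """Service selection: first service (in configured order) whose device-group
    rule matches the NAD wins. Local-user attributes play no part here."""
    for svc in services:
        if svc.device_group in nad_groups:
            return svc
    return None

def enforce(svc, user):
    """Enforcement policy of the chosen service: first rule matching the
    authenticated local user's Designation wins, else the default profile."""
    for designation, profile in svc.rules:
        if user.get("Designation") == designation:
            return profile
    return svc.default_profile

def authorize(services, nad_groups, user):
    svc = categorize(services, nad_groups)
    return (None, DENY) if svc is None else (svc.name, enforce(svc, user))

# Post 3 layout: two services split by device group, one designation rule each.
TWO_SERVICES = [
    Service("TACACS F5 Admin", "all F5", [("X", "F5 Admin")]),
    Service("TACACS F5 App", "app F5", [("Y", "F5 Operator")]),
]
# Post 4 layout: one service whose enforcement policy carries both rules.
ONE_SERVICE = [Service("TACACS F5", "all F5", [("X", "F5 Admin"), ("Y", "F5 Operator")])]

APP_F5 = {"all F5", "app F5"}                          # constructed: the app F5 NAD is in both groups
ADMIN = {"username": "alice", "Designation": "X"}     # constructed sample local users
OPERATOR = {"username": "bob", "Designation": "Y"}

if __name__ == "__main__":
    for layout in (TWO_SERVICES, ONE_SERVICE):
        for user in (ADMIN, OPERATOR):
            print(user["username"], "->", authorize(layout, APP_F5, user))
```

With two services, bob never reaches "TACACS F5 App" because "TACACS F5 Admin" already matched on the device group; with one service, the Designation rule selects his profile and a user with no Designation falls through to the default.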




  • 5.  RE: Clearpass, different TACACS roles based on local user

    Posted Feb 11, 2019 11:37 AM

    Now I have the reverse problem: this user has access to other TACACS services.  What is the easiest way to deny them?  Trying to use the enforcement policies but it does not appear to be working (yet).