New Contributor

ClearPass, different TACACS roles based on local user

Currently we have a working configuration within CP 6.6.10 that allows local users to authenticate into F5 devices, and they are assigned the correct role by passing that role through TACACS.

Need to understand the proper way to now allow certain CP local users access to the same F5 but with a different F5 role.  I defined it within F5 and set up the CP profile/policies but cannot figure out how to split the local users.  Attempted a new service, but that does not seem to differentiate between users, and tried to do it within the same service with no luck.

 

Appreciate advice.  Thank you.

Guru Elite

Re: ClearPass, different TACACS roles based on local user

What data is available to differentiate the users? You would just write enforcement rules based on that data that returns the appropriate enforcement profiles.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: ClearPass, different TACACS roles based on local user

Roles were the only difference and I was attempting to use that.  Went ahead and defined "Designation" for each of the two different user types.  Set up the rules to reference those in the enforcement, but it is still authenticating incorrectly.

Service TACACS F5 Admin

  Service policy points to device group (all F5)

  Enforcement points to policy that specifies localuser designation = X

Service TACACS F5 App

  Service policy points to device group (app F5)

  Enforcement points to policy that specifies localuser designation = Y

If service TACACS F5 Admin is ordered first, all users auth as Admins

If service TACACS F5 App is ordered first, all users auth as Operators

So the Enforcement policies are setting the correct roles, just not honoring the enforcement criteria.

New Contributor

Re: ClearPass, different TACACS roles based on local user

Got it working by deleting the app service and just adding the additional enforcement to the single F5 TACACS service.

Service TACACS F5

  Enforcement X points to policy that specifies localuser designation = X

  Enforcement Y points to policy that specifies localuser designation = Y

 

Appreciate the assistance
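The two layouts above behave differently because ClearPass categorizes a request into a service using request and device attributes (here, the NAS device group), and only then evaluates the selected service's enforcement policy, where user attributes such as the local user's Designation are available. The following is an added illustration, not code from the thread or from ClearPass itself: a small first-match model of that two-stage evaluation. The user names, device IPs, profile names and the "[Deny Access Profile]" default are constructed for the example; the simplification that each stage picks the first match top-down is the only ClearPass behaviour it relies on.

```python
"""Hypothetical first-match model of ClearPass service categorization followed
by enforcement policy evaluation for a TACACS+ request (example only)."""

from dataclasses import dataclass, field

DENY = "[Deny Access Profile]"

# Constructed local-user repository; Designation is a local user attribute.
LOCAL_USERS = {
    "alice": {"designation": "X"},  # should get the F5 admin role
    "bob":   {"designation": "Y"},  # should get the F5 app/operator role
    "carol": {"designation": "Z"},  # should get neither
}

# Constructed network device groups (NAS addresses are made up).
DEVICE_GROUPS = {
    "all F5": {"10.0.0.1", "10.0.0.2"},
    "app F5": {"10.0.0.2"},
}


@dataclass
class Service:
    name: str
    device_group: str                 # service rule: NAS is in this group
    rules: list = field(default_factory=list)  # (designation, profile) pairs
    default_profile: str = DENY       # enforcement policy default


def select_service(services, nas_ip):
    """Stage 1: first service whose rule matches the request. Note that only
    device data is consulted here; the user's attributes play no part."""
    for svc in services:
        if nas_ip in DEVICE_GROUPS[svc.device_group]:
            return svc
    return None


def enforce(svc, username):
    """Stage 2: first enforcement rule whose condition matches the user."""
    user = LOCAL_USERS.get(username)
    if user is None:
        return svc.default_profile
    for designation, profile in svc.rules:
        if user["designation"] == designation:
            return profile
    return svc.default_profile


def authorize(services, nas_ip, username):
    """Return (service name, enforcement profile) for one TACACS+ request."""
    svc = select_service(services, nas_ip)
    if svc is None:
        return ("no service", DENY)
    return (svc.name, enforce(svc, username))


# Layout from the earlier post: two services split by device group.
TWO_SERVICES = [
    Service("TACACS F5 Admin", "all F5", [("X", "F5-Admin")]),
    Service("TACACS F5 App", "app F5", [("Y", "F5-Operator")]),
]

# Layout from the working post: one service, both rules in its policy.
ONE_SERVICE = [
    Service("TACACS F5", "all F5", [("X", "F5-Admin"), ("Y", "F5-Operator")]),
]

if __name__ == "__main__":
    for layout in (TWO_SERVICES, ONE_SERVICE):
        for ip in ("10.0.0.1", "10.0.0.2"):
            for user in LOCAL_USERS:
                print(ip, user, authorize(layout, ip, user))
```

With two services, bob on 10.0.0.2 is categorized into "TACACS F5 Admin" (its device group also contains that NAS, and it is ordered first) and never reaches the App service, so no ordering of the services can split users by Designation. With one service and two rules, each user falls through to the rule that matches them, and a user with no matching rule gets the policy's default profile, which is where a deny for everyone else belongs.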

 

New Contributor

Re: ClearPass, different TACACS roles based on local user

Now I have the reverse problem: this user has access to other TACACS services.  What is the easiest way to deny them?  Trying to use the enforcement policies, but that does not appear to be working (yet).
