Clearpass with Arista CVP

Hi Community,

 

I want to share with you how to get CVP (CloudVision Portal) running with CPPM (6.7) over a TACACS+ service. Normally you get the network-operator role if you successfully authenticate. If you need the network-admin cvp-role, you need to follow these steps:

 

Pre-config:

You have CVP configured with a shared secret to CPPM.

 

Now, create a TACACS+ dictionary "add-on" to the shell.

 

Go to Administration -> Dictionaries -> TACACS+ Services. Mark the "shell" and export the XML.

 

Add the following line

 

<ServiceAttribute allowedValuesCsv="network-admin" dataType="String" dispName="cvp-roles" name="cvp-roles"/>

 

above the last one:

 

   </TacacsServiceDictionary>
  </TacacsServiceDictionaries>
</TipsContents>

 

so it looks like:

...truncated...

      <ServiceAttribute allowedValuesCsv="network-admin" dataType="String" dispName="cvp-roles" name="cvp-roles"/>
    </TacacsServiceDictionary>
  </TacacsServiceDictionaries>
</TipsContents>

 

in the end.

Import the XML again and make sure CPPM got it. Then create a TACACS+ enforcement profile that looks like this:

cvp.PNG

Be careful that you use REPLACE, otherwise it will be the default operator.

Add this enforcement to your TACACS+ service or create a new one only for CVP.

 

I hope this helps. If you want to extend the system with more roles, you have to add more XML lines, each one for a new role that matches the CVP role.

 

Thanks to Aruba/Arista TAC.

ACMP
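
The dictionary edit described in the post above, scripted so it is repeatable and checked for well-formedness before re-import. This is an added example, not part of the original post and not Aruba or Arista tooling. The function names and the sample export are assumptions: only the closing tags and the cvp-roles line are taken from the post.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

CLOSE_TAG = "</TacacsServiceDictionary>"

# Constructed sample export; only the closing tags and the cvp-roles line
# come from the post, the other elements and attributes are assumptions.
SAMPLE = """<TipsContents>
  <TacacsServiceDictionaries>
    <TacacsServiceDictionary name="shell">
      <ServiceAttribute dataType="Unsigned32" dispName="Privilege Level" name="priv-lvl"/>
    </TacacsServiceDictionary>
  </TacacsServiceDictionaries>
</TipsContents>
"""


def attribute_line(role):
    # Same attribute layout as the line in the post; the role value is escaped.
    return ('<ServiceAttribute allowedValuesCsv=%s dataType="String" '
            'dispName="cvp-roles" name="cvp-roles"/>' % quoteattr(role))


def add_cvp_role(xml_text, role="network-admin"):
    """Insert the cvp-roles line above the last </TacacsServiceDictionary>."""
    line = attribute_line(role)
    if line in xml_text:
        return xml_text  # already patched, keep re-runs idempotent
    pos = xml_text.rfind(CLOSE_TAG)
    if pos == -1:
        raise ValueError("export has no %s element" % CLOSE_TAG)
    line_start = xml_text.rfind("\n", 0, pos) + 1
    indent = xml_text[line_start:pos]
    if indent.strip():
        # Closing tag shares its line with other markup: insert right before it.
        patched = xml_text[:pos] + line + xml_text[pos:]
    else:
        patched = (xml_text[:line_start] + indent + "  " + line + "\n"
                   + xml_text[line_start:])
    ET.fromstring(patched)  # raises ParseError if the result is not well-formed
    return patched


if __name__ == "__main__":
    print(add_cvp_role(SAMPLE))
```

Diff the patched file against the export before importing it, so the only change CPPM receives is the one privilege-granting attribute line.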