Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Configuring TACACS+ on ClearPass for Cisco switches

  • 1.  Configuring TACACS+ on ClearPass for Cisco switches

    Posted Oct 05, 2014 09:30 PM

    I would like to use ClearPass to configure TACACS+ for Cisco switch authentication to Windows Active Directory.


    Does anyone have any advice or documentation on how to do this?



  • 2.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    EMPLOYEE
    Posted Oct 05, 2014 09:42 PM
    You can use the Start Here page; at the top there is a link, "1. To generate sample Services for common use cases, go here." This has sample TACACS.

    I'm currently working on one for ASE and will post an update when done.

    https://ase.arubanetworks.com


  • 3.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    Posted Oct 05, 2014 10:09 PM

    I can't find the TACACS article.

    Please update once you have completed it :-)



  • 4.  RE: Configuring TACACS+ on ClearPass for Cisco switches
    Best Answer

    EMPLOYEE
    Posted Oct 08, 2014 12:12 AM

    The solution is now posted on ASE.

     

    https://ase.arubanetworks.com/solutions/id/80



  • 5.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    Posted Oct 08, 2014 10:05 PM

    Awesome, that looks great.

     

    Quick question: If TACACS is unavailable, will the "Accounting" part of the configuration still allow a locally configured user account to log on and gain access to privileged mode and config mode?



  • 6.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    EMPLOYEE
    Posted Oct 08, 2014 11:04 PM
    Yes, it will fail through. If the server is unavailable then it will auth locally. You will just need to set up a local account on the switch also.


  • 7.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    Posted Oct 16, 2014 05:59 PM

    I've tried exactly the same config in a test scenario, and it doesn't work.

    I get this:

     

    Authorization Requests Messages
     Command - -
    Error Message: No enforcement profiles matched to perform command authorization
    Error Group: Tacacs authorization
     Alerts for this Request:

    Tacacs server Tacacs service=shell not enabled



  • 8.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    EMPLOYEE
    Posted Oct 17, 2014 04:15 AM
    What model of switch and IOS?

    Sounds like you don't have the proper settings in the enforcement.

    Take a look at the screenshots in the how-to and see if your enforcement matches. I've seen different variables used in different models and even IOS versions. Unfortunately Cisco was not consistent on the return attributes that are needed.


  • 9.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    Posted Oct 17, 2014 04:50 AM

    3750 ... 12.2 IOS and 15 (I'm testing on 15).


  • 10.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    Posted Oct 22, 2014 08:54 PM

    As a matter of interest, what do these lines of the Cisco config actually mean?

     

    aaa authorization commands 0 default group tacacs+ none
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated

     

    Thanks



  • 11.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    EMPLOYEE
    Posted Oct 23, 2014 12:59 AM

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Accounting-with-Cisco-switch/td-p/173028

     

    Switch(config)# tacacs-server host 172.16.16.200 key aruba123 (Note that in some versions of IOS the key must be entered on a separate line of config: tacacs-server key aruba123)

     

    Next we setup AAA authentication:
    Switch(config)# aaa authentication login default group tacacs+ local
    Switch(config)# aaa authentication enable default group tacacs+ enable
    This tells the switch, for login attempts, to first look at TACACS and, if that is unreachable, use the local database. When a user types "enable" to gain privileged mode access, it first checks TACACS and, if that is unreachable, uses the locally stored enable password or secret.

     

    Now we setup AAA authorization for commands:
    Switch(config)# aaa authorization commands 0 default group tacacs+ none
    Switch(config)# aaa authorization commands 1 default group tacacs+ none
    Switch(config)# aaa authorization commands 15 default group tacacs+ none
    This sends all commands entered at privilege levels 0, 1 and 15 to the configured TACACS server (CPPM) for authorization and, failing that, it disallows the command.

     

    Levels 0, 1 and 15 map to the following:

    • level 0—Includes the disable, enable, exit, help, and logout commands
    • level 1—Includes all user-level commands at the router> prompt
    • level 15—Includes all enable-level commands at the router# prompt


    Lastly, if you want to audit Cisco config commands:
    Switch(config)# aaa authorization config-commands
    This instructs the switch to run all config-level commands through TACACS for authorization.

    Be a good little Cisco admin:
    Switch(config)# exit
    Switch# write mem
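
The method-list behaviour asked about in post 10 and explained in post 11 (why `none`, `if-authenticated` and `local` give different results when the TACACS+ server is unreachable versus when it answers deny) as an added Python model. This is not code from the thread, from Cisco or from ClearPass; the parser, the `Tacacs` outcome names and the `evaluate` helper are assumptions made for this example.

```python
import re


class Tacacs:
    """Possible outcomes of asking the TACACS+ server (CPPM in the thread)."""
    PERMIT = "permit"
    DENY = "deny"
    UNREACHABLE = "unreachable"   # no reply: IOS treats this as ERROR, not FAIL


def parse_method_list(line):
    """Parse an 'aaa authorization commands 15 default group tacacs+ none' or
    'aaa authentication login default group tacacs+ local' line into
    (privilege level or None, [methods]); 'group tacacs+' stays one method."""
    m = re.fullmatch(r"aaa \w+ \S+(?: (\d+))? default (.+)", line.strip())
    if not m:
        raise ValueError("not an 'aaa ... default <methods>' line")
    level = int(m.group(1)) if m.group(1) else None
    methods = re.findall(r"group \S+|\S+", m.group(2))
    return level, methods


def evaluate(methods, tacacs_reply, authenticated=True, local_user=False):
    """Walk the method list the way IOS does: only an ERROR (server unreachable)
    moves on to the next method; a PERMIT or DENY from the server is final."""
    for method in methods:
        if method.startswith("group "):
            if tacacs_reply == Tacacs.UNREACHABLE:
                continue                   # try the next configured method
            return tacacs_reply            # server answered: that is the verdict
        if method == "none":               # no authorization: always permit
            return "permit"
        if method == "if-authenticated":   # permit only if the login succeeded
            return "permit" if authenticated else "deny"
        if method == "local":              # local username / enable database
            return "permit" if local_user else "deny"
        raise ValueError(f"unknown method {method!r}")
    return "deny"                          # every method returned ERROR


if __name__ == "__main__":
    for line in ("aaa authorization commands 15 default group tacacs+ none",
                 "aaa authorization commands 15 default group tacacs+ if-authenticated"):
        level, methods = parse_method_list(line)
        for reply in (Tacacs.PERMIT, Tacacs.DENY, Tacacs.UNREACHABLE):
            print(f"level {level} {methods} server={reply}: "
                  f"{evaluate(methods, reply, authenticated=True)}")
```

With `none` as the fallback an unreachable server permits every command, which is the fail-through described in post 6; with `if-authenticated` it permits only an already-authenticated session, and with no fallback at all the command is denied.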



  • 12.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    Posted Aug 20, 2015 02:26 AM

    I followed the ASE and imported the XML file into CPPM.

     

    I'm running into an issue where I'm able to Authenticate but authorization fails. 

     

    The 3750 switch comes back with "tacacs authorization failed"

     

    I'm attaching a couple of screenshots of the CPPM logs.

     

    What am I missing here?

     



  • 13.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    Posted Aug 20, 2015 02:35 AM

    Looks like an earlier user posted a similar problem.

     

    I went and did a debug on the switch.

     

    Mar 30 07:06:31.213: AAA/BIND(00000041): Bind i/f
    Mar 30 07:06:32.773: AAA/AUTHOR (0x41): Pick method list 'default'
    Mar 30 07:06:32.782: AAA/AUTHOR/EXEC(00000041): Authorization FAILED
    labtest_sw_3750x#

     

    I get this...

     

     

     



  • 14.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    EMPLOYEE
    Posted Aug 20, 2015 03:26 AM
    Per your screenshot, you are returning an Aruba, not Cisco, response.


  • 15.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    EMPLOYEE
    Posted Aug 20, 2015 03:28 AM
    Also it looks like you are hitting the wrong service


  • 16.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    Posted Aug 20, 2015 10:55 AM

    I did see that and it was confusing me as to where that might have been misconfigured given that I imported the generated XML file from the ASE page.  

     

    An interesting behavior that I just noticed this morning is that I am passing Authentication with no need for Authorization when I log in via console (is this normal)?

     

    See the attached screenshot for the successful authentication via console to the Cisco switch

     

    attached here



  • 17.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    Posted Aug 20, 2015 11:02 AM

    Troy,

     

    Here are the screenshots of the relevant sections in CPPM. How do I troubleshoot or make modifications to return a Cisco response as opposed to an Aruba response? (I don't think this is a switch configuration issue.)

     

    Also, I checked all the sections and I can't find where I can modify to change the service (where you mentioned I am hitting the wrong service).



  • 18.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    EMPLOYEE
    Posted Aug 20, 2015 11:45 AM
    You need to either move the service above the Aruba device auth or make the Aruba auth more restrictive.


  • 19.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    Posted Aug 20, 2015 12:47 PM

    Troy,

     

    Thank you for taking the time to help me, I do appreciate it as I am brand new to Clearpass and I'm evaluating the product for our internal use.

     

    I think I understand what you are saying, I am stuck however at the particular section of the configuration in CPPM where I can move the service above the Aruba device Auth.  What is also throwing me off is that it works if I console into the switch (which doesn't include authorization based upon the logs) but with SSH, authorization is failing.

     

    If you look at the screenshot that I attached, I can't edit the "Aruba device access policy" because it is a default entry (to make it more restrictive) and I am not sure how I can move up the "Cisco Wired" policy above the Aruba device access policy.

     



  • 20.  RE: Configuring TACACS+ on ClearPass for Cisco switches

    Posted Aug 20, 2015 08:39 PM

    So I fixed the issue.  I was able to re-order the services.  

     

    I'm now trying to tackle AAA command authorization.  I have one profile where I am allowing Privilege level 15 with all the commands available.

     

    I now want to create a "NOC" user with only certain commands available to this user. I created a 2nd enforcement profile.

     

    I'm attaching the screenshot.  I created an enforcement profile called "NOC_Profile"

     

    Type: TACACS

    Services:

    Privilege Level: 1

    Selected Services: 1. Shell

     

    Service Attributes 

    Type: Shell

    Name: priv-lvl

    Value = 15

    (so that when user NOC logs-in, the user is placed directly into "enable" mode)

     

    Commands:

    Command: Show version

    Arguments: show version

    permit action: Permit

    Unmatched Arguments: Permit

     

    Am I configuring the Authorization commands wrong?
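
The per-command authorization that the NOC_Profile above is trying to express (and that the "No enforcement profiles matched to perform command authorization" / "service=shell not enabled" alerts in post 7 relate to) as an added Python model, not code from the thread or from ClearPass. It builds the AV pairs IOS sends for a command under `aaa authorization commands` and evaluates them against a profile shaped like the fields in post 20; the matching rules in `authorize` and both profile dictionaries are simplified assumptions made for this example, not ClearPass's implementation.

```python
import re


def ios_author_request(cmdline):
    """AV pairs IOS sends for one command under 'aaa authorization commands ...':
    the first word becomes cmd=, each further word a cmd-arg=, then cmd-arg=<cr>."""
    words = cmdline.split()
    return (["service=shell", f"cmd={words[0]}"]
            + [f"cmd-arg={w}" for w in words[1:]] + ["cmd-arg=<cr>"])


def authorize(avpairs, profile):
    """Simplified matcher (assumed for this example): the rule's command field is
    compared whole against cmd=, its argument patterns against the joined cmd-arg
    values; unmatched arguments / commands fall back to the profile's defaults."""
    attrs, args = {}, []
    for av in avpairs:
        key, _, value = av.partition("=")
        if key == "cmd-arg":
            args.append(value)
        else:
            attrs[key] = value
    if attrs.get("service") not in profile["services"]:
        return "deny"                     # requested service not enabled in profile
    argstr = " ".join(a for a in args if a != "<cr>")
    for rule in profile["commands"]:
        if rule["command"] != attrs.get("cmd"):
            continue                      # compared against cmd= only, never cmd-arg=
        if any(re.fullmatch(p, argstr) for p in rule["arguments"]):
            return rule["action"]
        return rule["unmatched_arguments"]
    return profile["unmatched_commands"]


# Constructed profiles (not exported from CPPM): one whose command field holds the
# first word only, and one whose command field holds the whole "show version" line.
NOC_PROFILE = {
    "services": ["shell"],
    "commands": [{"command": "show", "arguments": ["version", r"ip route.*"],
                  "action": "permit", "unmatched_arguments": "deny"}],
    "unmatched_commands": "deny",
}
WHOLE_LINE_PROFILE = {
    "services": ["shell"],
    "commands": [{"command": "show version", "arguments": ["show version"],
                  "action": "permit", "unmatched_arguments": "permit"}],
    "unmatched_commands": "deny",
}

if __name__ == "__main__":
    for line in ("show version", "show ip route 10.0.0.0",
                 "show running-config", "configure terminal"):
        req = ios_author_request(line)
        print(f"{line!r}: {req} -> NOC={authorize(req, NOC_PROFILE)}"
              f" WHOLE_LINE={authorize(req, WHOLE_LINE_PROFILE)}")
```

Because IOS sends `cmd=show` and `cmd-arg=version` separately, a rule whose command field is the whole line never matches and the request falls to the unmatched-commands default.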