Aruba

Re: Configuring TACACS+ on ClearPass for Cisco switches

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Accounting-with-Cisco-switch/td-p/173028

 

Switch(config)# tacacs-server host 172.16.16.200 key aruba123
(Note that in some versions of IOS the key must be entered on a separate line of config: tacacs-server key aruba123)

 

Next we set up AAA authentication:
Switch(config)# aaa authentication login default group tacacs+ local
Switch(config)# aaa authentication enable default group tacacs+ enable
This tells the switch, for login attempts, to first look at TACACS and, if that is unreachable, to use the local database. When a user types "enable" to gain privileged mode access, it first checks TACACS and, if that is unreachable, uses the locally stored enable password or secret.

 

Now we set up AAA authorization for commands:
Switch(config)# aaa authorization commands 0 default group tacacs+ none
Switch(config)# aaa authorization commands 1 default group tacacs+ none
Switch(config)# aaa authorization commands 15 default group tacacs+ none
This sends all commands entered at privilege levels 0, 1 and 15 to the configured TACACS server (CPPM) for authorization and, failing that, it disallows the command.

 

Levels 0, 1 and 15 map to the following:

  • level 0—Includes the disable, enable, exit, help, and logout commands
  • level 1—Includes all user-level commands at the router> prompt
  • level 15—Includes all enable-level commands at the router# prompt


Lastly, if you want to audit Cisco config commands:
Switch(config)# aaa authorization config-commands
This instructs the switch to run all config-level commands through TACACS for authorization.

Be a good little Cisco admin:
Switch(config)# exit
Switch# write mem

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
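As an added example (not from Troy's post, Aruba or Cisco), a small Python audit of the AAA method lists configured above: it parses the running-config lines and reports, per list, whether the switch fails open, fails closed, or falls back to a local method when the TACACS+ server group is unreachable.

```python
"""Audit Cisco IOS AAA method lists for their fallback behaviour.

Added example, not code from the post, Aruba or Cisco. IOS walks a method
list in order and only moves to the next method on a server error
(unreachable), never on an explicit deny from the server.
"""
import re

# Constructed sample: the AAA lines from the post, as they appear in
# 'show running-config'.
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization config-commands
"""

AAA_LINE = re.compile(
    r"^aaa (?P<kind>authentication|authorization) "
    r"(?P<type>login|enable|exec|commands(?: \d+)?) "
    r"(?P<name>\S+) (?P<methods>.+)$"
)

def parse_method_lists(config):
    """One dict per method list: kind, type, name and the ordered methods."""
    lists = []
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if m:
            # "group tacacs+ local" -> ["group tacacs+", "local"]
            methods = re.findall(r"group \S+|\S+", m.group("methods"))
            lists.append({**m.groupdict(), "methods": methods})
    return lists

def fallback_behaviour(methods):
    """Describe the outcome once every server group in the list is unreachable."""
    local_methods = [m for m in methods if not m.startswith("group ")]
    if not local_methods:
        return "fail-closed: request rejected while servers are down"
    if local_methods[-1] == "none":
        return "fail-open: 'none' grants the request while servers are down"
    return f"fallback to '{local_methods[-1]}'"

def audit(config):
    """Map '<kind> <type> <name>' to its fallback description."""
    return {f"{l['kind']} {l['type']} {l['name']}": fallback_behaviour(l["methods"])
            for l in parse_method_lists(config)}
```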
Occasional Contributor II

Re: Configuring TACACS+ on ClearPass for Cisco switches

I followed the ASE and imported the XML file into CPPM.

I'm running into an issue where I'm able to authenticate but authorization fails.

The 3750 switch comes back with "tacacs authorization failed".

I'm attaching a couple of screenshots of the CPPM logs.

What am I missing here?

 

Occasional Contributor II

Re: Configuring TACACS+ on ClearPass for Cisco switches

Looks like an earlier user posted a similar problem.

I went and did a debug on the switch.

Mar 30 07:06:31.213: AAA/BIND(00000041): Bind i/f
Mar 30 07:06:32.773: AAA/AUTHOR (0x41): Pick method list 'default'
Mar 30 07:06:32.782: AAA/AUTHOR/EXEC(00000041): Authorization FAILED
labtest_sw_3750x#

 

I get this...

 

 

 

Aruba

Re: Configuring TACACS+ on ClearPass for Cisco switches

Per your screenshot you are returning an Aruba, not a Cisco, response.
Thank You,
Troy

Aruba

Re: Configuring TACACS+ on ClearPass for Cisco switches

Also, it looks like you are hitting the wrong service.
Thank You,
Troy

Occasional Contributor II

Re: Configuring TACACS+ on ClearPass for Cisco switches

I did see that, and it was confusing me as to where that might have been misconfigured, given that I imported the generated XML file from the ASE page.

An interesting behavior that I just noticed this morning is that I am passing authentication with no need for authorization when I log in via console (is this normal)?

See the attached screenshot for the successful authentication via console to the Cisco switch.

attached here

 

 

Occasional Contributor II

Re: Configuring TACACS+ on ClearPass for Cisco switches

Troy,

Here are the screenshots of the relevant sections in CPPM. How do I troubleshoot or make modifications to return a Cisco response as opposed to an Aruba response? (I don't think this is a switch configuration issue.)

Also, I checked all the sections and I can't find where I can modify to change the service (where you mentioned I am hitting the wrong service).

 

 

Aruba

Re: Configuring TACACS+ on ClearPass for Cisco switches

You need to either move the service above the Aruba device auth or make the Aruba auth more restrictive.
Thank You,
Troy

Occasional Contributor II

Re: Configuring TACACS+ on ClearPass for Cisco switches

Troy,

Thank you for taking the time to help me; I do appreciate it, as I am brand new to ClearPass and I'm evaluating the product for our internal use.

I think I understand what you are saying. I am stuck, however, at the particular section of the configuration in CPPM where I can move the service above the Aruba device auth. What is also throwing me off is that it works if I console into the switch (which doesn't include authorization, based upon the logs), but with SSH, authorization is failing.

If you look at the screenshot that I attached, I can't edit the "Aruba device access policy" because it is a default entry (to make it more restrictive), and I am not sure how I can move the "Cisco Wired" policy up above the Aruba device access policy.

 

Occasional Contributor II

Re: Configuring TACACS+ on ClearPass for Cisco switches

So I fixed the issue. I was able to re-order the services.

I'm now trying to tackle AAA command authorization. I have one profile where I am allowing privilege level 15 with all the commands available.

I now want to create a "NOC" user with only certain commands available to this user. I created a 2nd enforcement profile.

I'm attaching the screenshot. I created an enforcement profile called "NOC_Profile":

Type: TACACS
Services:
  Privilege Level: 1
  Selected Services: 1. Shell

Service Attributes:
  Type: Shell
  Name: priv-lvl
  Value = 15
(so that when user NOC logs in, the user is placed directly into "enable" mode)

Commands:
  Command: Show version
  Arguments: show version
  Permit action: Permit
  Unmatched Arguments: Permit

Am I configuring the authorization commands wrong?
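As an added example, not from this thread and not ClearPass or Cisco code, a Python model of the command authorization exchange behind the NOC_Profile question and Troy's "aaa authorization commands" lines: it builds the RFC 8907 shell request the switch sends for a typed command (cmd plus cmd-arg values) and evaluates it against a permit list whose argument matching, "unmatched arguments" action and default deny are assumptions of the example, not ClearPass's implementation.

```python
"""Model TACACS+ shell command authorization for a NOC-style permit list.

Added example, not ClearPass or Cisco code. The request format follows
RFC 8907: the switch sends cmd=<first word>, one cmd-arg per remaining
word and a final cmd-arg=<cr>. The rule semantics (args matched as a
regex, an 'unmatched arguments' action, deny when no rule names the
command) are this example's assumption standing in for the real profile.
"""
import re
from dataclasses import dataclass, field

def authz_request(command_line, priv_lvl):
    """Build the shell authorization AV pairs a switch sends for one typed command."""
    words = command_line.split()
    return {"service": "shell", "priv-lvl": priv_lvl,
            "cmd": words[0].lower(), "cmd-arg": words[1:] + ["<cr>"]}

@dataclass
class CommandRule:
    cmd: str                  # command keyword as the switch sends it, e.g. "show"
    args: str = ".*"          # regex over the arguments, ".*" means any
    action: str = "permit"    # action when the arguments match
    unmatched: str = "deny"   # action when the command matches but the args do not

@dataclass
class Profile:
    max_priv: int
    rules: list = field(default_factory=list)

def evaluate(profile, request):
    """Return 'permit' or 'deny' for one authorization request."""
    if request["service"] != "shell" or request["priv-lvl"] > profile.max_priv:
        return "deny"
    args = " ".join(a for a in request["cmd-arg"] if a != "<cr>")
    for rule in profile.rules:
        if rule.cmd != request["cmd"]:
            continue
        return rule.action if re.fullmatch(rule.args, args) else rule.unmatched
    return "deny"  # no rule mentions this command at all

# The post's profile as the switch sees it: keyword "show", argument "version".
# With 'Unmatched Arguments: Permit' every other "show ..." is allowed as well.
NOC_PROFILE = Profile(max_priv=15, rules=[CommandRule("show", "version", "permit", "permit")])
# Same rule with the unmatched action left at deny: only "show version" passes.
STRICT_PROFILE = Profile(max_priv=15, rules=[CommandRule("show", "version")])
```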

 

 

 
