
Getting TACACS+ to work with Cisco ACS

  • 1.  Getting TACACS+ to work with Cisco ACS

    Posted Sep 28, 2016 02:10 PM

    I am trying to get my controllers to use my Cisco ACS (v 5.6.0.22) to allow admin login. I have the controller side of things configured with a matching password and the TACACS server defined as outlined below.

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/TACACS-Session-Authorization/td-p/33536

     

    I have the Aruba-Admin-Role=root and the device set but the issue I am having is finding where on the ACS that I set the matching rule for the part outlined below.

     

    "The request will include two fields, which you'll need to configure on the TACACS server as a matching rule:

      service=aruba

      protocol=common"

     

    Anyone have any experience with this product and can point me in the right direction?
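
Added example, not part of the original post and not Aruba or Cisco code: a Python sketch that de-obfuscates a TACACS+ authorization request body as specified in RFC 8907 and lists its arguments, which is one way to confirm from a capture that the shared key matches and that `service=aruba` and `protocol=common` are the fields to build the matching rule on. The sample packet, key, user name, port and address are constructed.

```python
import hashlib

def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 data obfuscation: chained MD5 pad, truncated to the body length."""
    seed = session_id + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def xor_body(header: bytes, body: bytes, key: bytes) -> bytes:
    """Obfuscate or de-obfuscate a body (XOR with the pad is its own inverse)."""
    if header[3] & 0x01:  # unencrypted flag set: body is already clear text
        return body
    pad = pseudo_pad(header[4:8], key, header[0], header[2], len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def parse_author_request(body: bytes) -> dict:
    """Parse an authorization REQUEST body into user and argument list."""
    if len(body) < 8:
        raise ValueError("body too short")
    user_len, port_len, rem_len, arg_cnt = body[4:8]
    arg_lens = body[8:8 + arg_cnt]
    if 8 + arg_cnt + user_len + port_len + rem_len + sum(arg_lens) != len(body):
        raise ValueError("length fields inconsistent: wrong shared key or corrupt packet")
    pos = 8 + arg_cnt
    user = body[pos:pos + user_len]
    pos += user_len + port_len + rem_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n])
        pos += n
    return {"user": user, "args": args}

def decode_packet(packet: bytes, key: bytes) -> dict:
    header, body = packet[:12], packet[12:]
    if int.from_bytes(header[8:12], "big") != len(body):
        raise ValueError("header length mismatch")
    return parse_author_request(xor_body(header, body, key))

def build_sample(key: bytes) -> bytes:
    """Constructed sample: authorization request carrying the thread's two fields."""
    args = [b"service=aruba", b"protocol=common"]
    user, port, rem = b"admin", b"tty0", b"192.0.2.10"
    body = bytes([6, 1, 1, 1, len(user), len(port), len(rem), len(args)])
    body += bytes(len(a) for a in args) + user + port + rem + b"".join(args)
    header = bytes([0xC0, 0x02, 1, 0]) + b"\x12\x34\x56\x78" + len(body).to_bytes(4, "big")
    return header + xor_body(header, body, key)
```

A key mismatch between controller and server shows up here as inconsistent length fields rather than readable arguments.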

     



  • 2.  RE: Getting TACACS+ to work with Cisco ACS

    EMPLOYEE
    Posted Sep 28, 2016 02:52 PM

    Quite frankly, all you need is a positive response from the TACACS server and the controller will let you in. Have you already accomplished that and you want to fine-tune the roles?

     



  • 3.  RE: Getting TACACS+ to work with Cisco ACS

    Posted Sep 28, 2016 04:41 PM

    I seem to be having issues just getting the darn ACS to respond. I have added the TACACS server under the Security > Authentication > Servers tab. I have checked and double-checked that the keys are correct and tried both ports 49 and 4949. If I don't have to mess with all those other settings and I should be getting the default root group assigned to an approved connection, I am not sure what else I need to be doing.



  • 4.  RE: Getting TACACS+ to work with Cisco ACS

    EMPLOYEE
    Posted Sep 28, 2016 06:41 PM

    Here is a pic of the minimum parameters you need configured.  Please ignore that a radius server, NPS is configured.  You just need to have a TACACS server in its place in the server group.

    radius.png

     



  • 5.  RE: Getting TACACS+ to work with Cisco ACS

    Posted Sep 29, 2016 11:50 AM

    Thank you for the reply. I have the Aruba side configured and set up, and if I do a test from the diagnostic tab to the server I can see communications to the ACS. I am thinking I have something not configured correctly on the ACS. I added a custom attribute of Aruba-Admin-Role but it does not seem to work. Do I even need that, and if not, what common tasks do I need to add?

     

    I guess what I am looking for is what do I need to set on the ACS side to get it to work with Aruba equipment? Any guides online that I can look at?



  • 6.  RE: Getting TACACS+ to work with Cisco ACS

    Posted Apr 16, 2018 07:32 AM

    Hi,

    Did you fix the problem? Because I have the same issue. Authentication is working but authorization is not working.