Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guide to configure TACACS on ArubaOS 6.1.3.6

  • 1.  Guide to configure TACACS on ArubaOS 6.1.3.6

    Posted Aug 27, 2013 10:14 AM

    Hi everyone--I'm still trying to get a handle on how to configure things in the Aruba controllers (used to the Cisco way of things...), and I'm trying to figure out how to configure TACACS to do my AAA.  In our other controllers, it's working fine, but there was no documentation left by the person who set them up a while ago...

     

    Does anyone have a document that breaks it down?  Everything in ACS is ready to go, just need to get an idea of what to do in the Aruba side of things.

     

    thanks all!

     

    SJ



  • 2.  RE: Guide to configure TACACS on ArubaOS 6.1.3.6

    EMPLOYEE
    Posted Aug 27, 2013 10:52 AM

    I don't have a guide, but I can provide some commands:

     

    ### CONFIGURE YOUR TACACS SERVERS

     

    aaa authentication-server tacacs "TACACS-SERVER-A"
       host 10.10.10.10
       key XXXXXX

     

     

    ### PUT YOUR TACACS SERVERS INTO A SERVER GROUP

     

    aaa server-group "TACACS-SVR-GROUP"
     auth-server TACACS-SERVER-A
     auth-server TACACS-SERVER-B

    ### ENABLE TACACS FOR MGMT ACCESS AUTHENTICATION

     

    aaa authentication mgmt
       server-group "TACACS-SVR-GROUP"
       default-role "no-access"
       enable

     

    ### ENABLE TACACS ACCOUNTING

     

    aaa tacacs-accounting server-group TACACS-SVR-GROUP  mode enable command configuration

    (options for command are: action, all, configuration, show)
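
An offline cross-reference check for the stanzas above, added here as an example; it is not part of the reply and is not an Aruba tool. It assumes the configuration is laid out as posted, with indented sub-commands under each `aaa` line, and `parse_stanzas` and `lint` are hypothetical helper names.

```python
# Constructed sample: commands as posted in the thread; stanza layout is assumed.
POSTED_CONFIG = '''
aaa authentication-server tacacs "TACACS-SERVER-A"
   host 10.10.10.10
   key XXXXXX
aaa server-group "TACACS-SVR-GROUP"
 auth-server TACACS-SERVER-A
 auth-server TACACS-SERVER-B
aaa authentication mgmt
   server-group "TACACS-SVR-GROUP"
   default-role "no-access"
   enable
aaa tacacs-accounting server-group TACACS-SVR-GROUP  mode enable command configuration
'''

def parse_stanzas(text):
    """Group indented sub-commands under the unindented command above them."""
    stanzas = []
    for line in text.splitlines():
        words = line.replace('"', "").split()
        if not words or words[0].startswith("#"):
            continue  # skip blank lines and '###' section headers
        if line[0].isspace() and stanzas:
            stanzas[-1][1].append(words)
        else:
            stanzas.append((words, []))
    return stanzas

def lint(text):
    """Return findings for the AAA stanzas used in the thread."""
    stanzas, servers, groups, out = parse_stanzas(text), {}, {}, []
    for head, subs in stanzas:
        if head[:3] == ["aaa", "authentication-server", "tacacs"] and len(head) > 3:
            servers[head[3]] = {s[0] for s in subs}
            out += [f"server {head[3]}: missing {k}" for k in ("host", "key") if k not in servers[head[3]]]
        elif head[:2] == ["aaa", "server-group"] and len(head) > 2:
            groups[head[2]] = [s[1] for s in subs if s[0] == "auth-server" and len(s) > 1]
    for group, members in groups.items():
        out += [f"group {group}: auth-server {m} is not defined" for m in members if m not in servers]
    for head, subs in stanzas:
        if head == ["aaa", "authentication", "mgmt"]:
            refs = [s[1] for s in subs if s[0] == "server-group" and len(s) > 1]
            out += [f"mgmt: server-group {g} is not defined" for g in refs if g not in groups]
            if ["enable"] not in subs:
                out.append("mgmt: authentication is not enabled")
        elif head[:3] == ["aaa", "tacacs-accounting", "server-group"] and len(head) > 3 and head[3] not in groups:
            out.append(f"accounting: server-group {head[3]} is not defined")
    return out
print("\n".join(lint(POSTED_CONFIG)) or "no findings")
```

Run against the commands exactly as posted, it reports that TACACS-SERVER-B is listed in the server group without a matching `aaa authentication-server tacacs` definition.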



  • 3.  RE: Guide to configure TACACS on ArubaOS 6.1.3.6

    Posted Aug 27, 2013 11:03 AM

    Cool.  I'll try it and let you know.

     

    Thanks

     

    SJ



  • 4.  RE: Guide to configure TACACS on ArubaOS 6.1.3.6

    Posted Aug 27, 2013 11:28 AM

    So I put the commands in, and I'm still not able to use my Active Directory login...local account works (*sigh of relief*), but I'm still trying to understand why it wouldn't work...commands seemed to take with no issue.



  • 5.  RE: Guide to configure TACACS on ArubaOS 6.1.3.6

    EMPLOYEE
    Posted Aug 27, 2013 11:31 AM

    ACS may use MS-CHAP-v2. You can enable that under aaa authentication mgmt and then enter mschapv2.

     

    You can look at the security log on the controller with the following command:

     

    show log security all | include authmgr

     

     



  • 6.  RE: Guide to configure TACACS on ArubaOS 6.1.3.6

    Posted Aug 27, 2013 11:34 AM

    This is a new one...

     

    Aug 28 01:32:30 :199802:  <ERRS> |authmgr|  tacplus.c, tacplus_api:49: Invalid authentication protocol for TACACS+

     

    ACS didn't show any requests at all from this particular device...looks like a call to Aruba TAC may be in order unless you have any insight into the issue at hand now...

     

    Really appreciate the help.



  • 7.  RE: Guide to configure TACACS on ArubaOS 6.1.3.6

    EMPLOYEE
    Posted Aug 27, 2013 11:35 AM

    Try enabling MS-CHAP-v2.

     

    Under aaa authentication mgmt, enter mschapv2



  • 8.  RE: Guide to configure TACACS on ArubaOS 6.1.3.6

    Posted Aug 27, 2013 11:39 AM

    Hmm...still no luck.  I'll open a ticket with TAC and post once we figure out what's happening so that hopefully between your instructions and whatever the final fix is, the next person will have a lot less trouble.

     

    Thanks Brad

     

    SJ



  • 9.  RE: Guide to configure TACACS on ArubaOS 6.1.3.6

    Posted Jan 24, 2014 04:13 PM

    Try changing the default TACACS port from 49 to 4949.  To go with the previous explanation, see the command below.

     

    aaa authentication-server tacacs "TACACS-SERVER-A"
     host 10.10.10.10
     key XXXXXX
     tcp-port 4949



  • 10.  RE: Guide to configure TACACS on ArubaOS 6.1.3.6

    Posted Mar 07, 2014 08:53 AM
    Anybody ever get this to work? I'm testing a MAS S3500 now and just getting timeouts to our Cisco ACS TACACS server. Thanks.