Security

Occasional Contributor II

TACACS Auth Against AD with Local Database backup.

I currently have my network devices configured to point to Clearpass for TACACS auth to allow users to access and manage routers/switches. Clearpass will get the AAA request and send it to the Windows DC to validate the Windows creds. I ran into a problem where the Clearpass to Domain Controller communication was broken. As a result, I couldn't authenticate properly to gain access to my network gear. At the same time, my network gear wouldn't let me use a local account on the gear because from its perspective the AAA server was up. How can I create an account local to the Clearpass server that we can use in the event communication between the Clearpass and Domain Controllers is down?

Aruba Employee

Re: TACACS Auth Against AD with Local Database backup.

Hello ncustod,

In this case, what you could do is have a backup server configured for the AD in the Authsources. Two things might happen if the primary authsource (AD) goes down.

1. If Clearpass is not able to establish a TCP session with the AD, it will realise that the AD is down and will move on to the backup AD right away, and the auth will work.

2. If Clearpass is able to establish the TCP session, in this case you could configure the Authentication server timeout to 2 secs in the Authentication sources on Clearpass. The default is 10 seconds; it will then time out at 2 seconds and perform auth with the backup server.

You cannot use local creds on Clearpass automatically upon the failure; the only automatic redundancy is mentioned above. Alternatively, if you are ok with manual intervention, if the users are failing AD auth you could create the local user accounts for them on the devices directly or on the Clearpass. Users can use local creds on the devices to login when AD auth for them doesn't work. For the users created on the Clearpass you will need to do some configuration change on the Clearpass.

-If you got what you need with my answer please give kudos and mark it as solution.
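The two failover behaviours described in the answer above, as an added simulation that is not part of the thread and not Aruba/ClearPass code: local TCP sockets stand in for a primary AD that refuses the connection, a backup AD that completes the TCP handshake but never answers, and a second backup that responds. The source order, the placeholder reply b"ACCEPT" and the loopback ports are assumptions of this example.

```python
# Added example (not from the thread or from Aruba): local sockets model the AD failure modes above.
import socket
import threading
import time
def answering_listener(reply):
    """Listener that answers every session with `reply`: a stand-in for a healthy AD."""
    srv = socket.create_server(("127.0.0.1", 0))
    def run():
        try:
            while True:
                conn, _ = srv.accept()
                with conn:
                    conn.sendall(reply)
        except OSError:  # listener closed by demo(): end the thread
            pass
    threading.Thread(target=run, daemon=True).start()
    return srv

def try_source(port, timeout):
    """One auth attempt; returns (ok|reject|refused|timeout, elapsed seconds)."""
    t0 = time.monotonic()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
            outcome = "ok" if c.recv(16) == b"ACCEPT" else "reject"  # waits at most `timeout`
    except ConnectionRefusedError:
        outcome = "refused"
    except socket.timeout:
        outcome = "timeout"
    return outcome, round(time.monotonic() - t0, 1)

def authenticate(ports, timeout):
    """Walk the ordered source list as the answer describes, stopping at the first success."""
    trace = []
    for port in ports:
        trace.append(try_source(port, timeout))
        if trace[-1][0] == "ok":
            break
    return trace

def demo(timeout=2.0):
    """Primary AD refusing, backup AD silent, second backup answering; 2 s is the suggested timeout."""
    with socket.socket() as s:  # bound then closed: a local port that refuses the TCP session
        s.bind(("127.0.0.1", 0))
        refused = s.getsockname()[1]
    silent = socket.create_server(("127.0.0.1", 0))  # kernel completes the handshake; nobody ever answers
    good = answering_listener(b"ACCEPT")  # b"ACCEPT" is a placeholder; no real LDAP/Kerberos is spoken
    trace = authenticate([refused, silent.getsockname()[1], good.getsockname()[1]], timeout)
    silent.close()
    good.close()
    return trace
```

Running `demo()` shows the refused source skipped in about 0 s while the silent one costs the full timeout, which is why lowering the timeout from 10 s to 2 s matters when the AD is reachable but not responding.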
Occasional Contributor II

Re: TACACS Auth Against AD with Local Database backup.

So I can't create a local user account. 

Add local (local user repository) DB as an authentication source under the TACACS service, then create a role for that condition and position it at number one?
