Security


TACACS Authorization Fails - Big Cloud Fabric Controller

  • 1.  TACACS Authorization Fails - Big Cloud Fabric Controller

    Posted Feb 11, 2016 12:21 AM

    I set up a TACACS service to authenticate and authorize logins to a BCF controller.  The authentication passes, but I'm getting an alert that authorization is failing.  The alert error is "Tacacs service=shell:ip not enabled"; see attached pic for the whole error.  Any thoughts?



  • 2.  RE: TACACS Authorization Fails - Big Cloud Fabric Controller

    EMPLOYEE
    Posted Feb 11, 2016 05:37 AM

    Is authentication working without authorization?



  • 3.  RE: TACACS Authorization Fails - Big Cloud Fabric Controller
    Best Answer

    Posted Feb 11, 2016 05:45 AM

    Navigate to the specific TACACS+ Enforcement profile in use and go to the Services tab. Under Selected services, make sure 'Shell' is selected and try again. If this does not work, you may need to create and import a new TACACS dictionary (in XML) with the name 'shell:ip' that has the attributes the Big Cloud Fabric controller is looking for.


    To import a TACACS dictionary, navigate to Administration --> Dictionaries --> Import. To get the XML tags, export any of the existing TACACS dictionaries and replace its name and the attribute specific to this case.



  • 4.  RE: TACACS Authorization Fails - Big Cloud Fabric Controller

    Posted Feb 11, 2016 08:31 AM

    That did the trick!  Thanks Vince.


    In the "TacacsServiceDictionary" line, the name attribute was "BigSwitch".  I changed this to "shell:ip" and imported it.  Here's the whole thing for anyone who may have the same issue:


    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader exportTime="Wed Feb 10 21:15:00 CST 2016" version="1.0"/>
      <TacacsServiceDictionaries>
        <TacacsServiceDictionary dispName="Big Switch Networks" name="shell:ip">
          <ServiceAttribute dataType="String" dispName="BSN User Role" name="BSN-User-Role"/>
        </TacacsServiceDictionary>
      </TacacsServiceDictionaries>
    </TipsContents>



  • 5.  RE: TACACS Authorization Fails - Big Cloud Fabric Controller

    Posted Apr 27, 2017 04:57 PM

    Thanks for this post... I'm trying to do the same; I followed these steps and am still having issues.


    CPPM active monitoring shows that there is successful authentication, but the BCF login fails on the Big Switch side. Not sure if the enforcement policy is pushing an unknown attribute or not, but it's not working.


    Also, in the BCF controller, the TACACS server shows offline... although it is actually hitting the CPPM... so it could be an issue with the BCF controller. Any help is appreciated. Thanks!



  • 6.  RE: TACACS Authorization Fails - Big Cloud Fabric Controller

    Posted Apr 27, 2017 07:23 PM

    Hi David,


    1. Did you import the Big Switch dictionary to CPPM as mentioned in comment #3?

    2. Do you see any alert in the CPPM access tracker during the authentication attempt?

    3. If there is no alert, please check the Output tab in the access tracker for the RADIUS attribute that CPPM enforced and let us know.



  • 7.  RE: TACACS Authorization Fails - Big Cloud Fabric Controller

    Posted May 03, 2017 12:13 PM

    Thanks for the reply.


    1. Yes, I did import the dictionary to CPPM.


    2. In access tracker, I see that my AD credentials get authenticated fine; on the BCF controller, though, it gives me an access denied... so I'm thinking the BCF controller isn't liking an attribute given.


    3. There is no Output tab for the TACACS source in access tracker... at least when I tried pulling it up. I cannot see anywhere in Access tracker the attributes given for TACACS. I can see it for RADIUS profiles that we have set up for other purposes.


    Thank you



  • 8.  RE: TACACS Authorization Fails - Big Cloud Fabric Controller

    Posted Nov 05, 2019 05:40 AM

    Thanks for this post - I had a similar issue with another vendor (Gigamon) who supplied an XML with the name attribute set to name="Gigamon:unknown" - I had to edit it to name="shell:unknown".


    No doubt a bug, and when I upgrade the device it'll stop working :-)


    This would have taken me a lot more time to work out on my own!
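The dictionary fix from posts #3, #4 and #8, as an added script (not ClearPass code and not posted by anyone in this thread): it parses an exported TACACS dictionary in the format shown in post #4, lists the service names it defines, and renames the single dictionary to the service quoted in the "not enabled" alert. The sample export is constructed from post #4's XML with the pre-fix name "BigSwitch"; the alert wording is assumed to match post #1.

```python
import re
import xml.etree.ElementTree as ET

NS = "http://www.avendasys.com/tipsapiDefs/1.0"
DICT_TAG = f"{{{NS}}}TacacsServiceDictionary"
XML_DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'

# Constructed sample: a vendor-supplied export whose name is the vendor,
# not the service the device actually requests (the situation in post #4).
SAMPLE_EXPORT = XML_DECL + """<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TipsHeader exportTime="Wed Feb 10 21:15:00 CST 2016" version="1.0"/>
<TacacsServiceDictionaries>
<TacacsServiceDictionary dispName="Big Switch Networks" name="BigSwitch">
<ServiceAttribute dataType="String" dispName="BSN User Role" name="BSN-User-Role"/>
</TacacsServiceDictionary>
</TacacsServiceDictionaries>
</TipsContents>
"""

def requested_service(alert_text):
    """Pull the service name out of a 'service=... not enabled' alert (wording assumed)."""
    m = re.search(r"service=(\S+) not enabled", alert_text)
    return m.group(1) if m else None

def service_names(xml_text):
    """List the TACACS+ service names an export defines (what the device must request)."""
    return [d.get("name") for d in ET.fromstring(xml_text).iter(DICT_TAG)]

def rename_service(xml_text, old_name, new_name):
    """Return the export with exactly one dictionary renamed; its attributes are untouched."""
    ET.register_namespace("", NS)  # keep the default namespace, no ns0: prefixes on output
    root = ET.fromstring(xml_text)
    hits = [d for d in root.iter(DICT_TAG) if d.get("name") == old_name]
    if len(hits) != 1:
        raise ValueError(f"expected one dictionary named {old_name!r}, found {len(hits)}")
    hits[0].set("name", new_name)
    return XML_DECL + ET.tostring(root, encoding="unicode")

def fix_export_for_alert(xml_text, alert_text):
    """Rename the single dictionary in an export to the service the alert names."""
    wanted = requested_service(alert_text)
    (current,) = service_names(xml_text)  # fails loudly if the export holds several
    return xml_text if current == wanted else rename_service(xml_text, current, wanted)
```

The same rename covers the Gigamon case in post #8 (name="Gigamon:unknown" to name="shell:unknown"); the resulting file is imported under Administration --> Dictionaries --> Import as in post #3.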



  • 9.  RE: TACACS Authorization Fails - Big Cloud Fabric Controller

    Posted Nov 29, 2017 01:07 PM

    Hey guys,


    Thanks for all the information in this thread. I've come back to this as the Big Switch switches are now in production. 


    I have admin access working via ClearPass TACACS. I am having trouble now with read-only access. I have an Enforcement Profile being hit, which is what I want, but it's still allowing admin access to make changes. Please see below: [image.png]

    I have changed the privilege level to 0 and 1 and 15 and that didn't seem to do anything (broke at 0 as it was lower than what was being requested by Big Switch, which was "1"). When I do a "whoami" on Big Switch, it shows that I am in the "admin" and "read-only" groups... not sure why.


    Anyone figured out how to do this?


    Thanks!