Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

TACACS service on ClearPass

  • 1.  TACACS service on ClearPass

    EMPLOYEE
    Posted Jan 08, 2019 04:02 PM

    Hello,

    Customer using ClearPass with Cisco switches had the following question.

    "For the TACACS service in ClearPass, when there is no service match, our Cisco devices do not fall back to local authentication, because the TACACS server is still running and replying back to the device, it appears. Is there a way to circumvent this in the event that there is no service match and to simply not respond?"

    To my understanding, as long as ClearPass is alive, the switch will not fall back to local authentication.

    Posting this question to confirm if there is a way around this for the customer's ask.

     

    Thanks in advance,

    Kandhla

  • 2.  RE: TACACS service on ClearPass

    Posted Jan 08, 2019 09:00 PM

    This is how Cisco IOS works, unfortunately. There is nothing much you can do on ClearPass for this issue. As long as the TACACS server is reachable, Cisco IOS will not fall back to local authentication. As a workaround, can you try putting local auth ahead of TACACS:

    aaa authentication login default local group tacacs+



  • 3.  RE: TACACS service on ClearPass

    EMPLOYEE
    Posted Jan 09, 2019 03:45 PM

    Not sure if putting local authentication first would be the best alternative.

    Thanks for the response.

    -Kandhla
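
The fallback behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model of how an IOS login method list is walked. It assumes that only an ERROR (no reply from the server or, for `local`, a username missing from the local database) moves evaluation to the next method, and that the original configuration was TACACS+ first with local second; the user names, passwords and function names are constructed.

```python
# Simplified model of Cisco IOS login method-list evaluation (added example).
# Assumption: IOS moves to the next method only when the current method returns
# ERROR (no usable answer); PASS and FAIL are both final.
from enum import Enum

class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # explicit reject: evaluation stops here
    ERROR = "error"  # no answer: the next method in the list is tried

# Constructed sample data, not taken from the thread.
LOCAL_USERS = {"breakglass": "local-secret"}
TACACS_USERS = {"alice": "tacacs-secret"}

def local_method(user, password):
    # Assumption: a username missing from the local database counts as ERROR,
    # while a wrong password for an existing local user is FAIL.
    if user not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[user] == password else Result.FAIL

def tacacs_method(user, password, server_state):
    # server_state: "up" (a service matches), "no_service_match" (server still
    # replies, with a failure), or "down" (no reply, the request times out).
    if server_state == "down":
        return Result.ERROR
    if server_state == "no_service_match":
        return Result.FAIL
    return Result.PASS if TACACS_USERS.get(user) == password else Result.FAIL

def authenticate(method_list, user, password, server_state):
    """Walk the method list in order; return (deciding_method, result)."""
    for name in method_list:
        if name == "local":
            result = local_method(user, password)
        else:
            result = tacacs_method(user, password, server_state)
        if result is not Result.ERROR:
            return name, result
    return method_list[-1], Result.FAIL  # every method errored: deny

TACACS_FIRST = ["group tacacs+", "local"]  # assumed original ordering
LOCAL_FIRST = ["local", "group tacacs+"]   # ordering suggested in reply 2

if __name__ == "__main__":
    for state in ("up", "no_service_match", "down"):
        for ml in (TACACS_FIRST, LOCAL_FIRST):
            print(state, ml, authenticate(ml, "breakglass", "local-secret", state))
```

In this model, with `local` first a matching local account decides the login before ClearPass is asked at all, while TACACS+-only users are still subject to the server's reply.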