Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

TACACS with ClearPass Policy Manager

  • 1.  TACACS with ClearPass Policy Manager

    Posted Dec 19, 2012 07:32 PM

    Hey there,

    So, I am using CPPM for TACACS+ authentication with our Cisco infrastructure... Works great... I can configure CPPM to place me either into user exec mode or privileged exec mode directly with no issues... Authenticates with AD perfectly... I was curious though, if anyone knows how to configure ClearPass Policy Manager to be used for the enable password on, say, a Cisco switch...? On a Cisco switch I would configure this AAA line:

    aaa authentication enable default group tacacs+ local

    Per the above config, the Cisco switch will forward enable mode password requests to CPPM, but where in CPPM do I enable it to accept this? I can see under "Devices" there is a tab for CLI that has an Enable Password section, but I don't think that is the correct way to configure this...

    Thanks in advance!!



  • 2.  RE: TACACS with ClearPass Policy Manager

    Posted Dec 19, 2012 07:37 PM

    FYI, we are running CPPM 5.2...

    Thanks!



  • 3.  RE: TACACS with ClearPass Policy Manager

    EMPLOYEE
    Posted Dec 19, 2012 07:53 PM

    Edit:

    Never mind. Wrong answer.

    To clarify, you want to forward the Enable Password Request to CPPM so that CPPM responds with the enable password?



  • 4.  RE: TACACS with ClearPass Policy Manager

    Posted Dec 19, 2012 09:58 PM

    I had seen this setup with FreeRADIUS outside of CPPM at one time, and I seem to remember a username being created in a local DB (username would show up in that failed request in Access Tracker) with a password of the enable password. When you enable the above command on the Cisco side, what do you see in Access Tracker for that failed attempt? It should show you a username logon attempt; does it show a service type of NAS-Prompt-User?

    If you can get this from a failed attempt in Access Tracker, maybe you can then create a Service around that user/service type and a corresponding Enforcement Profile of type TACACS+ Based Enforcement, returning a Privilege Level of 15 and Selected Services as Shell. Again, I have not done this before, but just trying to match up CPPM to a traditional FreeRADIUS configuration.



  • 5.  RE: TACACS with ClearPass Policy Manager

    Posted Dec 20, 2012 09:45 AM

    To answer cjoseph, yes, you are correct... I want CPPM to be used for sending Cisco infrastructure authentication on to AD, and I also want CPPM to authenticate the enable password (via a local account like clembo said) if possible...

    Thanks clembo for your great points... here is what I see within CPPM after entering the enable password on a Cisco switch with the AAA command above configured:

    Incorrect password for user='xxx' @ Active Directory(dc.ourdomain.com).
    Failed to authenticate user=xxx

    So it looks like CPPM is matching the enable password authentication request to the same rule that is used for AD authentication... Would I need to create another Service (above the AD service), like you said clembo, and have that refer the enable password request to a local account?

    Thanks for your help!



  • 6.  RE: TACACS with ClearPass Policy Manager

    Posted Dec 20, 2012 09:51 AM

    One more clarification... when I authenticate to a Cisco switch and it matches correctly on the TACACS AD auth rule and I get into the switch... I then try and go into enable mode and, where with the previous post I tried using the local enable password, I just now tried using my AD password for the enable password and this is what it said in the log:

    Authentication Request Messages
    Error Category:  Tacacs authentication
    Error Code:  Authentication privilege level mismatch

    Alerts for this Request :
    Tacacs server Requested priv_level= greater than Max Allowed priv_level=

    Any ideas?



  • 7.  RE: TACACS with ClearPass Policy Manager

    Posted Dec 20, 2012 09:53 AM

    Sorry for the repeated postings... :smileyhappy: But I thought I should clarify, I would prefer that the enable password is local to CPPM versus using my AD password...

    Thanks!



  • 8.  RE: TACACS with ClearPass Policy Manager

    Posted Dec 22, 2012 12:06 AM

    Any other ideas? I am able to get the enable password authentication request to work through CPPM, alas, it is my AD password, which I just entered for user-mode authentication... So, currently, I can authenticate via CPPM and also authenticate the enable PW as well through CPPM, but I don't want the enable password to be derived from AD, I want the enable PW to be a local account on CPPM instead, thus making it, A) more secure per it being a different PW than my AD and B) not the local (to the device) enable PW, per if I want to change the enable PW, I wouldn't have to do it on each individual device, I could just go into CPPM and change it once for everything... Does that make sense?

    When I watch the logs when I authenticate with the enable PW, it shows an authentication request that looks identical to the initial username\password authentication on the switch... So, I am not sure how I\if I could create a separate service that would somehow catch the enable authentication part and point it to a local Username\Password...

    Thanks for your help!



  • 9.  RE: TACACS with ClearPass Policy Manager

    EMPLOYEE
    Posted Dec 22, 2012 12:18 AM

    Okay. Let's be clear:

    What is the purpose of a machine entering an enable password if you don't want someone to have exec privileges?

    Everyone that is in an AD group that you want to have Exec privileges, just let CPPM return privilege 15. Everybody else, do not, and just allow them to have a subset of privileges. That way nobody knows the enable password. What else do you want to accomplish and how many levels do you want to enforce?
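    The two failures shown earlier in this thread (the enable secret being checked against AD in post 5, and the "Requested priv_level greater than Max Allowed priv_level" alert in post 6) and the group-based privilege decision recommended just above can be modelled in a few lines. The following is an added illustration, not ClearPass or Cisco code; the AD group names, usernames and the numeric values in the sample log lines are constructed, and the `GROUP_PRIV_LEVEL` mapping is an assumed policy standing in for a CPPM role mapping plus a TACACS+ enforcement profile.

```python
"""Model of the TACACS+ enable-mode decision and the two Access Tracker
failures discussed in this thread.  Added example, not ClearPass or Cisco
code; group names, usernames and log line values are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumed AD-group -> maximum privilege level policy.  This is the approach
# cjoseph describes: the admin group gets 15, everyone else a smaller subset,
# so no shared enable password has to exist at all.
GROUP_PRIV_LEVEL: Dict[str, int] = {
    "NetAdmins": 15,   # constructed group name
    "NetOps": 7,       # constructed group name
}
DEFAULT_PRIV_LEVEL = 1  # user exec only


@dataclass(frozen=True)
class TacacsAuthnRequest:
    username: str
    requested_priv_level: int    # IOS 'enable' with no argument asks for 15
    ad_groups: Tuple[str, ...]   # groups CPPM learned from the AD lookup


def max_allowed_priv_level(groups) -> int:
    """Highest privilege level any of the user's groups maps to."""
    return max((GROUP_PRIV_LEVEL.get(g, DEFAULT_PRIV_LEVEL) for g in groups),
               default=DEFAULT_PRIV_LEVEL)


def evaluate_enable(req: TacacsAuthnRequest):
    """Mimic the check behind the 'privilege level mismatch' error.

    Returns ("ACCEPT", granted_level) or ("REJECT", reason).  The reason text
    follows the shape of the Access Tracker alert quoted in post 6.
    """
    allowed = max_allowed_priv_level(req.ad_groups)
    if req.requested_priv_level > allowed:
        return ("REJECT",
                f"Tacacs server Requested priv_level={req.requested_priv_level} "
                f"greater than Max Allowed priv_level={allowed}")
    return ("ACCEPT", req.requested_priv_level)


# Patterns for the two Access Tracker messages quoted in posts 5 and 6.
_AD_PASSWORD_RE = re.compile(
    r"Incorrect password for user='(?P<user>[^']+)' @ Active Directory")
_PRIV_MISMATCH_RE = re.compile(
    r"Requested priv_level=(?P<req>\d+) greater than "
    r"Max Allowed priv_level=(?P<max>\d+)")


def classify_failure(log_text: str) -> dict:
    """Label an Access Tracker failure so an operator knows which knob to turn."""
    m = _PRIV_MISMATCH_RE.search(log_text)
    if m:
        return {"cause": "priv_level_mismatch",
                "requested": int(m["req"]), "max_allowed": int(m["max"]),
                "fix": "raise Privilege Level in the TACACS+ enforcement profile"}
    m = _AD_PASSWORD_RE.search(log_text)
    if m:
        return {"cause": "ad_password_rejected", "user": m["user"],
                "fix": "the enable request matched the AD service; the typed "
                       "secret was checked against the AD password"}
    return {"cause": "unknown"}


if __name__ == "__main__":
    # Constructed requests: an admin and an operator both typing 'enable'.
    for req in (TacacsAuthnRequest("alice", 15, ("NetAdmins",)),
                TacacsAuthnRequest("bob", 15, ("NetOps",))):
        print(req.username, evaluate_enable(req))
    # Constructed log text modelled on post 6, with values filled in.
    print(classify_failure("Alerts for this Request :\n"
                           "Tacacs server Requested priv_level=15 greater than "
                           "Max Allowed priv_level=1"))
```

    Run as-is, the script shows the admin accepted at level 15, the operator rejected with the same alert text seen in post 6, and the classifier pointing at the enforcement profile's Privilege Level as the setting to change.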



  • 10.  RE: TACACS with ClearPass Policy Manager

    Posted Jan 24, 2013 04:30 PM

    eyeofthebeholder,

    Sorry, I can't answer your question. More or less I am trying to get to where you are at now. We are trying to do a PoC on using ClearPass TACACS as an ACS replacement. I do not see too many detailed guides to the TACACS service config. Just some general stuff on the features but no REAL examples.

    The enforcement profiles & policies are very "grey" when it comes to info on TACACS, so I am curious what you set up???

    Can you share some of your setup steps to help me along?

    Thanks



  • 11.  RE: TACACS with ClearPass Policy Manager

    EMPLOYEE
    Posted Jan 24, 2013 04:38 PM

    Vinsona,

    Please consult the "Deploying a TACACS Service" technote here: http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=7658



  • 12.  RE: TACACS with ClearPass Policy Manager

    Posted Jan 24, 2013 05:25 PM

    Thanks for the link Colin,

    This is helpful but I am still a little fuzzy on the Role Mappings. There are a few "pre-installed" role mappings for TACACS in CPPM. While I see the name "TACACS SUPER ADMIN", am I to assume that role would provide level 15 access to my Cisco devices? The description says "Super admin access for Policy Manager Admin" so I thought this was just for ClearPass?

    Basically, I am not sure how/where/what to configure to allow users matching a role to be assigned the proper priv levels for the TACACS devices.

    thanks



  • 13.  RE: TACACS with ClearPass Policy Manager

    EMPLOYEE
    Posted Jan 24, 2013 05:45 PM

    You should look at the CPPM policy model document here: http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=7849

    It explains what each module is for. It is easier to create something from the start with the QuickStart link and create a TACACS Service from scratch.

    Anything built-in for TACACS is simply for management authentication to the CPPM box and should not be used.