New Contributor

TACACS authorization for the same user with different roles on different device groups

Hi Team

Could you please help me understand this TACACS question.

1. Is it possible to give different levels of access to the same user based on device type?

Ex: testuser1 should have read-only access to all Cisco devices and maintenance access to Juniper devices. We are using Active Directory as the authentication source. testuser1 is a member of the Readonly and Maintenance groups in Active Directory.

 

In CPPM, I defined the Juniper maintenance role and the Cisco read-only role, and did the role mapping using device groups and AD groups:

1. (Authorization:test-AD:Groups EQUALS tacacsreadonly) AND (Connection:NAD-IP-Address BELONGS_TO_GROUP device-group_Cisco) -> CP-Readonly Cisco role
2. (Authorization:test-AD:Groups EQUALS tacacsmaintenance) AND (Connection:NAD-IP-Address BELONGS_TO_GROUP device-group_Cisco) -> CP-maintenance Cisco role
3. (Authorization:test-AD:Groups EQUALS tacacsreadonly) AND (Connection:NAD-IP-Address BELONGS_TO_GROUP Devicegroup-Juniper) -> CP-Readonly Juniper role
4. (Authorization:test-AD:Groups EQUALS tacacsmaintenance) AND (Connection:NAD-IP-Address BELONGS_TO_GROUP Devicegroup-Juniper) -> CP-maintenance Juniper role

Then I created enforcement policies using the device groups and the TIPS role.

 

But I am stuck on where we can specify that user1 is a member of the readonly@cisco device group and the maintenance@Juniper device group.

 

Thanks

Yada

Frequent Contributor II

Re: TACACS authorization for the same user with different roles on different device groups

Hello,

 

You are almost done. Now you only need to create two enforcement profiles:

1. To match a read-only role on the Cisco switch.

2. To match a management-authorized role on the Juniper switch.

 

Map these enforcement profiles in the enforcement policy accordingly on ClearPass; ClearPass will return that role to the switch when the user authenticates.

 

Hope this helps.

 

--

 

- If you got what you need from my answer, please give kudos and mark it as the solution.
New Contributor

Re: TACACS authorization for the same user with different roles on different device groups

Hi Fayyaz,

 

Thank you for your response.

 

I already created a Cisco read-only profile, a Cisco maintenance profile, a Juniper read-only profile and a Juniper maintenance profile, and I created enforcement policies based on the TIPS role and the device type: if the device type is Cisco and the role is read-only, the action is Cisco read-only; if maintenance, Cisco maintenance; and similarly for Juniper.

And I combined all of this in a Cisco service and a Juniper service.

My basic question is: at the AD level the user is assigned to both the read-only and maintenance groups. When the request comes to the device, how will the device know whether to go for read-only or maintenance? It is currently taking the first one in the list.

Where can we specify that user1 is a member of the readonly@cisco device group and the maintenance@Juniper device group?

 

Thanks

Yada

New Contributor

Re: TACACS authorization for the same user with different roles on different device groups

Hi Yada,

You can accomplish this in a number of ways.

1. Create new AD groups for Cisco Read-Only, Cisco Maintenance, Juniper Read-Only and Juniper Maintenance, and add only the users that need the required access.

2. In ClearPass, you can nest conditions in your Enforcement Policy Rules that will check the following:

  • Device - the network device will be added to a Network Device Group to allow for proper identification
  • AD user group - check the memberOf attribute to see if the user is a member of a group with access
  • AD username - this one is extremely specific and would require multiple rules should you have multiple people this applies to

Here is what a rule might look like for a Cisco device and a user with the username user1 who belongs to the Cisco ReadOnly AD group:

[image.png: screenshot not reproduced]

The role mapping is where you would apply these roles, and this is what that might look like:

[image (2).png: screenshot not reproduced]

My suggestion would be to use the convenience of Active Directory and have specific groups with specific people in those groups. This will keep administrative upkeep to a minimum and keep the rule sets cleaner.
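To make the evaluation described in the two replies above concrete, here is an added example written for this page. It is not ClearPass code and was not posted by anyone in the thread; it models the four role-mapping rules from the original post and the per-vendor AD groups suggested in the last reply as plain Python. The NAD subnets, the per-vendor AD group names (cisco-readonly, juniper-maintenance, and so on), the usernames and the TACACS+ attributes each profile returns are all constructed assumptions. It shows why a user in both shared AD groups gets the first matching role on every device, and why one AD group per vendor and access level yields exactly one role per device.

```python
"""Model of how ClearPass role mapping and enforcement resolve the case in this thread.

Added example written for this page; it is not ClearPass code. Device-group
subnets, per-vendor AD group names, usernames and the TACACS+ attributes
returned by each profile are constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: which NAD subnets belong to which ClearPass network device group.
DEVICE_GROUPS = {
    "device-group_Cisco": [ipaddress.ip_network("10.1.1.0/24")],
    "Devicegroup-Juniper": [ipaddress.ip_network("10.2.2.0/24")],
}


def device_groups_of(nad_ip):
    """Device groups a NAD IP belongs to (Connection:NAD-IP-Address BELONGS_TO_GROUP)."""
    ip = ipaddress.ip_address(nad_ip)
    return {name for name, nets in DEVICE_GROUPS.items() if any(ip in net for net in nets)}


@dataclass(frozen=True)
class RoleRule:
    ad_group: str      # Authorization:<AD source>:Groups EQUALS <ad_group>
    device_group: str  # Connection:NAD-IP-Address BELONGS_TO_GROUP <device_group>
    tips_role: str     # TIPS role assigned when both conditions hold


# The four rules from the original post: one AD group per access level,
# shared across vendors, each combined with a device-group condition.
SHARED_GROUP_RULES = [
    RoleRule("tacacsreadonly", "device-group_Cisco", "CP-Readonly Cisco role"),
    RoleRule("tacacsmaintenance", "device-group_Cisco", "CP-maintenance Cisco role"),
    RoleRule("tacacsreadonly", "Devicegroup-Juniper", "CP-Readonly Juniper role"),
    RoleRule("tacacsmaintenance", "Devicegroup-Juniper", "CP-maintenance Juniper role"),
]

# The last reply's suggestion: one AD group per (vendor, access level).
# The group names here are assumptions.
VENDOR_GROUP_RULES = [
    RoleRule("cisco-readonly", "device-group_Cisco", "CP-Readonly Cisco role"),
    RoleRule("cisco-maintenance", "device-group_Cisco", "CP-maintenance Cisco role"),
    RoleRule("juniper-readonly", "Devicegroup-Juniper", "CP-Readonly Juniper role"),
    RoleRule("juniper-maintenance", "Devicegroup-Juniper", "CP-maintenance Juniper role"),
]

# Enforcement profiles keyed by TIPS role. Attribute values are assumptions:
# priv-lvl is the standard TACACS+ shell attribute, local-user-name the Junos one.
TACACS_PROFILES = {
    "CP-Readonly Cisco role": {"service": "shell", "priv-lvl": "1"},
    "CP-maintenance Cisco role": {"service": "shell", "priv-lvl": "15"},
    "CP-Readonly Juniper role": {"service": "junos-exec", "local-user-name": "readonly"},
    "CP-maintenance Juniper role": {"service": "junos-exec", "local-user-name": "maintenance"},
}


def map_roles(ad_groups, nad_ip, rules, first_applicable=True):
    """Evaluate role-mapping rules top to bottom.

    first_applicable=True stops at the first rule whose conditions hold, which is
    the behaviour the original poster observed ("taking the first one in the list").
    False assigns every matching role, as an 'evaluate all' policy would.
    """
    groups = device_groups_of(nad_ip)
    matched = [r.tips_role for r in rules
               if r.ad_group in ad_groups and r.device_group in groups]
    return matched[:1] if first_applicable else matched


def enforce(ad_groups, nad_ip, rules):
    """TACACS+ attributes of the first applicable profile, or None when no role maps."""
    roles = map_roles(ad_groups, nad_ip, rules)
    return TACACS_PROFILES[roles[0]] if roles else None


if __name__ == "__main__":
    cisco, juniper = "10.1.1.7", "10.2.2.5"
    # testuser1 as described in the thread: member of both shared AD groups.
    shared = {"tacacsreadonly", "tacacsmaintenance"}
    print("shared groups, Cisco  :", map_roles(shared, cisco, SHARED_GROUP_RULES))
    print("shared groups, Juniper:", map_roles(shared, juniper, SHARED_GROUP_RULES))
    print("evaluate-all, Juniper :", map_roles(shared, juniper, SHARED_GROUP_RULES, False))
    # The same user after splitting the AD groups per vendor.
    split = {"cisco-readonly", "juniper-maintenance"}
    print("split groups, Cisco   :", enforce(split, cisco, VENDOR_GROUP_RULES))
    print("split groups, Juniper :", enforce(split, juniper, VENDOR_GROUP_RULES))
```

With the shared groups, both Juniper rules hold for testuser1, so first-match returns the read-only role on Juniper even though maintenance was intended, and "evaluate all" merely pushes the same ambiguity down to the enforcement policy. With one AD group per vendor and level, exactly one rule holds per device, so the order of the rules no longer matters. A NAD that belongs to no device group maps no role at all, which is the safe default.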

 
