Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Using CPPM for TACACS Authentication of Cisco Devices

  • 1.  Using CPPM for TACACS Authentication of Cisco Devices

    Posted Jul 19, 2015 02:24 PM

    Hi All,

    We would like to use our ClearPass server connected to our AD to do TACACS authentication for our Cisco switches and routers.

    I have followed the guide here:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Configuring-TACACS-on-ClearPass-for-Cisco-switches/m-p/207431#M15726

    But I have some questions:

    1. Where should I define the Cisco switches' IP?

    • in the enforcement service rule, as I have done below
    • or in the enforcement profile's device group list

    2. In our Cisco switches, I have to configure a TACACS key, but I cannot find anywhere in the guide where it will be configured in our ClearPass.

    3. We want to define in our ClearPass the list of AD IDs allowed to access the switches.

    • Do I have to add one enforcement policy rule for each username?
    • or is there any other way I can do it?

    Configuration done in our ClearPass server:

    Created Enforcement Profile
    Created Enforcement Policy
    Created Enforcement Policy Rule -> Authorization:XXX-AD:UserDN CONTAINS rowell)

    Created TACACS+ Enforcement Service
    Added TACACS+ Enforcement Service Rule -> Connection NAD-IP-Address EQUALS x.x.x.x
    Added Authentication Sources: XXX-AD
    Added Enforcement Policy

    Thanks and more power to all.



  • 2.  RE: Using CPPM for TACACS Authentication of Cisco Devices
    Best Answer

    EMPLOYEE
    Posted Jul 19, 2015 02:27 PM

    1+2) Both the IP and key go under Configuration > Network > Devices. You add each one in with its IP and key.

    3) Use role mapping to map groups/OUs, etc. to a TACACS TIPS role. Then reference those TIPS roles in your enforcement policy. There are built-in TIPS roles you can use; just build a role map for them.



  • 3.  RE: Using CPPM for TACACS Authentication of Cisco Devices

    Posted Jul 19, 2015 02:38 PM

    Thanks for the quick reply.

    After creating the device(s), shall I create a device group and add it in the enforcement profile's device group list? Configuration » Enforcement » Profiles » Edit Enforcement Profile » Device Group List

    Or add it where?



  • 4.  RE: Using CPPM for TACACS Authentication of Cisco Devices

    Posted Jul 20, 2015 05:18 AM

    Let me know, Santi, if this TACACS works for you. It isn't working for me; ClearPass only gives priv level 15 regardless of what I put in the policy. I.e. I have it so that if you are a member of the AD Domain Admins group the profile is "priv 15", and if you are a member of the AD group helpdesk then you get the "priv 1" profile, but so far both groups' members are getting priv level 15 when logging in to a Cisco switch.

    I tried a couple of things but can't get ClearPass to push back priv levels to the switch.



  • 5.  RE: Using CPPM for TACACS Authentication of Cisco Devices
    Best Answer

    EMPLOYEE
    Posted Jul 20, 2015 05:51 AM

    @--santi-- wrote:

    Thanks for the quick reply.

    After creating the device(s), shall I create a device group and add it in the enforcement profile's device group list? Configuration » Enforcement » Profiles » Edit Enforcement Profile » Device Group List

    Or add it where?


    Santi,

    Please look at the ASE configuration here: https://ase.arubanetworks.com/solutions/id/80