Wired Intelligent Edge (Campus Switching and Routing)

Contributor I

ArubaOS-CX Tacacs authentication

Hello,

 

Did anyone get tacacs authentication and authorization working in Clearpass for the ArubaOS-CX switches?

 

I set up ClearPass and configured the switch as follows:

tacacs-server host 10.13.111.19 vrf default
aaa group server tacacs clearpass
server 10.13.111.19 vrf default

tacacs-server key plaintext mypasskey123
tacacs-server auth-type chap

aaa authentication login default group clearpass local

aaa authentication allow-fail-through

When I don't add the switch IP to the devices, I get a message in the event viewer about an unknown NAD, which is to be expected.

But when I do add the switch IP to the devices list with the key as defined in the switch, I only sometimes (almost never) see any messages anymore in the event viewer or the Access Tracker.

I'm currently testing with ArubaOS-CX Version : TL.10.02.0001 and Clearpass 6.7.2

 

With kind regards,

Rens


MVP Expert

Re: ArubaOS-CX Tacacs authentication

Hi Rensk,

 

It works for me...

Is your ArubaCX an L3 router (with multiple interfaces)?

Have you configured the IP source interface for TACACS?



PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)

PowerArubaIAP: Powershell Module to use Aruba Instant AP

PowerArubaMC: Powershell Module to use Mobility Controller / Master


ACMP 6.4 / ACMX #107 / ACCP 6.5 / ACSP
Contributor I

Re: ArubaOS-CX Tacacs authentication

Hello alagoutte,

 

I'm currently testing with an empty switch. Only one L3 interface has been setup.

 

Anyhow I tested with setting up the source interface. No change in behaviour.

 

When I don't define the NAD in ClearPass or enter the wrong pre-shared key, I get a notification in the Event viewer every time I try to log in. As soon as I define the correct NAD settings, all notifications dry up.

Nothing in the Event viewer; nothing in the Access Tracker.

 

Can you share your config? Which ArubaOS-CX version are you using?

 

Regards,

 

Rens

MVP Expert

Re: ArubaOS-CX Tacacs authentication

It is the same configuration (I tried with 10.1, but I can look at trying with 10.2).

You didn't forget to add the TACACS service?



Contributor II

Re: ArubaOS-CX Tacacs authentication

Do you have a TACACS service configured in ClearPass? If you add the NAD, and it properly sends a request, you should see something in Access Tracker.

Can you run a show tacacs-server detail?
Also run a show aaa authentication?

Also, why do you have fail-through enabled? You only have one server in the server group, so it shouldn't be necessary (unless my understanding of fail-through is wrong, and different than the WLCs).

Chris Wickline | Network Engineer | York College of Pennsylvania
Contributor I

Re: ArubaOS-CX Tacacs authentication

Hello cwickline14,

 


@cwickline14 wrote:

Do you have a TACACS service configured in ClearPass? If you add the NAD, and it properly sends a request, you should see something in Access Tracker.


I've just tested, but only when I use PAP instead of CHAP do you see something in the Access Tracker. With CHAP I almost never get something in the Access Tracker.

 

Can you run a show tacacs-server detail?
Also run a show aaa authentication?

8320# show aaa authentication
AAA Authentication:
Fail-through : Enabled
Limit Login Attempts : Not set
Lockout Time : 300
Minimum Password Length : Not set

Default Authentication for All Channels:
----------------------------------------------------------------------------------------------------------------------------------
GROUP NAME | GROUP PRIORITY
----------------------------------------------------------------------------------------------------------------------------------
clearpass | 0
----------------------------------------------------------------------------------------------------------------------------------
8320# show tacacs-server detail
******* Global TACACS+ Configuration *******

Shared-Secret: AQBapeZNldLuxrMvpYdzUXZrR4sZ95R9PjZRHNpSp8QcCG/oDAAAAPdrx0iq4S50CpjxWw==
Timeout: 5
Auth-Type: chap
Number of Servers: 1

****** TACACS+ Server Information ******
Server-Name : 10.13.111.19
Auth-Port : 49
VRF : default
Shared-Secret (default) : AQBapeZNldLuxrMvpYdzUXZrR4sZ95R9PjZRHNpSp8QcCG/oDAAAAPdrx0iq4S50CpjxWw==
Timeout (default) : 5
Auth-Type : pap
Server-Group : clearpass
Group-Priority : 1

 

Also, why do you have fail-through enabled? You only have one server in the server group, so it shouldn't be necessary (unless my understanding of fail-through is wrong, and different than the WLCs).


If the clearpass servers aren't reachable I would like to have the ability to login to the switch with the local admin account. That's why I enabled failthrough.

 

Now that I've enabled PAP it's sort of working.

[image: Screenshot_1.png]

But I get two access requests. The first one fails with:

Tacacs server: Invalid Sequence number

The second one works.
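Both symptoms discussed in this thread (the "Invalid Sequence number" rejection and the PAP versus CHAP difference) are visible in the TACACS+ packet itself. The following is an added example, not code from this thread or from Aruba/ClearPass: it builds an authentication START packet per RFC 8907, obfuscates the body with the shared secret, and then inspects it the way a server would, flagging a wrong sequence number or a body that no longer parses (the usual sign of a mismatched shared secret). The shared secret, username, port and remote address are constructed sample values.

```python
import hashlib
import os
import struct

# Constant values are taken from RFC 8907 (TACACS+), not from the thread.
VERSION_PAP_CHAP = 0xC1                      # major 0xC, minor 1: required for PAP/CHAP START
TYPE_AUTHEN = 0x01
AUTHEN_TYPE = {0x01: "ascii", 0x02: "pap", 0x03: "chap", 0x05: "mschap", 0x06: "mschapv2"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream that obfuscates the body: MD5(session_id, key, version, seq_no[, prev])."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def build_start(key, user, authen_type, data, seq_no=1, session_id=None):
    """Client-side authentication START (action LOGIN, priv 1, service LOGIN), body obfuscated."""
    session_id = session_id or os.urandom(4)
    port, rem_addr = b"ssh", b"192.0.2.10"      # constructed sample values, not from a capture
    body = struct.pack("!8B", 1, 1, authen_type, 1, len(user), len(port), len(rem_addr), len(data))
    body += user.encode() + port + rem_addr + data
    pad = pseudo_pad(session_id, key, VERSION_PAP_CHAP, seq_no, len(body))
    header = struct.pack("!BBBB4sI", VERSION_PAP_CHAP, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + bytes(a ^ b for a, b in zip(body, pad))

def inspect_start(packet, key):
    """Server-side view: check the header, de-obfuscate, and report authen_type plus any problems."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    problems = []
    if version >> 4 != 0xC:
        problems.append("bad major version")
    if ptype != TYPE_AUTHEN:
        problems.append("not an authentication packet")
    if seq_no != 1:                               # a START must open the session with seq_no 1
        problems.append("invalid sequence number")
    if len(packet) - 12 != length:
        problems.append("header length does not match payload")
    body = bytes(a ^ b for a, b in zip(packet[12:], pseudo_pad(session_id, key, version, seq_no, length)))
    if len(body) < 8:
        return {"authen_type": None, "user": "", "seq_no": seq_no, "problems": problems + ["truncated body"]}
    _action, _priv, atype, _svc, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if 8 + ulen + plen + rlen + dlen != length:   # garbage after XOR usually means a wrong shared secret
        problems.append("body lengths inconsistent (wrong shared secret?)")
    return {"authen_type": AUTHEN_TYPE.get(atype, "unknown(%d)" % atype),
            "user": body[8:8 + ulen].decode(errors="replace"),
            "seq_no": seq_no, "problems": problems}
```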

Contributor II

Re: ArubaOS-CX Tacacs authentication

I just deployed the 10.02 OVA, and I'm having the same issue. If I do PAP, it sends two requests, but I can access the switch.

However, when I do CHAP, I do still see the request in ClearPass; it just can't categorize it. (I'm looking into that.) In Access Tracker, filter for the NAD IP address and see if it shows up.

Edit**

A quick Google search and I came across this: https://community.arubanetworks.com/t5/Security/Clearpass-and-Fortigate-TACACS-auth-fail/td-p/315220

It seems like CHAP might not be supported in ClearPass...


MVP Expert

Re: ArubaOS-CX Tacacs authentication


@cwickline14 wrote:

I just deployed the 10.02 OVA, and I'm having the same issue. If I do PAP, it sends two requests, but I can access the switch.

However, when I do CHAP, I do still see the request in ClearPass; it just can't categorize it. (I'm looking into that.) In Access Tracker, filter for the NAD IP address and see if it shows up.


Missing CHAP in the authentication methods? (You use TACACS?)

I get the same issue with RADIUS (the double request...), but it comes from the SSH server of ArubaCX... (for discovering the supported ciphers...)



Contributor II

Re: ArubaOS-CX Tacacs authentication

There isn't an option to choose authentication methods for TACACS services, unless I'm missing something.

[image: TACACS_Screen.PNG]

Contributor I

Re: ArubaOS-CX Tacacs authentication

Found this post from one and a half years ago: https://community.arubanetworks.com/t5/Security/Clearpass-and-Fortigate-TACACS-auth-fail/td-p/315220

According to this article, TACACS+ with CHAP isn't supported on ClearPass.

Can't confirm if it's true, but this seems to match what we see.
