ArubaOS-CX Tacacs authentication
02-22-2019 03:09 AM
Hello,
Did anyone get TACACS authentication and authorization working in Clearpass for the ArubaOS-CX switches?
I set up Clearpass and configured the switch as follows:
tacacs-server host 10.13.111.19 vrf default
aaa group server tacacs clearpass
    server 10.13.111.19 vrf default
tacacs-server key plaintext mypasskey123
tacacs-server auth-type chap
aaa authentication login default group clearpass local
aaa authentication allow-fail-through
When I don't add the switch IP to the devices I get a message in the Event Viewer about an unknown NAD, which is to be expected.
But when I do add the switch IP to the devices list with the key as defined in the switch, I sometimes (almost never) see messages anymore in the Event Viewer as well as the Access Tracker.
I'm currently testing with ArubaOS-CX version TL.10.02.0001 and Clearpass 6.7.2.
With kind regards,
Rens
Re: ArubaOS-CX Tacacs authentication
02-23-2019 09:57 AM
Hi Rensk,
It works for me...
Is your ArubaCX an L3 router (with multiple interfaces)?
Have you configured the IP source interface for TACACS?
PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info
PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info
PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)
PowerArubaIAP: Powershell Module to use Aruba Instant AP
PowerArubaMC: Powershell Module to use Mobility Controller / Master
ACMP 6.4 / ACMX #107 / ACCP 6.5 / ACSP
Re: ArubaOS-CX Tacacs authentication
02-24-2019 05:08 AM
Hello alagoutte,
I'm currently testing with an empty switch. Only one L3 interface has been set up.
Anyhow, I tested with setting up the source interface. No change in behaviour.
When I don't define the NAD in Clearpass or enter the wrong pre-shared key, I get a notification in the Event Viewer every time I try to log in. As soon as I define the correct NAD settings, all notifications dry up.
Nothing in the Event Viewer; nothing in the Access Tracker.
Can you share your config? Which ArubaOS-CX version are you using?
Regards,
Rens
Re: ArubaOS-CX Tacacs authentication
02-24-2019 11:20 AM
It is the same configuration (I tried with 10.1, but I can look at trying with 10.2).
You didn't forget to add the TACACS service?
Re: ArubaOS-CX Tacacs authentication
02-25-2019 04:29 PM
Do you have a TACACS service configured in Clearpass? If you add the NAD, and it properly sends a request, you should see something in the Access Tracker.
Can you run a "show tacacs-server detail"?
Also run a "show aaa authentication"?
Also, why do you have fail-through enabled? You only have one server in the server group, so it shouldn't be necessary (unless my understanding of fail-through is wrong, and different than the WLCs).
Re: ArubaOS-CX Tacacs authentication
02-26-2019 12:32 AM
Hello cwickline14,
@cwickline14 wrote: Do you have a TACACS service configured in Clearpass? If you add the NAD, and it properly sends a request, you should see something in the Access Tracker.
I've just tested, but only when I use PAP instead of CHAP do you see something in the Access Tracker. With CHAP I almost never get something in the Access Tracker.
@cwickline14 wrote: Can you run a "show tacacs-server detail"?
Also run a "show aaa authentication"?
8320# show aaa authentication
AAA Authentication:
  Fail-through            : Enabled
  Limit Login Attempts    : Not set
  Lockout Time            : 300
  Minimum Password Length : Not set

Default Authentication for All Channels:
------------------------------------------
GROUP NAME            | GROUP PRIORITY
------------------------------------------
clearpass             | 0
------------------------------------------

8320# show tacacs-server detail
******* Global TACACS+ Configuration *******
Shared-Secret: AQBapeZNldLuxrMvpYdzUXZrR4sZ95R9PjZRHNpSp8QcCG/oDAAAAPdrx0iq4S50CpjxWw==
Timeout: 5
Auth-Type: chap
Number of Servers: 1

****** TACACS+ Server Information ******
Server-Name             : 10.13.111.19
Auth-Port               : 49
VRF                     : default
Shared-Secret (default) : AQBapeZNldLuxrMvpYdzUXZrR4sZ95R9PjZRHNpSp8QcCG/oDAAAAPdrx0iq4S50CpjxWw==
Timeout (default)       : 5
Auth-Type               : pap
Server-Group            : clearpass
Group-Priority          : 1
@cwickline14 wrote: Also, why do you have fail-through enabled? You only have one server in the server group, so it shouldn't be necessary (unless my understanding of fail-through is wrong, and different than the WLCs).
If the Clearpass servers aren't reachable, I would like to have the ability to log in to the switch with the local admin account. That's why I enabled fail-through.
Now that I've enabled PAP it's sort of working.
But I get two access requests. The first one fails with:
Tacacs server Invalid Sequence number
The second one works.
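To make the "Invalid Sequence number" rejection and the PAP/CHAP auth-type distinction concrete, here is an added example (not code from this thread, Aruba or ClearPass) that encodes a TACACS+ authentication START packet as defined in RFC 8907 and applies the receiving side's header checks. The session id, shared secret and user are constructed placeholders; the sequence rule shown (a session opens at seq_no 1, client packets are odd) is the RFC's, and the example does not claim to reproduce ClearPass's internal logic.

```python
# Added example, not code from the thread or from Aruba/ClearPass: a minimal
# TACACS+ (RFC 8907) authentication START encoder and the receiving-side
# header checks that yield an "invalid sequence number" rejection.
# Session id, secret and user below are constructed placeholders.
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01
VERSION = 0xC1  # major 0xC, minor 1: the version used for PAP and CHAP logins
AUTHEN_TYPES = {1: "ascii", 2: "pap", 3: "chap", 5: "mschap", 6: "mschapv2"}


def obfuscate(session_id, key, version, seq_no, body):
    """RFC 8907 body obfuscation: XOR with a chained MD5 pseudo-pad (symmetric)."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))


def build_start(session_id, seq_no, key, authen_type, user, password):
    """Client START: action=LOGIN(1), priv_lvl=1, service=LOGIN(1), empty port/rem_addr.
    For PAP the password travels in 'data'; CHAP would carry id+challenge+response."""
    body = struct.pack("!8B", 1, 1, authen_type, 1, len(user), 0, 0, len(password))
    body += user + password
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(session_id, key, VERSION, seq_no, body)


def check_start(packet, key, expected_seq=1):
    """Server-side checks: a fresh session must open with seq_no 1, client packets
    are always odd, and authen_type must be one the server implements."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHEN:
        return "not an authentication packet"
    if seq_no != expected_seq or seq_no % 2 == 0:
        return "Invalid Sequence number"
    body = obfuscate(session_id, key, version, seq_no, packet[12:12 + length])
    if len(body) != length:
        return "truncated packet"
    authen = AUTHEN_TYPES.get(body[2], "unsupported authen_type")
    user = body[8:8 + body[4]].decode(errors="replace")
    return f"{authen}:{user}"
```

A START sent with seq_no 3 on a session the server has not seen fails the sequence check before the body is even de-obfuscated, while the same packet with seq_no 1 decodes to its auth type and user.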
Re: ArubaOS-CX Tacacs authentication
02-26-2019 07:38 AM - edited 02-26-2019 07:42 AM
I just deployed the 10.02 OVA, and I'm having the same issue. If I do PAP, it sends two requests, but I can access the switch.
However, when I do CHAP, I do still see the request in Clearpass, it just can't categorize it. (I'm looking into that.) In the Access Tracker, do a filter for the NAD IP address, and see if it shows up.
Edit:
A quick google search and I came across this https://community.arubanetworks.com/t5/Security/Clearpass-and-Fortigate-TACACS-auth-fail/td-p/315220
It seems like CHAP might not be supported in Clearpass...
Re: ArubaOS-CX Tacacs authentication
02-26-2019 07:42 AM
@cwickline14 wrote: I just deployed the 10.02 OVA, and I'm having the same issue. If I do PAP, it sends two requests, but I can access the switch.
However, when I do CHAP, I do still see the request in Clearpass, it just can't categorize it. (I'm looking into that.) In the Access Tracker, do a filter for the NAD IP address, and see if it shows up.
Missing CHAP on the authentication method? (You use TACACS?)
I get the same issue with RADIUS (about the double request...), but it comes from the SSH server of ArubaCX... (for discovering the supported ciphers...).
Re: ArubaOS-CX Tacacs authentication
02-26-2019 07:44 AM
There isn't an option to choose authentication methods for TACACS services, unless I'm missing something.
Re: ArubaOS-CX Tacacs authentication
02-27-2019 03:14 AM
Found this post from one and a half years ago: https://community.arubanetworks.com/t5/Security/Clearpass-and-Fortigate-TACACS-auth-fail/td-p/315220
According to this article, TACACS+ with CHAP isn't supported on Clearpass.
Can't confirm if it's true, but this seems to match what we see.