New Contributor

Aruba wireless controller TACACS to Cisco ISE for admin authentication

Anyone have a how-to to configure an Aruba wireless controller admin authentication via TACACS to Cisco ISE?

MVP Guru

Re: Aruba wireless controller TACACS to Cisco ISE for admin authentication

 

I don't have access to ISE, but the workflow should be similar to what you should do with ClearPass to set up a TACACS+ service. That is described in the Tech Note "Configuring a TACACS+ Service", which can be found on the support website under ClearPass Tech Notes.

 

Then, what isn't in the Tech Note is the contents of the actual enforcement, as that is preconfigured in ClearPass.

 

To return the root role via TACACS+ you will need the following information:

[ArubaOS Wireless - TACACS Root Access]
Services:
    Privilege Level: 15
    Selected Services: 1. Aruba:Common
    Authorize Attribute Status: ADD
    Custom Services: -
Service Attributes:
       Type          Name             = Value
    1. Aruba:Common  Aruba-Admin-Role = root

 

 

For Read-only access: it is the same, but instead of root, return the value read-only:

       Type          Name             = Value
    1. Aruba:Common  Aruba-Admin-Role = read-only

Please share what you had to do if you are able to make this work.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
New Contributor

Re: Aruba wireless controller TACACS to Cisco ISE for admin authentication

I think the poster was looking more for CLI and/or WebUI sections for configuration. I have done the Cisco side a few times and I was hoping to find similar documentation, but AOS is slightly different, thus the hard time translating Cisco IOS to AOS.

******EDITED******

*****This is the correct model for authentication using Cisco ISE

******EDITED******

 

! Cisco IOS reference configuration
aaa new-model
aaa group server tacacs+ ISE
 server name ISE1
 server name ISE2
aaa authentication login default group tacacs+ local
! Server definition: address and shared key
tacacs server ISE1
 address ipv4 x.x.x.x
 key aruba

 

Aruba config ?

aaa authentication mgmt
    enable
    server-group ISE

aaa authentication-server tacacs ISE1
    enable
    host x.x.x.x
    key aruba
    session-authorization    ****** this is required for authorization

aaa authentication-server tacacs ISE2
    enable
    host x.x.x.x
    key aruba
    session-authorization    ****** this is required for authorization

aaa server-group ISE
    allow-fail-through
    auth-server ISE1 position 1
    auth-server ISE2 position 2
    auth-server internal position 3

 

 

******EDITED******

*****The correct TACACS profile for Authorization on Cisco ISE is captured in the attachments.*****  

Default builtin Aruba roles:

root                Super user role
read-only           Read only commands
location-api-mgmt   location-api-mgmt
network-operations  network-operations
guest-provisioning  guest-provisioning
no-access           Default role, no commands are accessible for this role

 

NOTES: DO NOT ADD THE ROOT ROLE TO YOUR ROOT USER. THIS WILL PASS AUTHENTICATION AND AUTHORIZATION BUT FAIL TO LOG YOU INTO THE DEVICE. KEEP IT WITH THE DEFAULT SETTINGS. USE THE "SHOW LOGINSESSIONS" COMMAND TO VERIFY YOU ARE ASSIGNED THE PROPER ROLE.

DON'T FORGET TO ADD YOUR TEST USER INTO THE USER GROUP ASSOCIATED WITH THE AUTHORIZATION.

******EDITED******
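
An added example, not part of the original posts: a Python check over an ArubaOS config in the stanza layout posted above. It verifies that management authentication is enabled, that every TACACS+ server in its server group carries session-authorization, and that the shared key is not a short placeholder such as the `key aruba` used in the thread. The sample config, the function names and the 16-character threshold are assumptions made for this example.

```python
MIN_KEY_LEN = 16  # assumption: local policy threshold, not an ArubaOS or ISE limit
# Constructed sample in the stanza layout of the post; key and names are placeholders.
SAMPLE = """\
aaa authentication mgmt
    enable
    server-group ISE
aaa authentication-server tacacs ISE1
    key aruba
    session-authorization
aaa authentication-server tacacs ISE2
    key aruba
aaa server-group ISE
    allow-fail-through
    auth-server ISE1 position 1
    auth-server ISE2 position 2
    auth-server internal position 3
"""

def parse_stanzas(text):
    """Map each unindented header line to the indented sub-commands below it."""
    stanzas, body = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw[0].isspace():
            body = stanzas.setdefault(raw.strip(), [])
        elif body is not None:
            body.append(raw.strip())
    return stanzas

def audit_mgmt_tacacs(text):
    """Return findings for the management-login TACACS+ settings discussed above."""
    st, findings = parse_stanzas(text), []
    mgmt = st.get("aaa authentication mgmt", [])
    if "enable" not in mgmt:
        findings.append("mgmt: authentication not enabled")
    group = next((l.split()[1] for l in mgmt if l.startswith("server-group ")), None)
    members = [l.split()[1] for l in st.get(f"aaa server-group {group}", [])
               if l.startswith("auth-server ")]
    for name in members:
        body = st.get(f"aaa authentication-server tacacs {name}")
        if body is None:  # internal database or a non-TACACS server
            continue
        if "session-authorization" not in body:
            findings.append(f"{name}: session-authorization missing")
        key = next((l.split(None, 1)[1] for l in body if l.startswith("key ")), "")
        if len(key) < MIN_KEY_LEN:
            findings.append(f"{name}: shared key shorter than {MIN_KEY_LEN} characters")
    return findings
```

Run it against a staged plain-text template; if the keys in the text you feed it are masked or encrypted, the length check no longer measures the real secret.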

 

 
