Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco DNA Center WebUI Login (TACACS)

  • 1.  Cisco DNA Center WebUI Login (TACACS)

    MVP
    Posted Jan 26, 2021 10:04 AM

    Hello,

    I'm trying to configure TACACS login using AD credentials to Cisco DNA Center using ClearPass, but struggling to get the correct syntax. In DNA Center's config it states - 


    "The value of the AAA attribute to be configured for authorization on AAA server would be in the format of "Role=role1". On ISE server, choose the cisco-av-pair attribute from cisco specific AAA attributes list. A sample configuration inside Authorization profile would look like "cisco-av-pair= Role=SUPER-ADMIN-ROLE".

    An example configuration in the case of manually defining the AAA attribute would be "Cisco-AVPair=Role=SUPER-ADMIN-ROLE"."


    I've tried using the Shell service with cisco-av-pair attribute and various values including the role name of "SUPER-ADMIN-ROLE" and the role value of "Role=role2" and simply just "role2". None of these combinations seemed to work, so I created a new TACACS service called "Cisco-AVPair" to match the same from DNA Center with Role attribute and value of both role name and number, but neither of those appear to work either. 

    Wondering if anybody set this up successfully or any suggestions on what I may be missing?

    Thanks in advance! 



    ------------------------------
    Michael Haring
    ------------------------------


  • 2.  RE: Cisco DNA Center WebUI Login (TACACS)

    Posted Jul 26, 2021 11:10 AM
    Michael,

    Did you ever resolve this?  I am able to auth TACACS just fine on all Cisco devices, but having a hell of a time getting the actual DNA Center to auth to ClearPass.  I've tried what you have, adding the Cisco-AVPair and confirming that "all shell commands not listed are permitted" is checked, however I'm still getting the following error message in ClearPass:

    --Authorization Requests Messages--
    *Command*--
    Error Message:  No enforcement profiles matched to perform command authorization
    Error Group:  Tacacs authorization
    *Alerts for this Request:*
    Tacacs server:  Tacacs service=cas-service not enabled


    I'm stumped but hopefully you figured out the proper settings and can save the day!  Thanks, and Happy Friday.

    -Chris

    ------------------------------
    Chris Chovanec
    ------------------------------



  • 3.  RE: Cisco DNA Center WebUI Login (TACACS)
    Best Answer

    MVP
    Posted Jul 26, 2021 03:48 PM
    Hi Chris,

    I was unable to get TACACS to work properly, so I transitioned the setup to use RADIUS instead. I was able to get this working with the following setup: Set "Radius:Cisco = Cisco-AVPair = Role=SUPER-ADMIN-ROLE".

    There are additional roles in DNA Center that can be setup, but we only leverage the one.

    I hope this helps!


    ------------------------------
    Michael Haring

    AirHeads MVP 2017, 2019-2021
    ------------------------------
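What the RADIUS enforcement profile above actually puts on the wire is a Vendor-Specific Attribute (RFC 2865 attribute 26) carrying Cisco's vendor ID 9 and the Cisco-AVPair sub-attribute (vendor type 1) with the string "Role=SUPER-ADMIN-ROLE". The following encoder/decoder is an added example, not code from the thread or from HPE Aruba; it is useful for checking a captured Access-Accept when DNA Center still refuses the login. The role-extraction helper assumes DNA Center reads the value exactly in the "Role=<name>" form quoted in the first post; how DNA Center treats other spellings is not documented here.

```python
"""Encode and decode the Cisco-AVPair RADIUS VSA that ClearPass sends for
Radius:Cisco = Cisco-AVPair = "Role=SUPER-ADMIN-ROLE".

Added example (not from the forum thread). Layout per RFC 2865 s5.26;
vendor ID 9 and vendor type 1 are the standard Cisco dictionary values.
"""
from __future__ import annotations

import struct

RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 attribute type
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1        # Cisco-AVPair in the Cisco VSA dictionary


def encode_cisco_avpair(value: str) -> bytes:
    """Build one Vendor-Specific attribute holding a single Cisco-AVPair."""
    data = value.encode("ascii")
    # vendor sub-attribute: vendor-type(1) vendor-length(1) string
    sub = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(data)) + data
    # outer attribute: type(1) length(1) vendor-id(4) sub-attribute
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_cisco_avpairs(attributes: bytes) -> list[str]:
    """Walk a RADIUS attribute list and return every Cisco-AVPair string.

    Non-VSA attributes and other vendors' VSAs are skipped; malformed
    lengths raise instead of being silently accepted.
    """
    out: list[str] = []
    pos = 0
    while pos < len(attributes):
        if len(attributes) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attributes[pos], attributes[pos + 1]
        if alen < 2 or pos + alen > len(attributes):
            raise ValueError("bad attribute length")
        payload = attributes[pos + 2:pos + alen]
        pos += alen
        if atype != RADIUS_VENDOR_SPECIFIC or len(payload) < 6:
            continue
        if struct.unpack("!I", payload[:4])[0] != CISCO_VENDOR_ID:
            continue
        # several vendor sub-attributes may be packed into one VSA
        vpos = 4
        while vpos < len(payload):
            if len(payload) - vpos < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = payload[vpos], payload[vpos + 1]
            if vlen < 2 or vpos + vlen > len(payload):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == CISCO_AVPAIR_TYPE:
                out.append(payload[vpos + 2:vpos + vlen].decode("ascii"))
            vpos += vlen
    return out


def dnac_role(avpairs: list[str]) -> str | None:
    """Return the value of the first 'Role=<name>' pair, as DNA Center's
    documentation quoted in the thread describes it (exact key match is
    an assumption of this example)."""
    for pair in avpairs:
        key, sep, val = pair.partition("=")
        if sep and key == "Role":
            return val
    return None


if __name__ == "__main__":
    vsa = encode_cisco_avpair("Role=SUPER-ADMIN-ROLE")
    print(vsa.hex())
    print(decode_cisco_avpairs(vsa), dnac_role(decode_cisco_avpairs(vsa)))
```

Run it stand-alone to see the hex you should find in a packet capture of the Access-Accept: `1a1d00000009 0117` followed by the ASCII of `Role=SUPER-ADMIN-ROLE` (outer length 29, sub-attribute length 23).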



  • 4.  RE: Cisco DNA Center WebUI Login (TACACS)

    Posted Sep 03, 2021 12:33 PM
    Was able to get TACACS working!

    Need to update the TACACS services dictionary with cas-service. 

    In the enforcement profile, services tab, I exported the current dictionary (link top right), added the following line into that XML, and then updated the dictionary with the updated XML.
        <TacacsServiceDictionary dispName="cas-service" name="cas-service"/>

    After that, I backed out of the enforcement profile and opened it back up.  Now under the services tab, I could select cas-service.  Then under the service attributes, I added cas-service with name "Cisco-AVPair" and value "Role=SUPER-ADMIN-ROLE"



    Cheers

    ------------------------------
    Nick Bb
    ------------------------------
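The ClearPass alert in the second post ("Tacacs service=cas-service not enabled") is exactly what the dictionary edit in the post above fixes: DNA Center asks for TACACS+ authorization under a service name that ClearPass does not know until `cas-service` is added. The script below is an added example, not from the thread or from HPE Aruba, that applies that edit to an exported dictionary in an idempotent way. The only element it relies on is the one shown in the post, `<TacacsServiceDictionary dispName="..." name="..."/>`; the wrapper elements in the constructed sample are placeholders, which is why the code finds the real parent at runtime instead of assuming its name.

```python
"""Add a TACACS+ service name (here "cas-service") to an exported
ClearPass TACACS service dictionary if it is not already present.

Added example, not the project's own tooling. Only the
TacacsServiceDictionary element is taken from the forum thread; the
surrounding wrapper elements in SAMPLE_EXPORT are assumptions.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ENTRY_TAG = "TacacsServiceDictionary"

# Constructed sample standing in for the exported XML. "shell" is the
# service used in the thread; the wrapper names are placeholders.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<TipsContents>
  <TacacsServiceDictionaries>
    <TacacsServiceDictionary dispName="shell" name="shell"/>
    <TacacsServiceDictionary dispName="pix-shell" name="pix-shell"/>
  </TacacsServiceDictionaries>
</TipsContents>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{uri}Tag' -> 'Tag'."""
    return tag.rsplit("}", 1)[-1]


def list_services(xml_text: str) -> list[str]:
    """Names of all TACACS+ services the dictionary currently defines."""
    root = ET.fromstring(xml_text)
    return [e.get("name", "") for e in root.iter() if _local(e.tag) == ENTRY_TAG]


def add_service(xml_text: str, name: str, disp_name: str | None = None) -> tuple[str, bool]:
    """Return (new_xml, changed). Re-running on the result is a no-op."""
    root = ET.fromstring(xml_text)
    entries = [e for e in root.iter() if _local(e.tag) == ENTRY_TAG]
    if not entries:
        raise ValueError("no TacacsServiceDictionary entries found; "
                         "is this the TACACS service dictionary export?")
    if any(e.get("name") == name for e in entries):
        return xml_text, False
    # ElementTree has no parent pointers; build a child->parent map so the
    # new entry lands beside the existing ones whatever the wrapper is called.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    last = entries[-1]
    new = ET.SubElement(parent_of[last], last.tag)  # same tag/namespace as siblings
    new.set("dispName", disp_name or name)
    new.set("name", name)
    # keep the file's indentation: the new last entry inherits the old
    # closing-tail, the previous one gets a sibling's inner tail
    new.tail = last.tail
    if len(entries) > 1:
        last.tail = entries[0].tail
    out = ET.tostring(root, encoding="unicode")
    if xml_text.lstrip().startswith("<?xml"):
        out = '<?xml version="1.0" encoding="UTF-8"?>\n' + out
    return out, True


if __name__ == "__main__":
    updated, changed = add_service(SAMPLE_EXPORT, "cas-service")
    print("changed:", changed)
    print(updated)
```

Feed the file exported from the enforcement profile's services tab to `add_service`, import the result back in ClearPass, then reopen the profile; `cas-service` should now be selectable, and the attribute `Cisco-AVPair` = `Role=SUPER-ADMIN-ROLE` goes under that service rather than under `shell`.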



  • 5.  RE: Cisco DNA Center WebUI Login (TACACS)

    Posted Jun 16, 2022 10:58 AM
    Also, in the DNA Center Users External Authentication settings, make sure that the AAA attribute is set to Cisco-AVPair.
    Set the correct attribute in DNA Center.