Hi Christian,
Sorry, I should have mentioned that this is a standalone Clearpass server that is only configured for TACACS auth.
It's not being sent anywhere beforehand; the server and switch sit on either side of a Checkpoint firewall, and my first check was making sure I saw TCP 49 destined only to the correct server IP, and I also see the response packets using tcpdump.
tcpdump -nni bond1.1023 port 49
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond1.1023, link-type EN10MB (Ethernet), capture size 262144 bytes
08:41:16.681980 IP 192.168.x.x.1068 > 192.168.y.y.49: Flags [S], seq 3047991437, win 16384, options [mss 1460], length 0
08:41:16.682655 IP 192.168.y.y.49 > 192.168.x.x.1068: Flags [S.], seq 906735252, ack 3047991438, win 29200, options [mss 1460], length 0
08:41:16.684004 IP 192.168.x.x.1068 > 192.168.y.y.49: Flags [.], ack 1, win 17520, length 0
08:41:16.689697 IP 192.168.x.x.1068 > 192.168.y.y.49: Flags [P.], seq 1:66, ack 1, win 17520, length 65
08:41:16.689853 IP 192.168.y.y.49 > 192.168.x.x.1068: Flags [.], ack 66, win 29200, length 0
08:41:16.690371 IP 192.168.y.y.49 > 192.168.x.x.1068: Flags [P.], seq 1:38, ack 66, win 29200, length 37
08:41:16.690376 IP 192.168.y.y.49 > 192.168.x.x.1068: Flags [F.], seq 38, ack 66, win 29200, length 0
08:41:16.691946 IP 192.168.x.x.1068 > 192.168.y.y.49: Flags [.], ack 39, win 17483, length 0
08:41:16.693085 IP 192.168.x.x.1068 > 192.168.y.y.49: Flags [F.], seq 66, ack 39, win 17483, length 0
08:41:16.693192 IP 192.168.y.y.49 > 192.168.x.x.1068: Flags [.], ack 67, win 29200, length 0
08:41:16.699349 IP 192.168.x.x.1069 > 192.168.y.y.49: Flags [S], seq 1679976846, win 16384, options [mss 1460], length 0
08:41:16.700101 IP 192.168.y.y.49 > 192.168.x.x.1069: Flags [S.], seq 3469137404, ack 1679976847, win 29200, options [mss 1460], length 0
08:41:16.701473 IP 192.168.x.x.1069 > 192.168.y.y.49: Flags [.], ack 1, win 17520, length 0
08:41:16.713638 IP 192.168.x.x.1069 > 192.168.y.y.49: Flags [P.], seq 1:64, ack 1, win 17520, length 63
08:41:16.713762 IP 192.168.y.y.49 > 192.168.x.x.1069: Flags [.], ack 64, win 29200, length 0
08:41:16.714296 IP 192.168.y.y.49 > 192.168.x.x.1069: Flags [P.], seq 1:75, ack 64, win 29200, length 74
08:41:16.714363 IP 192.168.y.y.49 > 192.168.x.x.1069: Flags [F.], seq 75, ack 64, win 29200, length 0
08:41:16.716359 IP 192.168.x.x.1069 > 192.168.y.y.49: Flags [.], ack 76, win 17446, length 0
08:41:16.722082 IP 192.168.x.x.1069 > 192.168.y.y.49: Flags [F.], seq 64, ack 76, win 17446, length 0
08:41:16.722212 IP 192.168.y.y.49 > 192.168.x.x.1069: Flags [.], ack 65, win 29200, length 0
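The capture above shows two separate TCP connections (source ports 1068 and 1069), each carrying one client payload and one server reply. To see what those payloads are without a full Wireshark session, the following added example (not from this thread or from Aruba) decodes the RFC 8907 TACACS+ header, reverses the MD5 body obfuscation with the shared secret, and classifies each packet as AUTHEN or AUTHOR. It then replays, as a simplified model and not ClearPass's real logic, the per-server check behind "Authorization request for unauthenticated user": an AUTHOR REQUEST arriving at a server that never processed the matching AUTHEN START. The key, session ids, user name and addresses are constructed values.

```python
"""Added example: decode TACACS+ (RFC 8907) packets and model the
'Authorization request for unauthenticated user' condition."""
import hashlib
import struct

# RFC 8907 section 4.1: 12-byte header, all fields network byte order.
HEADER = struct.Struct(">BBBBII")  # version, type, seq_no, flags, session_id, length
TYPE_NAMES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
FLAG_UNENCRYPTED = 0x01
FLAG_SINGLE_CONNECT = 0x04
VERSION_12_0 = 0xC0  # major 12, minor 0


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated, truncated."""
    seed = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port=b"tty0", rem_addr=b"192.0.2.10"):
    """AUTHEN START (section 5.1): action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN."""
    return bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0]) + user + port + rem_addr


def author_request_body(user, args, port=b"tty0", rem_addr=b"192.0.2.10"):
    """AUTHOR REQUEST (section 6.1): authen_method=TACACSPLUS(6), arg lengths, strings, args."""
    fixed = bytes([6, 1, 1, 1, len(user), len(port), len(rem_addr), len(args)])
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def build_packet(ptype, seq_no, session_id, body, key, flags=0):
    version = VERSION_12_0
    data = body if flags & FLAG_UNENCRYPTED else obfuscate(body, session_id, key, version, seq_no)
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + data


def parse_packet(packet, key):
    """Decode the header and body; pull the user out of a first-sequence START/REQUEST body.
    With the wrong shared secret the body decodes to garbage, which is itself a diagnostic."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ body")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    user = None
    if ptype in (1, 2) and seq_no == 1:
        user_len = body[4]
        offset = 8 + (body[7] if ptype == 2 else 0)  # REQUEST carries arg_cnt length bytes first
        user = body[offset:offset + user_len].decode("ascii", "replace")
    return {
        "version": version, "type": TYPE_NAMES.get(ptype, ptype), "seq_no": seq_no,
        "single_connect": bool(flags & FLAG_SINGLE_CONNECT),
        "unencrypted": bool(flags & FLAG_UNENCRYPTED),
        "session_id": session_id, "length": length, "user": user,
    }


class TacacsServerState:
    """Simplified model (an assumption, not ClearPass's real implementation):
    a server only authorizes users whose authentication it processed itself."""

    def __init__(self, name):
        self.name = name
        self.authenticated = set()

    def handle(self, packet, key):
        p = parse_packet(packet, key)
        if p["type"] == "AUTHEN":
            self.authenticated.add(p["user"])
            return "authenticated user=%s" % p["user"]
        if p["type"] == "AUTHOR":
            if p["user"] in self.authenticated:
                return "authorized user=%s" % p["user"]
            return "WARN Authorization request for unauthenticated user=%s" % p["user"]
        return "ignored"


def demo():
    key = b"example-shared-secret"  # constructed, not a real secret
    sid = 0x1234ABCD                  # constructed session id
    start = build_packet(1, 1, sid, authen_start_body(b"alice"), key)
    author = build_packet(2, 1, sid + 1,
                          author_request_body(b"alice", [b"service=shell", b"cmd*"]), key)
    cppm_a, cppm_b = TacacsServerState("cppm-a"), TacacsServerState("cppm-b")
    # Same server for both steps: fine. Authorization hitting a second server: the warning.
    return [cppm_a.handle(start, key), cppm_a.handle(author, key), cppm_b.handle(author, key)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Applied to the capture above, the header's length field tells you whether the 65- and 63-byte payloads are each one complete TACACS+ packet (12-byte header plus the length field), the type field tells you which connection is the authentication and which the authorization, and the single-connect flag tells you whether the device asked to reuse one TCP session or, as the two separate SYN/FIN exchanges suggest, opens a new connection per request. A body that decodes to garbage on a standalone server points at a shared-secret mismatch rather than at the multi-server case Christian describes.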
Original Message:
Sent: Aug 12, 2022 01:59 AM
From: Christian Chautems
Subject: Clearpass Policy Manager 6.10 Custom TACACS Dictionaries file
Hello,
Normally you get this message when the Tacacs authorization message is received by a different Clearpass server than the one that processed the authentication.
This can also happen with long-lasting SSH sessions after a reboot of the CPPM servers.
If the device is sending the Tacacs request to any of the servers instead of always using the same one, use a VIP IP for Tacacs.
Kind regards
Christian
Original Message:
Sent: Aug 11, 2022 07:19 AM
From: Luke Roberts
Subject: Clearpass Policy Manager 6.10 Custom TACACS Dictionaries file
Hi,
Apologies if this is a dumb question; Clearpass is not the strongest of the platforms I work on.
We use Clearpass as a TACACS server for all of our switches and Aruba controllers. We have profiles configured for Aruba MM and MD which work fine, and a profile for Extreme Networks devices which also works fine.
I have a new manufacturer of industrial Ethernet switches which can use TACACS and works fine using a free TACACS server (as a test); however, I am unable to get the Clearpass server to authenticate the requests from these devices. Instead of an entry in the Access Tracker for each attempt, I see an entry in the Event Viewer:
Source | TacacsServer |
Level | WARN |
Category | Request |
Action | Failed |
Timestamp | Aug 11, 2022 10:44:30 BST |
Description | Authorization request for unauthenticated user=****; NAD=192.168.***.*** |
Is this due to the lack of a TACACS dictionary file for the vendor? If so, is it possible to create a custom dictionary XML and deduce the value of the service attribute?
<ServiceAttribute dataType="String" dispName="*****" name="*****"/>
Sorry if this is a dumb question; I'm just not having much luck with the resources I've tried so far.
Many Thanks