Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM AdminUI via Cisco ISE TACACS+

  • 1.  CPPM AdminUI via Cisco ISE TACACS+

    Posted 13 days ago

    I encountered the error "RADIUS type Authentication Source is not supported" while creating the service for AdminUI TACACS+ authentication via ISE, using RADIUS as my source. I'm creating this post to show how I managed to integrate CPPM AdminUI login with Cisco ISE.  

     

    On ClearPass 6.8.x

     - Created a TokenServer authentication source with RADIUS as the protocol
     - Copied the [Policy Manager Admin Network Login Service], renamed it, and moved it to the top of the service order
     - Modified the copied service to use my TokenServer as the authentication and authorization source
     - Selected [Admin User Repository] as an additional authorization source
     - Created my role mapping and enforcement policies, e.g. "(Authorization:[Admin User Repository]:Role_Name EQUALS Super Administrator) [TACACS+ Super Admin]"
     - Saved

    On Cisco ISE 3.1.x

     - Added the CPPM IPs to "Network Devices"
     - Under "TACACS Authentication Settings", selected "Enable Single Connect Mode" and "Legacy Cisco Device"
     - Under "Policy Elements" > "TACACS Profiles", used the following "Generic" attributes:
       - MANDATORY [Service] "cpass"
       - MANDATORY [Protocol] "http"
       - MANDATORY [AdminPrivilege] "Super Administrator"

    Note: You must configure all the other ISE "Device Admin Policy Sets" settings, and create a separate policy for each role you are using in ClearPass.

    Let me know if you have an alternative method for this.

    Hope this helps, guys.

    Attachments: SourceImage1, Source2, Policy1, Policy2, ise
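The RADIUS leg of the setup above, as an added example that is not part of the post: a ClearPass RADIUS Token Server source is simply a RADIUS client that sends ISE a PAP Access-Request and acts on the Access-Accept or Access-Reject, and the shared secret entered for the CPPM IPs under ISE "Network Devices" is what ties the two ends together. This Python models both sides offline (RFC 2865 PAP password hiding and Response Authenticator, RFC 2869 Message-Authenticator). The secret, user, password and NAS address are constructed values, and the function names are my own, not a ClearPass or ISE API.

```python
"""RADIUS PAP Access-Request / Access-Accept exchange (RFC 2865, RFC 2869).

Added example, not from the forum post: a model of what a ClearPass RADIUS
Token Server source sends to ISE and how each side checks the other using
the shared secret. Secret, user, password and NAS address are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

SHARED_SECRET = b"s3cretShared"          # constructed; configured on both sides
USERS = {"netadmin": "CorrectHorse"}     # constructed stand-in for the ISE identity store
NAS_IP = bytes([192, 0, 2, 10])          # constructed CPPM address


def _attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value


def _parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def pap_encrypt(password, secret, req_auth):
    """RFC 2865 5.2: zero-pad to 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def pap_decrypt(cipher, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = cipher[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, block))
    return out.rstrip(b"\x00")


def _with_msg_auth(code, ident, auth_field, attrs, secret):
    """Append Message-Authenticator (RFC 2869 5.14): HMAC-MD5 over the packet with the
    attribute zeroed and the Request Authenticator in the authenticator slot."""
    body = attrs + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + auth_field
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return attrs + _attr(MESSAGE_AUTHENTICATOR, mac)


def _msg_auth_ok(packet, auth_field, secret):
    attrs, i = packet[20:], 0
    while i + 2 <= len(attrs):
        t, l = attrs[i], attrs[i + 1]
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = attrs[:i + 2] + b"\x00" * 16 + attrs[i + 18:]
            calc = hmac.new(secret, packet[:4] + auth_field + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(calc, attrs[i + 2:i + 18])
        if l < 2:
            return False
        i += l
    return False  # no Message-Authenticator present: treat as unauthenticated


def build_access_request(ident, username, password, secret, req_auth=None):
    """Client side (the Token Server source): PAP request plus Message-Authenticator."""
    req_auth = req_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, req_auth))
             + _attr(NAS_IP_ADDRESS, NAS_IP))
    attrs = _with_msg_auth(ACCESS_REQUEST, ident, req_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(packet, secret, users):
    """Server side (ISE): verify the request, check PAP credentials, answer Accept/Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    if not _msg_auth_ok(packet, req_auth, secret):
        raise ValueError("bad Message-Authenticator: wrong shared secret or forgery")
    fields = dict(_parse_attrs(packet[20:]))
    user = fields.get(USER_NAME, b"").decode("utf-8", "replace")
    pw = pap_decrypt(fields.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user in users and hmac.compare_digest(pw, users[user].encode())
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    attrs = _with_msg_auth(code, ident, req_auth, b"", secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()  # RFC 2865 3
    return header + resp_auth + attrs


def client_verify_response(response, request, secret):
    """Client side: act on the verdict only if both authenticators check out."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("response does not match request")
    req_auth = request[4:20]
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator")
    if not _msg_auth_ok(response, req_auth, secret):
        raise ValueError("bad Message-Authenticator")
    return code


if __name__ == "__main__":
    req = build_access_request(7, "netadmin", "CorrectHorse", SHARED_SECRET)
    resp = server_handle(req, SHARED_SECRET, USERS)
    print("verdict:", client_verify_response(resp, req, SHARED_SECRET))  # 2 = Access-Accept
```

Two things worth noticing when debugging a Token Server source that "just rejects": if the secret on the ISE network-device entry does not match the one on the ClearPass source, the server-side check fails on the Message-Authenticator before it ever decodes the password, and a response whose code has been altered in transit fails the client-side Response Authenticator check, so a plain Reject can not be flipped to an Accept without the secret.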


  • 2.  RE: CPPM AdminUI via Cisco ISE TACACS+

    Posted 13 days ago

    Thanks for the write-up. I'm curious about the use case, though. Why both ISE and ClearPass? Why not just let ClearPass handle its own admin login?




  • 3.  RE: CPPM AdminUI via Cisco ISE TACACS+

    Posted 13 days ago

    Well, in our case we use CPPM for the wireless enclave and ISE for wired, and that choice was due to DNA, SDA and other requirements. We also needed to have MFA, and our CPPM could not get direct access to the MFA provider. 




  • 4.  RE: CPPM AdminUI via Cisco ISE TACACS+

    Posted 13 days ago
    Got it, just curious.




  • 5.  RE: CPPM AdminUI via Cisco ISE TACACS+

    MVP
    Posted 12 days ago

    In our lab, we have a deployment of DNA using CPPM. We have ISE just as, basically, a RADIUS proxy to DNA, I think.

    We are currently preparing to roll this out to production. 

    We have used CPPM as our main authentication server since Aruba bought Avenda eTIPS.

    BTW, the Aruba admin login uses TACACS+, not RADIUS.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 6.  RE: CPPM AdminUI via Cisco ISE TACACS+

    Posted 12 days ago

    Hi Bos,

    Yeah, that is correct: the ISE policy protocol is TACACS+, but for my workaround I'm using a RADIUS Token Server as my source.




  • 7.  RE: CPPM AdminUI via Cisco ISE TACACS+

    MVP
    Posted 12 days ago

    A RADIUS Token Server accepts an accept/reject from a different RADIUS server. What server is that? ClearPass makes a TACACS+ request. For our TACACS+ devices, including Cisco switches, we use LDAPS to Active Directory as the auth source for username & password.

    This appears to be an ISE question more than a ClearPass one.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University
    ------------------------------