Aruba Clearpass TACACS AAA with AD Auth to login to Cisco devices

Hi,

I'm trying to create an AAA deployment for Cisco switch/router access for users and a service account for DNA Center and not sure where to start. Basically, I want users to be able to log in to Cisco devices using TACACS auth (via ClearPass querying AD); users can then "enable" using our enable password (currently hardcoded in the Cisco devices using enable secret, not sure if there is a better way for this).

If the TACACS server is unreachable, access should default to local, as we have an admin account hardcoded locally in the devices.

However, our DNA service account should login to Cisco devices in enabled mode already.

Currently this is what is in the config:

aaa new-model
!
!
aaa authentication login default group tacacs+ local enable
!
!

line vty 0 15
session-timeout 15
exec-timeout 15 0
logging synchronous
transport input telnet ssh

Aruba TACACS is passing privilege level 15 in the service profile, and I am not sure if I should create a separate service profile for users with non-priv-level-15 and a service profile for service accounts with priv level 15.

Any help is appreciated


12 Replies

Arne Bier
VIP

When onboarding Network Devices into the DNAC Inventory, I find it's best to create an Authentication credential in DNAC (Design / Network Settings / Device Credentials / CLI) - I call it a DNAC Service Account - and then create that account on all network devices as a local account, with priv 15.  That is what I do to onboard a device into DNAC (before the switch even has TACACS+ configured). In addition, your TACACS+ server should be able to authenticate Network Devices with this same username/password (either via local server account, or AD etc.) - once the Network Device is onboarded, DNAC will log into these devices with the same username/password, and then your TACACS+ server will handle that Auth.  Also, if you nuke the aaa config on your Network Devices, you can still log into them using the DNAC service account.  


On a fresh IOS-XE device, I always add the username and get SSH set up - routers/switches can vary in how this is done, but some of the common steps are:

conf t
ip domain name my.domain.local
! create a SSH key pair
crypto key generate rsa modulus 2048
! create local account
username SVC_DNAC privilege 15 password MySecret123
!
ip ssh version 2
! Sometimes this is needed too
line vty 0 15
  login local


Here is what DNAC would provision (plus my own additions, which are the per-command accounting and command authorization):

aaa group server tacacs+ dnac-network-tacacs-group
 server name dnac-tacacs_172.22.131.174
 server name dnac-tacacs_172.22.131.175
 timeout 1
aaa authentication login VTY_authen group dnac-network-tacacs-group local
aaa authorization exec VTY_author group dnac-network-tacacs-group local if-authenticated
aaa authorization commands 0 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization commands 1 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization commands 15 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization configuration VTY_author group dnac-network-tacacs-group
aaa accounting exec default start-stop group dnac-network-tacacs-group
aaa accounting commands 0 default start-stop group dnac-network-tacacs-group
aaa accounting commands 1 default start-stop group dnac-network-tacacs-group
aaa accounting commands 15 default start-stop group dnac-network-tacacs-group
ip tacacs source-interface GigabitEthernet1
!
tacacs server dnac-tacacs_172.22.131.174
 address ipv4 172.22.131.174
 key 0 <TACACS_shared_Secret>
 timeout 1
 single-connection
!
tacacs server dnac-tacacs_172.22.131.175
 address ipv4 172.22.131.175
 key 0 <TACACS_shared_Secret>
 timeout 1
 single-connection

DNAC will also modify the line vty:

line vty 0 4
 authorization commands 0 VTY_author
 authorization commands 1 VTY_author
 authorization commands 15 VTY_author
 authorization exec VTY_author
 login authentication VTY_authen
 transport input ssh


You mean onboard via day 0 template? The network devices are already in the network hierarchy, so I am not onboarding new devices to DNAC.

Oh right. Your initial config snippet looks nothing like what a DNAC provisioned device would get. You might have added those devices to DNAC but it doesn’t look like you have provisioned those devices. Otherwise your configs would look more like mine.

I always return priv15 for all users. Even read only users. Why? Because commands like “show run” need priv 15 and if you want a read only user to see the config then you must return priv 15. I lock down access with command authorization. You can be very fine grained with per command authorisation in TACACS.

Devices were added via discovery without device controllability or telemetry turned on. I can provision commands using template hubs, so there is no problem there.

I noticed you use aaa authentication login VTY_authen group dnac-network-tacacs-group local vs aaa authentication login default group tacacs+ local enable. Looks like they do the same thing? Authorizes EXEC sessions on VTY lines using the TACACS+ server group, with local fallback if authenticated. -> Does this directly put the user to priv 15 or just allow the user to issue the enable command? Same with this aaa authorization exec VTY_author group dnac-network-tacacs-group local if-authenticated and aaa authorization exec default local commands.

What are you trying to do with these commands below?

aaa authorization commands 0 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization commands 1 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization commands 15 VTY_author group dnac-network-tacacs-group if-authenticated

aaa authorization configuration VTY_author group dnac-network-tacacs-group

Maybe for now I'll just focus on setting up TACACS for our network engineers to log in to vty lines using TACACS, be able to issue the enable command, and fall back to local auth if the TACACS server is unavailable. Would I be able to accomplish that if I took snippets from your config? Thanks so much.

I'll tackle each question below:

"I noticed you use aaa authentication login VTY_authen group dnac-network-tacacs-group local vs aaa authentication login default group tacacs+ local enable.. looks like they do the same thing"

DNAC makes use of 'method lists' (the VTY_authen  is a method list) - it's like a tag that links the "line vty/con/aux" configs to individual aaa statements. It can be hard to read, and by default, IOS doesn't use them - the "line vty/con/aux" implicitly use no method lists - hence, in the aaa statements, you refer to that as 'default'.  DNAC doesn't give you a choice when you provision devices, and if those devices are in the Network Hierarchy that contains RADIUS/TACACS+ settings - those are pushed to the device being provisioned - along with anything else that applies at that Hierarchy (such as DNS, NTP, Timezone, MOTD, etc.)

The very last argument in the aaa command (either 'local' or 'enable') tells the IOS what happens when the aaa servers are not responding:

  • local - authenticate using a local account (username/password) that exists on the device
  • enable - authenticate using the enable password on that device

The aaa authorization exec tells you what happens AFTER the authentication step, and takes the PrivLvl from the AAA server response. If ISE returns '1' then you end up on the '>' prompt and need to elevate using the enable X command.  I don't recall what happens next, because I don't use the enable mode of working - but I think the IOS will request aaa authentication to the server to request the elevation.  Like I said, I issue Priv15 to everyone, and then just lock down the commands that each role (SuperAdmin, JuniorAdmin, ReadOnly) can perform.

aaa authorization commands X tells IOS that while you are in the exec shell, EVERY command you issue (that is associated with a priv level ... 0,1,15 etc) will cause an aaa request to the server - that is how ISE can control what command each user can, and cannot issue.  But some commands don't relate to a priv level - I have never seen this list, but I think commands like "who" don't cause an aaa event.

My recommendation is to do some testing in a lab. If you have a lab ... Cisco CML or GNS3/Eve-NG and an ISE node then you can test all these scenarios. If not, then take one IOS device that you can always reach physically (console cable) and have a play with all of these options.


Hi Arne

Makes perfect sense. I don't have ISE, I have Aruba ClearPass TACACS+; it can pass any privilege level, but I'm not sure how I can replicate locking down commands on a per-role basis, and whether copying your command auth statements will work.

line vty 0 15

privilege 15 <<- this makes it use only authc by ClearPass, and if authc succeeds it will get level 15
session-timeout 15
exec-timeout 15 0
logging synchronous
transport input telnet ssh

That doesn't matter, I think, as Aruba ClearPass can pass priv 15 under enforcement profiles -> priv level -> selected services = shell.

But you don't configure authz exec under vty, so vty does not use the priv sent by TACACS.

MHM

AAA is a client server protocol. That means, the server (ISE/Clearpass) does nothing, until a client (e.g. IOS) sends a request to it. Therefore, the client needs certain config (I have provided you what DNAC pushes to Catalysts, plus some additional commands), and the Server needs config. But we have not discussed the Server config. Since this is a Cisco forum, I won't go into how Clearpass is configured - you can research that on Airheads.  I have configured both and I find the Aruba more complex to configure than ISE. But they do the same thing.

TACACS+ happens in three distinct AAA stages - Authentication, Authorization, Accounting.

When the user logs into IOS and presses enter on the username+password, the IOS sends an Authentication request to the server. The server checks only the Username and Password - it sends back a simple 'Yes' / 'No'.

Once that is done, if it was a 'Yes', the IOS will have authenticated the user. But the user is not on the CLI yet - IOS performs authorization for the exec (CLI shell). IOS will ask the server to authorize that user - because I have an ISE Authorization Rule that says what a SuperAdmin priv level is, when I login, ISE returns this: (there are many different attributes, but these are the basic ones I return:) -and by the way, I return this for other users too, like Read-Only users. More on that later ...

ArneBier_0-1733426230436.png

Now the user is on the '#' prompt.

What happens next, depends on how you have configured your IOS. Do you want EVERY command to be authorized as well?  If yes (e.g. for RBAC reasons), the IOS "aaa authorization commands" do just that - but - it must be done for every priv level possible. In my experience, even though you are authorized to priv15, some commands you enter, are lower priv - therefore, to catch those, cater for priv0,1,15 commands.

Going back to ISE config, in the TACACS+ Policy Set I made two Authorization scenarios - super admins, and readonly admin - here is what it looks like in ISE (Clearpass does the same thing, but looks different):

ArneBier_2-1733427966052.png


The Command Set configs in ISE show what my Read-Only user gets:

ArneBier_1-1733427877054.png

When I log in as the user 'arne', my experience is as follows:

ArneBier_3-1733428090917.png

And you can see ISE is authorizing every command I type:

ArneBier_4-1733428232657.png


To prove my point about Priv0 and Priv1 being required to make this work, I removed the following commands from the IOS:

ArneBier_5-1733428515930.png

Remember that I am still in Priv 15:

ArneBier_6-1733428553731.png

But since I am no longer authorizing the priv0/1 commands, I can suddenly issue them as user 'arne', even though my TACACS+ server has rules to not allow this - the reason is simple - IOS no longer makes those requests to the server. The command 'who' is not allowed in my TACACS+ server, but the user can now execute it:

ArneBier_7-1733428673894.png

Command authorization has less to do with what Priv Level I gave the user, but it's more concerned with what Priv Level the command is, that I have just entered into the shell.  I have yet to see a complete listing (or a command in IOS) that shows what priv level is needed for which command.

test, test, and then test again!


Hi Arne,

Thank you for the detailed explanation. You mentioned you did something similar with ClearPass? We don't have a test lab to do these tests, we only have prod. Anyway, do you have a template or probably a guide/documentation that you can share that I could probably start with to integrate this with ClearPass, copying the behaviour you have implemented in ISE? Thanks.

Arne Bier
VIP

I don't have a Clearpass system. You can build all this in a lab environment - Clearpass doesn't need much in terms of RAM and CPU, and the IOS stuff can be emulated in Cisco CML (highly recommend that!) or GNS3/Eve-NG.  In fact, if you can download CSR1000v or 8000v from software.cisco.com, then you can load that into your Hypervisor (e.g. ESXi) and have that talk to your Clearpass Lab VM.

Failing that ... the first google search for "clearpass tacacs" hit that came up with this.