HPE Aruba CPPM user authentication from Cisco ISE using TACACS

CSCO12938204
Level 1

Hi Experts - We are using ISE as a TACACS server to authenticate different vendor devices, and I am looking for expert assistance to configure ISE for authentication of an Aruba CPPM server using the TACACS protocol.

The requirement is:

User A - should have Read-Write access to the CPPM Server.

User B - should have Read-only access to the CPPM Server.

User C - should have Read-Write access to a specific TAB/part of the server and Read-only access to the rest of the things.

I am not sure what shell profile and command set should be on ISE and what attributes need to match against the request. Any document reference or suggestion will be a great help.

Please help ASAP. Thanks in advance.

9 Replies

CSCO12938204
Level 1

How can I configure Cisco ISE to match this attribute "cpass:HTTP > AdminPrivilege = Super Administrator"?

I am configuring it but it seems it is not talking. Probably I am doing something wrong. Can someone please confirm the way of doing it?

hslai
Cisco Employee

@hslai I tried the same but still have the same issue. I am getting an "Invalid username and Password specified" error. However, I am seeing successful authentication logs on ISE but am not able to log in to the CPPM GUI. I believe this is an issue with the Authorization policy.

CSCO12938204
Level 1

Below is the link given...This is exactly the same issue I am facing. Much appreciated if someone can help to fix this.

CPPM AdminUI via Cisco ISE TACACS+ | Security (arubanetworks.com)

hslai
Cisco Employee

Try like this, perhaps.

[Screenshot attached: Screen Shot 2021-08-25 at 10.02.01 PM.png]

@hslai Still not working. Tried all permutations and combinations.

Just to close the loop on this, it looks like someone found a solution here:

ISE with Aruba Clearpass TACACS 

@Greg Gibbs I tried with the same parameters but it is not working for me. If I look into the packet capture, I can see an Authorization query being sent by the CPPM server, but ISE is not sending an Authorization response. Instead it is sending an RST packet back to the CPPM server.

I think I know the reason but I don't know the solution. Below are my findings from the packet capture:

-> Once the Authentication part is completed, ISE has sent the FIN + ACK packet to the CPPM server.

-> The 8th packet is from the CPPM server as an Acknowledgement.

-> But in the 9th packet CPPM is sending the Authorization query on the same port channel, which is already closed by ISE. That is the reason ISE is doing RST in the 10th packet. Ideally the 9th should be a FIN + ACK from the CPPM server and then the 10th packet would be an ACK from ISE.

As per my understanding, for authorization, communication will happen on a different port channel. Please correct me if I am wrong.

Can someone give some insight on this. Thanks.
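Both technical points in this thread, how the `cpass:HTTP > AdminPrivilege` attribute travels back to CPPM and why CPPM's authorization query on the connection ISE already closed draws an RST, come down to what is on the TACACS+ wire. The following is an added Python example, not code from this thread, from Cisco or from Aruba, that builds and decodes a TACACS+ authorization REPLY exactly as RFC 8907 lays it out (12-byte header, MD5 pseudo-pad body obfuscation, status/arg_cnt/server_msg/args body) and checks the SINGLE_CONNECT flag negotiation from section 4.3 of that RFC. The shared secret, session id and the AV-pair spelling `service=cpass:HTTP` / `AdminPrivilege=Super Administrator` are constructed assumptions modelled on the thread's attribute string, not a verified ISE or CPPM dictionary encoding.

```python
"""Decode/build TACACS+ (RFC 8907) authorization REPLY packets from constructed bytes.
Added illustration; shared secret, session id and attribute encoding are assumptions."""
import hashlib
import struct
from dataclasses import dataclass

# Packet types and header flags (RFC 8907 section 4.1)
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
TAC_PLUS_MAJOR_VER = 0xC
# Authorization REPLY status values (RFC 8907 section 6.2)
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
HEADER_LEN = 12


@dataclass
class Header:
    version: int
    type: int
    seq_no: int
    flags: int
    session_id: int
    length: int

    def pack(self) -> bytes:
        return struct.pack("!BBBBII", self.version, self.type, self.seq_no,
                           self.flags, self.session_id, self.length)

    @property
    def single_connect(self) -> bool:
        return bool(self.flags & TAC_PLUS_SINGLE_CONNECT_FLAG)


def parse_header(data: bytes) -> Header:
    if len(data) < HEADER_LEN:
        raise ValueError("truncated TACACS+ header")
    return Header(*struct.unpack("!BBBBII", data[:HEADER_LEN]))


def pseudo_pad(hdr: Header, key: bytes, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate."""
    seed = struct.pack("!I", hdr.session_id) + key + bytes([hdr.version, hdr.seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(hdr: Header, body: bytes, key: bytes) -> bytes:
    """XOR the body with the pseudo-pad; XOR is its own inverse, so this also de-obfuscates."""
    if hdr.flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(hdr, key, len(body))))


def build_author_reply(status: int, args: list[str], server_msg: str = "") -> bytes:
    """Authorization REPLY body: status, arg_cnt, server_msg_len, data_len, arg lens, msg, args."""
    arg_bytes = [a.encode() for a in args]
    if any(len(a) > 255 for a in arg_bytes):
        raise ValueError("TACACS+ argument longer than 255 bytes")  # arg lengths are one byte
    msg = server_msg.encode()
    body = struct.pack("!BBHH", status, len(arg_bytes), len(msg), 0)
    return body + bytes(len(a) for a in arg_bytes) + msg + b"".join(arg_bytes)


def parse_author_reply(body: bytes) -> tuple[int, str, list[str]]:
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt]); off += arg_cnt
    server_msg = body[off:off + msg_len].decode(); off += msg_len
    off += data_len  # administrative data field, not needed here
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode()); off += n
    return status, server_msg, args


def decode_packet(raw: bytes, key: bytes) -> tuple[Header, bytes]:
    hdr = parse_header(raw)
    body = raw[HEADER_LEN:HEADER_LEN + hdr.length]
    if len(body) != hdr.length:
        raise ValueError("truncated TACACS+ body")
    return hdr, obfuscate(hdr, body, key)


def single_connect_negotiated(client_first: Header, server_first: Header) -> bool:
    """RFC 8907 section 4.3: the TCP connection may carry further sessions (e.g. the
    authorization session after authentication) only if the client's first packet AND
    the server's first reply both set SINGLE_CONNECT; otherwise the server closes the
    connection after the session and a new session on the old socket is refused."""
    return client_first.single_connect and server_first.single_connect


KEY = b"example-shared-secret"  # constructed; never the real ISE/CPPM shared secret
# Assumed AV-pair encoding modelled on the thread's "cpass:HTTP > AdminPrivilege" string
SAMPLE_ARGS = ["service=cpass:HTTP", "AdminPrivilege=Super Administrator"]


def sample_author_reply(flags: int = 0) -> bytes:
    """Constructed server reply: authorization session, seq_no 2 (the request is seq_no 1)."""
    body = build_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, SAMPLE_ARGS)
    hdr = Header((TAC_PLUS_MAJOR_VER << 4) | 0, TAC_PLUS_AUTHOR, 2, flags, 0x1A2B3C4D, len(body))
    return hdr.pack() + obfuscate(hdr, body, KEY)


def decode_sample(flags: int = 0) -> tuple[Header, tuple[int, str, list[str]]]:
    hdr, body = decode_packet(sample_author_reply(flags), KEY)
    return hdr, parse_author_reply(body)


if __name__ == "__main__":
    hdr, (status, msg, args) = decode_sample()
    print(hex(status), args, "single-connect:", hdr.single_connect)
```

Run against a real capture, the same parser (fed the shared secret) shows whether the server's authorization reply ever left the socket and what AV pairs it carried, which is the check the "not talking" symptom above needs. The `single_connect_negotiated` check is the protocol-level version of the FIN/RST observation: when that flag is not set by both sides, each session needs its own TCP connection, and an authorization request sent on the connection the server just closed is exactly what produces the RST described in the capture.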