Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3220
Views
15
Helpful
9
Replies

HPE Aruba CPPM user authentication from Cisco ISE using TACACS

CSCO12938204
Level 1
Level 1

‎08-23-2021 07:05 AM - edited ‎08-23-2021 07:13 AM

Hi Experts - We are using ISE as TACACS server to authenticate different vendor devices and I am looking forward for expert assistance to configure ISE for authentication of Aruba CPPM server using TACACS protocol. 

 

Requirement is : 

 

User A - should have Read-Write access to CPPM Server.

User B - Should have Read only access to CPPM Server

User C - Should have Read-Write access to specific TAB/Part of the server and Read only access to rest of the things

 

I am not sure what shell profile and Command set should be on ISE and what attributes needs to match against the request. Any document reference or suggestion will be great help.

 

Please help ASAP. Thanks in advance. 

 

 

0 Helpful
9 Replies 9

CSCO12938204
Level 1
Level 1

‎08-24-2021 11:10 AM

How can i configure Cisco ISE to match this attribute "cpass:HTTP > AdminPrivilege = Super Administrator"

I am configuring it but it seems it is not talking. probably i am doing something wrong. Can someone please confirm the way of doing it. 

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎08-24-2021 05:30 PM

From https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=19839, my guess is like this:

Screen Shot 2021-08-24 at 5.28.18 PM.png

 

0 Helpful

CSCO12938204
Level 1
Level 1
In response to hslai

‎08-25-2021 07:04 AM

@hslai I tried same but still same issue. I am getting Invalid username and Password specified error. However i am seeing successful authentication logs on ISE but not able to login CPPM GUI. I believe this is a issue with Authorization policy.

 

 

0 Helpful

CSCO12938204
Level 1
Level 1

‎08-25-2021 08:33 AM - edited ‎08-25-2021 09:34 AM

Below is the link given...This is exactly the same issue i am facing. Much appreciated If someone can help to fix this

CPPM AdminUI via Cisco ISE TACACS+ | Security (arubanetworks.com)

hslai
Cisco Employee
Cisco Employee

‎08-25-2021 10:03 PM

Try like this, perhaps.

Screen Shot 2021-08-25 at 10.02.01 PM.png

0 Helpful

CSCO12938204
Level 1
Level 1
In response to hslai

‎08-25-2021 11:59 PM

@hslai Still not working. Tried with all permutation and combination. 

Greg Gibbs
Cisco Employee
Cisco Employee
In response to CSCO12938204

‎08-26-2021 03:22 PM

Just to close the loop on this, it looks like someone found a solution here:

ISE with Aruba Clearpass TACACS 

0 Helpful

CSCO12938204
Level 1
Level 1
In response to Greg Gibbs

‎08-27-2021 09:43 AM

@Greg Gibbs I tried with same parameters but it is not working for me. If i am looking into packet capture, i can see Authorization query is being sent by CPPM server but ISE is not sending Authorization response. Instead it is sending RST packet back to CPPM server. 

0 Helpful

CSCO12938204
Level 1
Level 1
In response to CSCO12938204

‎08-27-2021 11:11 AM

I think i know the reason but i don't know the solution. Below are my findings from packet capture :

 

-> Once Authentication part is completed. ISE has sent the FIN + ACK packet to CPPM server

-> 8th Packet is from CPPM server as a Acknowledgement.

-> But in 9th packet CPPM is sending Authorization query on same port channel which is already closed by ISE. That is the reason in 10th packet ISE is doing RST. Ideally 9th should be as FIN + ACK from CPPM server and then 10th packet will become ACK from ISE.

 

As per my understanding, for authorization, communication will happen on different port channel. Please correct me if I am wrong. 

Can someone put some insight on this. Thanks. 

Customers Also Viewed These Support Documents