ClearPass TACACS+ Cisco switch AAA Active directory
ClearPass version: 6.6.0.81015
ClearPass IP: 192.168.32.18
Cisco Switch IP: 192.168.32.13
Setup:
Group Name : VDI-Group1
Group Name : VDI_Group2
When a user who is a member of group “VDI-Group1” logs in to the switch, he/she gets privilege level 15; when a user who is a member of group “VDI_Group2” logs in, he/she gets privilege level 3. We will also restrict some commands using ClearPass command authorization.
ClearPass:
Add the NAD to ClearPass:
Configuration » Network » Devices
Configuration » Enforcement » Profiles »
Add new enforcement profile: I named it “3850 Pri 3”
Create another Profile
Configuration » Enforcement » Profiles » Edit Enforcement Profile [I named it “3850 Cisco Pri 15”]
Create Two Roles:
Configuration » Identity » Roles
A ClearPass Role is nothing but a TAG. You can name it whatever you like, but it is better to pick a name you will recognise later.
Create Role Mapping:
Configuration » Identity » Role Mappings. I named it “TAC_role”.
Role Mapping TAGs the user so that we can use the TAG later in Policies. For example, if the user is a member of VDI-Group1, Role Mapping TAGs them as cpass_admin. We will use this TAG later in policies to enforce the rule.
Configuration » Enforcement » Policies »
Create an Enforcement Policy. I named it “3850 Policy”.
These are the two TIPS roles.
1. When ClearPass authenticates a user, it checks the user against the Role Mapping and applies the TAG according to our Role Map.
2. ClearPass then checks the user's TAG [TIPS Role] and enforces the action we selected.
Now we need to create a Service, which brings it all together!
Configuration » Services »
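To make the flow above concrete, here is an added example (not ClearPass code) that models the decision in Python: AD group -> TIPS role TAG (Role Mapping) -> Enforcement Profile (Enforcement Policy) -> the priv-lvl returned in the TACACS+ shell authorization reply, plus first-match command authorization for the privilege-3 profile. The group names, profile names and the cpass_admin TAG come from this post; the cpass_ops TAG, the command rules, the first-match ordering and the deny-by-default behaviour are assumptions.

```python
# Added example; 'cpass_ops', the command rules and the default actions are assumptions,
# the group names, profile names and 'cpass_admin' come from the post.
import re
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    priv_lvl: int
    # Command rules as (action, cmd, arg_regex); evaluated top to bottom, first match wins.
    rules: list = field(default_factory=list)
    default_action: str = "deny"  # applied when no rule matches (assumed default)


# Role Mapping: AD group membership -> TAG (VDI_Group2 -> cpass_ops is assumed).
ROLE_MAPPING = {"VDI-Group1": "cpass_admin", "VDI_Group2": "cpass_ops"}

# Enforcement Policy: TAG -> profile; entries are checked in this order, first hit wins.
ENFORCEMENT_POLICY = {
    "cpass_admin": Profile("3850 Cisco Pri 15", 15, default_action="permit"),
    "cpass_ops": Profile("3850 Pri 3", 3, rules=[
        ("deny", "show", r"running-config.*"),  # must precede the broad permit below
        ("permit", "show", r".*"),
        ("permit", "ping", r".*"),
    ]),
}


def select_profile(groups):
    """Return the enforcement profile for a user's AD groups, or None if no TAG applies."""
    tags = {ROLE_MAPPING[g] for g in groups if g in ROLE_MAPPING}
    for tag, profile in ENFORCEMENT_POLICY.items():
        if tag in tags:
            return profile
    return None  # no matching TAG: ClearPass would reject the authorization


def authorize_shell(groups):
    """Shell (exec) authorization: the reply the switch uses to set the session privilege."""
    profile = select_profile(groups)
    return None if profile is None else {"priv-lvl": profile.priv_lvl}


def authorize_command(groups, command_line):
    """Command authorization for one IOS command, split into cmd and cmd-arg as the switch sends it."""
    profile = select_profile(groups)
    if profile is None:
        return False
    cmd, _, args = command_line.strip().partition(" ")
    for action, rule_cmd, arg_regex in profile.rules:
        if rule_cmd == cmd and re.fullmatch(arg_regex, args):
            return action == "permit"
    return profile.default_action == "permit"
```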
##### #### ### Cisco Switch Part ####
! aaa new-model must come first: it unlocks the other aaa commands below
aaa new-model
!
! 123456 is the lab key from this post; use a long random shared secret in production
tacacs server ARUBA
 address ipv4 192.168.32.18
 key 123456
!
aaa group server tacacs+ CPASS
 server name ARUBA
tacacs-server directed-request
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
! exec authorization (not in the original listing) is what applies the priv-lvl ClearPass returns
aaa authorization exec default group tacacs+ local
! These two commands enable command authorization (enforcement)
aaa authorization config-commands
! only level-15 commands are sent to ClearPass; add one line per level (e.g. 3) to cover other levels
aaa authorization commands 15 default group tacacs+ local if-authenticated
############### End ######################
Read more:
Ref: http://packetlife.net/blog/2010/sep/27/basic-aaa-configuration-ios/