Re: IMC Operator does not authenticate against ClearPass TACACS server

Hi,

As per the IMC Administration guide, it says "You can configure authentication services through RADIUS or LDAP using the Authentication Server feature found under Operator Management' and does not talk about TACACS. May be you can try  with RADIUS.

Hello,

The Administration guide does not talk about TACAS, but On-line Help does.

I have tried to configure it using RADIUS, and that works fine.

However we tries to consolidate all IT Access Services using TACAS as iti is commonly used by most networking devices and apps., and also to streamile the Clearpass policies.

We are currently not running the latrst IMC version, so I'll install the lastest patch and give another try.

If it works I'll keep you posted.

Thanks

Ray

Hi Ray,

Were you able to upgrade the IMC and test

Hello,

I have upgraded to the latest patch release (P06) with the same result.

The TACACS configuration fields are still in the "Authentication server" tab, but seems not to be taken in effect, and the ON-Line help still mentions the TACACS configuration possibilty.

Nevertheless the configuration template still lacks the "priviledge-level" mapping used by the TACACS protocol to assign an operator's role.

This is realyy annoying because I do not know if that piece of code has been left over my mistake, or reserved for future use, or should work as such ...

It would be very useful, if HPE could talk to the product marketing to find out if there is a pending enhancement request, if/when it is likely to come, or what is going on.

Thanks

Ray

Hello,

The TACACS auth feature for operators should work, have you tried authenticating to TACACS without returning any specific attributes? Keep in mind, the feature does require you to manually create each TACACS user as an operator in IMC that you'd like to allow to login via TACACS.

The "privilege level" that the user gets will thus be determined by you, when you manually create the operator in IMC - with "Authentication Type" set to TACACS and "Operator Group" used to determine what the operator is able to do. The TACACS server will simply handle the verification of credentials here, giving the ACCEPT/REJECT to allow iMC to determine whether the operator is allowed to login in the first place.

Personally I'd suggest using the much more popular LDAP method to an Active Directory server, as this option requires no manual work to create operators. It has the benefit of being able to automatically add a new operator to iMC when that user first logs in - if their AD attributes match what you have defined in the Advanced Settings > Synchronize LDAP Operator. For example, you could allow all members of the "Domain Admins" security group to log into iMC. If the AD Domain Admin didn't already exist as an operator in iMC, it would automatically be created and assigned to iMC's built-in "Administrator" group (or any other - it's really up to how you configure it).

Best regards,
Justin

Working @ HPE

Hello,

I'm have made some further testing.

As I have currently configure the RADIUS authentication server, IMC is always using RADIUS, and I could not find any way to prioritize TACACS over RADIUS (I cannot delete the configuration, I have tried to put an invalid address, 0.0.0.0, blank, etc), IMC never falls back on TACACS. So it might work but I cannot test it.

Concerning the use of AD, I want to use ClearPass as a single point of authentications for the whole network, and I'm trying to consoldate all devices and network apps accesses using TACACS, in order to streamline the CPPM polices and services as much as possible.

Thanks