
Re: IMC Operator does not authenticate against ClearPass TACACS server

 
Valued Contributor

IMC Operator does not authenticate against ClearPass TACACS server

Hello,

I'm trying to set up IMC so that operators authenticate against a TACACS server (in my case it is Aruba ClearPass). I have been successful in authenticating a number of heterogeneous networking devices, but it looks like IMC does not like it.

I have set up the "System->Operator-Authentication server:TACACS+" as per the online help, but nothing happens.

I cannot even see an authentication attempt in the ClearPass server (obviously I verified that the NAS IP and SECRET key are matching).

Does anyone have any experience with this kind of setting?

Thanks in advance for sharing,

Ray
HPE Pro

Re: IMC Operator does not authenticate against ClearPass TACACS server

Hi,

 

As per the IMC Administration guide, it says "You can configure authentication services through RADIUS or LDAP using the Authentication Server feature found under Operator Management" and does not talk about TACACS. Maybe you can try with RADIUS.

Thank You!
I am an HPE Employee


Valued Contributor

Re: IMC Operator does not authenticate against ClearPass TACACS server

Hello,

The Administration guide does not talk about TACACS, but the On-line Help does.

I have tried to configure it using RADIUS, and that works fine.

However, we are trying to consolidate all IT Access Services using TACACS, as it is commonly used by most networking devices and apps, and also to streamline the ClearPass policies.

We are currently not running the latest IMC version, so I'll install the latest patch and give it another try.

If it works I'll keep you posted.

Thanks

Ray

HPE Pro

Re: IMC Operator does not authenticate against ClearPass TACACS server

Hi Ray,

Were you able to upgrade the IMC and test?

Thank You!
I am an HPE Employee


Valued Contributor

Re: IMC Operator does not authenticate against ClearPass TACACS server

Hello,

I have upgraded to the latest patch release (P06) with the same result.

The TACACS configuration fields are still in the "Authentication server" tab, but they do not seem to take effect, and the On-line Help still mentions the TACACS configuration possibility.

Nevertheless, the configuration template still lacks the "privilege-level" mapping used by the TACACS protocol to assign an operator's role.

This is really annoying because I do not know if that piece of code has been left over by mistake, or reserved for future use, or should work as such ...

It would be very useful, if HPE could talk to the product marketing to find out if there is a pending enhancement request, if/when it is likely to come, or what is going on.

Thanks

Ray

HPE Pro

Re: IMC Operator does not authenticate against ClearPass TACACS server

Hello,

The TACACS auth feature for operators should work. Have you tried authenticating to TACACS without returning any specific attributes? Keep in mind, the feature does require you to manually create each TACACS user as an operator in IMC that you'd like to allow to log in via TACACS.

The "privilege level" that the user gets will thus be determined by you, when you manually create the operator in IMC - with "Authentication Type" set to TACACS and "Operator Group" used to determine what the operator is able to do. The TACACS server will simply handle the verification of credentials here, giving the ACCEPT/REJECT to allow iMC to determine whether the operator is allowed to log in in the first place.

Personally I'd suggest using the much more popular LDAP method to an Active Directory server, as this option requires no manual work to create operators. It has the benefit of being able to automatically add a new operator to iMC when that user first logs in - if their AD attributes match what you have defined in the Advanced Settings > Synchronize LDAP Operator. For example, you could allow all members of the "Domain Admins" security group to log into iMC. If the AD Domain Admin didn't already exist as an operator in iMC, it would automatically be created and assigned to iMC's built-in "Administrator" group (or any other - it's really up to how you configure it).

Best regards,
Justin

Working @ HPE
Valued Contributor

Re: IMC Operator does not authenticate against ClearPass TACACS server

Hello,

I have done some further testing.

As I have currently configured the RADIUS authentication server, IMC is always using RADIUS, and I could not find any way to prioritize TACACS over RADIUS (I cannot delete the configuration, I have tried to put an invalid address, 0.0.0.0, blank, etc.). IMC never falls back on TACACS. So it might work but I cannot test it.

Concerning the use of AD, I want to use ClearPass as a single point of authentication for the whole network, and I'm trying to consolidate all device and network app access using TACACS, in order to streamline the CPPM policies and services as much as possible.

Thanks