- Community Home
- >
- Networking
- >
- IMC
- >
- IMC Operator does not authenticate against ClearPa...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-04-2020 10:20 AM
тАО08-04-2020 10:20 AM
IMC Operator does not authenticate against ClearPass TACACS server
Hello,
I'm trying to setup IMC so that operators authenticate against a TACACS server (in my case it is aruba Clear Pass). I have been successful to anthenticate a number of heterogenous networking devices, that it looks IMC does not like it.
I have setup the "System->Operator-Authentication server:TACAS+" as per the online help, but nothing happens.
I cannot even see an authentication attempt in the clear pass server (obviously I verified that NAS IP and SECRET key are matching
Has someone any experience in this kind of setting?
Thanks in advance for sharing:
Ray
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-06-2020 05:05 AM
тАО08-06-2020 05:05 AM
Re: IMC Operator does not authenticate against ClearPass TACACS server
Hi,
As per the IMC Administration guide, it says "You can configure authentication services through RADIUS or LDAP using the Authentication Server feature found under Operator Management' and does not talk about TACACS. May be you can try with RADIUS.
I am an HPE Employee
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-06-2020 07:21 AM
тАО08-06-2020 07:21 AM
Re: IMC Operator does not authenticate against ClearPass TACACS server
Hello,
The Administration guide does not talk about TACAS, but On-line Help does.
I have tried to configure it using RADIUS, and that works fine.
However we tries to consolidate all IT Access Services using TACAS as iti is commonly used by most networking devices and apps., and also to streamile the Clearpass policies.
We are currently not running the latrst IMC version, so I'll install the lastest patch and give another try.
If it works I'll keep you posted.
Thanks
Ray
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-19-2020 02:57 AM
тАО08-19-2020 02:57 AM
Re: IMC Operator does not authenticate against ClearPass TACACS server
Hi Ray,
Were you able to upgrade the IMC and test
I am an HPE Employee
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-07-2020 02:51 AM
тАО09-07-2020 02:51 AM
Re: IMC Operator does not authenticate against ClearPass TACACS server
Hello,
I have upgraded to the latest patch release (P06) with the same result.
The TACACS configuration fields are still in the "Authentication server" tab, but seems not to be taken in effect, and the ON-Line help still mentions the TACACS configuration possibilty.
Nevertheless the configuration template still lacks the "priviledge-level" mapping used by the TACACS protocol to assign an operator's role.
This is realyy annoying because I do not know if that piece of code has been left over my mistake, or reserved for future use, or should work as such ...
It would be very useful, if HPE could talk to the product marketing to find out if there is a pending enhancement request, if/when it is likely to come, or what is going on.
Thanks
Ray
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-08-2020 07:35 AM
тАО09-08-2020 07:35 AM
Re: IMC Operator does not authenticate against ClearPass TACACS server
Hello,
The TACACS auth feature for operators should work, have you tried authenticating to TACACS without returning any specific attributes? Keep in mind, the feature does require you to manually create each TACACS user as an operator in IMC that you'd like to allow to login via TACACS.
The "privilege level" that the user gets will thus be determined by you, when you manually create the operator in IMC - with "Authentication Type" set to TACACS and "Operator Group" used to determine what the operator is able to do. The TACACS server will simply handle the verification of credentials here, giving the ACCEPT/REJECT to allow iMC to determine whether the operator is allowed to login in the first place.
Personally I'd suggest using the much more popular LDAP method to an Active Directory server, as this option requires no manual work to create operators. It has the benefit of being able to automatically add a new operator to iMC when that user first logs in - if their AD attributes match what you have defined in the Advanced Settings > Synchronize LDAP Operator. For example, you could allow all members of the "Domain Admins" security group to log into iMC. If the AD Domain Admin didn't already exist as an operator in iMC, it would automatically be created and assigned to iMC's built-in "Administrator" group (or any other - it's really up to how you configure it).
Justin
Working @ HPE
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-08-2020 10:13 AM
тАО09-08-2020 10:13 AM
Re: IMC Operator does not authenticate against ClearPass TACACS server
Hello,
I'm have made some further testing.
As I have currently configure the RADIUS authentication server, IMC is always using RADIUS, and I could not find any way to prioritize TACACS over RADIUS (I cannot delete the configuration, I have tried to put an invalid address, 0.0.0.0, blank, etc), IMC never falls back on TACACS. So it might work but I cannot test it.
Concerning the use of AD, I want to use ClearPass as a single point of authentications for the whole network, and I'm trying to consoldate all devices and network apps accesses using TACACS, in order to streamline the CPPM polices and services as much as possible.
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-20-2021 02:45 AM
тАО09-20-2021 02:45 AM
Re: IMC Operator does not authenticate against ClearPass TACACS server
Hello @RPapaux
i have same problem it give me authentication server is not available. please contact the administrator
i want to ask did TACACS work with you if yes, can you help what is the configure in ClearPass you done like Profile and policy and Services ??
if not and you use RADIUS in ClearPass same i want to know what Profile and policy and Services ,
i want know what i missing ?
thank you
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-26-2021 04:01 AM
тАО09-26-2021 04:01 AM
Re: IMC Operator does not authenticate against ClearPass TACACS server
I have given up with IMC and TACACS, I'm using RADIUS instead.
In order to make it work, follow the steps below (roughly described):
On CPPM:
========
1. Create as many Enforcement profiles as you have Operator's Group in IMC, and use aruba VSA attribute as below:
Enforcement_prof1: RADIUS:Aruba Aruba-User-Role = Adminstrator Group
Enforcement_prof2: RADIUS:Aruba Aruba-User-Role = Maintainer Group
Enforcement_prof3: RADIUS:Aruba Aruba-User-Role = My Custom Group
etc ...
2. Create un CPPM policy to assign yours users (operators) to the apropriate Enforcement profiles.
3. Create a RADIUS Service -> PAP and bind it the policy you've just created.
On IMC:
=======
Configure CPPM as RADIUS server
In "Advanced Settings" create the mapping table below:
Vendor ID: 1483 -> Data type: String -> Data Value:Administrator Group -> Operator Group : Administrator Group
Vendor ID: 1483 -> Data type: String -> Data Value:Maintainer Group -> Operator Group : Maintainer Group
Vendor ID: 1483 -> Data type: String -> Data Value:My Custom Group -> Operator Group : My Custom Group
etc ...
A good thing is that you DO NOT need to create local users on IMC.
They will be automatically created the first time they log in.
I hope it helps
Ray
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-26-2021 04:26 AM
тАО09-26-2021 04:26 AM
Re: IMC Operator does not authenticate against ClearPass TACACS server
Hello RPapaux,
thank you for configure, but the TACACS with me finally, the problem was i use the virtualIP for IMC, we use IMC HA we have 2 server with 2 IP and 1 virtual IP when i use the in cleaerpass is not work when i use ip of the server it work fine for me.
thank you