TACACS+ Based Enforcement Profile

To review a sample TACACS (Terminal Access Controller Access Control System) profile configuration, refer to Sample TACACS Profile Configuration.

Enforcement Profile Configuration

To create a TACACS+ (Terminal Access Controller Access Control System Plus) Based Enforcement profile:

1. Navigate to Configuration > Enforcement > Profiles.

2. From the Enforcement Profiles page, click Add. The Add Enforcement Profiles dialog opens.

3. From the Template drop-down, select TACACS+ Based Enforcement.

Figure 1  Add TACACS+ Based Enforcement Profile Dialog

4. Specify the Add TACACS+ Based Enforcement Profile > Profile tab parameters as described in the following table:

Table 1: TACACS+ Based Enforcement > Profile Parameters

Parameter

Action/Description

Template

Select the TACACS+ Based Enforcement template.

Name

Enter the name of the profile.

Description

Enter a description of the profile (recommended).

Type

This field is populated automatically for TACACS+.

Action

A TACACS+ Based Enforcement profile allows you to set the Action value to either Accept or Reject. The default value is Accept. If you select Reject, the TACACS+ authentication request is rejected when the enforcement profile is assigned. The Drop option is disabled and is not available for a TACACS+ enforcement profile.

ClearPass does not allow the modification of system-defined Enforcement Profiles; the "[TACACS+ Deny Enforcement Profile]" is set to Action = Accept by default. HPE Aruba Networking recommends creating a new profile to modify the Action field. With the default Deny profile, the TACACS+ protocol correctly returns an Accept event if the user authenticates successfully, but the profile then also returns privilege level 0 for the TACACS+ authorization. To change this behavior, create a new profile with Action set to Reject for these circumstances.

Device Group List

Select a Device Group from the drop-down list.

All configured device groups are listed on the Configuration > Network > Device Groups page. After one or more device groups have been added to Policy Manager, you can select a device group and take one of the following actions:

To delete the selected Device Group List entry, click Remove.

To see the device group parameters, click View Details.

To change the parameters of the selected device group, click Modify.

NOTE: To add a new device group, click the Add New Device Group link. See Adding and Modifying Device Groups.

 

In a TACACS+ workflow, if the tokenGroups attribute is used to filter a user's group membership list from Active Directory, the filter query fails and the error message "Failed to get value for attributes=Nested Groups" is displayed. The tokenGroups attribute is not currently supported in TACACS+ workflows. Use the memberOf attribute instead to check membership.

Services Configuration

The following figure displays the TACACS+ Based Enforcement > Services dialog:

Figure 2  TACACS+ Based Enforcement > Services Dialog

Specify the TACACS+ Based Enforcement Profile > Service parameters as described in the following table:

Table 2: TACACS+ Based Enforcement > Services Parameters

Parameter

Action/Description

Privilege Level

Select a level between 0 and 15, with 0 being the minimum privilege level and 15 being the highest.

NOTE: Use Privilege Level 0 for basic TACACS+ authentication.

Selected Services

Select one or more of the following services:

Shell

PIX Shell

PPP:IP

PPP:IPX

PPP:LCP

ARAP

cpass:HTTP

cpass:CLI

Wireless-WCS:HTTP

CiscoWLC:Common

Aruba:Common

junos-exec

AMP:https

NCS:HTTP

Infoblox

NOTE: When you select one or more services, the Commands tab is enabled.

Export All TACACS+ Services Dictionaries

Click this link to download the TACACS+ Services dictionary (TacacsServiceDictionary.xml) to the local system.

Authorize Attribute Status

Select one of the following options:

ADD

REPLACE

FAIL

NOTE: Specifying the FAIL option causes the authorization request to fail; the device receives an authorization failure instead of a set of attributes.

Custom Services

To add new TACACS+ services or attributes by uploading a modified dictionary, click the Update TACACS+ Services Dictionary link.

Service Attributes

Type

Click the Type dropdown menu to select a service attribute type.

For example, if one of the services you selected was Shell, Shell will be one of the available Service Attribute types.

After the services have been selected, you can select the attributes to send from Policy Manager (from the drop-down list in the Name field).

You can also add custom attributes in the Name field.

Add service attributes corresponding to the services selected in Selected Services.

Policy Manager by default provides attributes for some of the listed services.

Name

The options displayed for the Name attribute depend on the Type attribute that was specified.

Value

The options displayed for the Value attribute depend on the Type and Name attributes that were specified.
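The ADD, REPLACE and FAIL options above map directly onto the TACACS+ authorization reply status codes (PASS_ADD, PASS_REPL and FAIL in RFC 8907), and the Privilege Level is delivered to the device as the priv-lvl attribute of the shell service. The following Python script is an added example for this page, not ClearPass code: it builds an authorization REPLY carrying those values, obfuscates the body with the shared secret as the protocol requires, and decodes it again. The session ID, sequence number and shared secret are constructed sample values.

```python
"""Encode and decode a TACACS+ (RFC 8907) authorization REPLY.

Added illustration, not ClearPass code. Shows what the Authorize Attribute
Status choices ADD / REPLACE / FAIL and the Privilege Level setting become on
the wire, and how the shared secret obfuscates the packet body.
"""
import hashlib
import struct

# RFC 8907 section 6.2 authorization reply status codes.
AUTHOR_STATUS = {
    "ADD": 0x01,      # TAC_PLUS_AUTHOR_STATUS_PASS_ADD
    "REPLACE": 0x02,  # TAC_PLUS_AUTHOR_STATUS_PASS_REPL
    "FAIL": 0x10,     # TAC_PLUS_AUTHOR_STATUS_FAIL
}
STATUS_NAME = {v: k for k, v in AUTHOR_STATUS.items()}

TAC_PLUS_VERSION = (0xC << 4) | 0  # major version 0xc, minor version 0
TAC_PLUS_AUTHOR = 0x02             # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # set only when the body is NOT obfuscated


def encode_author_reply(status: str, args, server_msg: str = "") -> bytes:
    """Cleartext REPLY body:
    status(1) arg_cnt(1) server_msg_len(2) data_len(2) arg_len(1)*N
    server_msg data arg_1 ... arg_N
    """
    arg_bytes = [a.encode() for a in args]
    msg = server_msg.encode()
    body = struct.pack("!BBHH", AUTHOR_STATUS[status], len(arg_bytes), len(msg), 0)
    body += bytes(len(a) for a in arg_bytes)
    body += msg
    for a in arg_bytes:
        body += a
    return body


def decode_author_reply(body: bytes):
    """Return (status name, [attribute=value, ...], server_msg)."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + arg_cnt])
    pos = 6 + arg_cnt
    server_msg = body[pos:pos + msg_len].decode()
    pos += msg_len + data_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return STATUS_NAME.get(status, status), args, server_msg


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """MD5 chain from RFC 8907 section 4.5: MD5_1 = MD5(sid|key|ver|seq),
    MD5_n = MD5(sid|key|ver|seq|MD5_n-1); the pad is XORed with the body."""
    sid, ver, seq = struct.pack("!I", session_id), bytes([TAC_PLUS_VERSION]), bytes([seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + ver + seq + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """Apply or remove the obfuscation (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_packet(status, args, session_id, key, seq_no):
    """12-byte header followed by the obfuscated body (flags=0)."""
    body = encode_author_reply(status, args)
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHOR,
                         seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_author_packet(packet, key):
    """Parse a packet produced by build_author_packet using the shared secret."""
    _ver, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, seq_no)
    return decode_author_reply(body)


if __name__ == "__main__":
    # Constructed sample values: session id, reply sequence number 2, secret.
    secret = b"ConstructedSharedSecret"
    pkt = build_author_packet("ADD", ["priv-lvl=15"], 0x12345678, secret, 2)
    print(parse_author_packet(pkt, secret))  # ('ADD', ['priv-lvl=15'], '')
```

A reply with a wrong shared secret decodes to garbage rather than to an error, which is why a mismatched secret between ClearPass and the device shows up as malformed or rejected packets rather than as an authentication failure.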

Command Authorization Configuration

From the Commands tab, you can configure commands and arguments allowed or disallowed for the selected Service Type.

Figure 3  TACACS+ Command Authorization Configuration Dialog

1. In the Service Type field, select the Shell or PIX shell radio button. Subsequent selections in this tab configure commands and arguments allowed or disallowed for this selection.

2. (Optional) In the Unmatched Commands field, select the Enable this option to permit unmatched commands check box to allow commands that are not explicitly entered in the Commands list.

3. Next, you must create a list of commands recognized for the specified service type. To add a command, click the Add button on the Commands tab. The Configure TACACS+ Command Authorization dialog opens.

4. In the Configure TACACS+ Command Authorization dialog, enter values for the following parameters:

Shell Command. A string for the command (for example, show). This is followed by one or more command argument rows.

Command Arguments. The arguments for the command.

Action. To permit use of this command argument, select the Enable to permit check box. If this check box is cleared, the column shows Deny and the command argument is not allowed.

5. In the Unmatched Arguments field, select the Permit option to permit this command even if Policy Manager receives arguments for the command that it does not recognize.

6. Select the Deny radio button to deny the command if Policy Manager receives unrecognized arguments.

7. To save and exit, click outside the row you are editing then click Save.
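The decision that the Commands tab configures has four inputs: the command list, the per-argument permit/deny rows, the Unmatched Commands option, and the per-command Unmatched Arguments setting. The following Python script is an added example for this page, not ClearPass code, that models that decision and applies it to the cmd / cmd-arg attribute-value pairs a device sends in a TACACS+ authorization request. It assumes argument rows are matched exactly against the remainder of the command line (the product's own matching engine may support patterns); the policy and request attribute lists are constructed sample values.

```python
"""Model of TACACS+ shell command authorization as described by the Commands tab.

Added illustration, not ClearPass code. Assumptions: an argument row matches
the remainder of the command line exactly, and anything unrecognized is
denied unless the corresponding "unmatched" option permits it.
"""
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    command: str
    # argument string -> True ("Enable to permit" checked) / False (Deny)
    arguments: dict = field(default_factory=dict)
    unmatched_arguments: str = "Deny"  # Permit or Deny radio button


@dataclass
class CommandPolicy:
    service_type: str = "Shell"  # Shell or PIX Shell
    permit_unmatched_commands: bool = False
    rules: list = field(default_factory=list)


def command_from_avps(avps):
    """Extract (cmd, argument string) from authorization request AV pairs.

    Devices send cmd=<word> followed by one cmd-arg=<token> per argument,
    usually terminated by cmd-arg=<cr>, which is not part of the command.
    """
    cmd, args = None, []
    for avp in avps:
        name, _sep, value = avp.partition("=")
        if name == "cmd":
            cmd = value
        elif name == "cmd-arg" and value != "<cr>":
            args.append(value)
    return cmd, " ".join(args)


def authorize(policy, cmd, arg_string):
    """Return ("Permit" | "Deny", reason)."""
    rule = next((r for r in policy.rules if r.command == cmd), None)
    if rule is None:
        if policy.permit_unmatched_commands:
            return "Permit", f"{cmd!r} not in command list; unmatched commands permitted"
        return "Deny", f"{cmd!r} not in command list"
    if arg_string in rule.arguments:
        if rule.arguments[arg_string]:
            return "Permit", f"{cmd!r} {arg_string!r} explicitly permitted"
        return "Deny", f"{cmd!r} {arg_string!r} explicitly denied"
    if rule.unmatched_arguments == "Permit":
        return "Permit", f"{cmd!r}: unmatched arguments permitted"
    return "Deny", f"{cmd!r} {arg_string!r}: unmatched arguments denied"


def authorize_request(policy, avps):
    cmd, arg_string = command_from_avps(avps)
    return authorize(policy, cmd, arg_string)


# Constructed sample policy: a read-only operator that may not dump
# tech-support output or enter configuration mode.
OPERATOR_POLICY = CommandPolicy(
    service_type="Shell",
    permit_unmatched_commands=False,
    rules=[
        CommandRule("show", {"running-config": True, "tech-support": False}, "Permit"),
        CommandRule("configure", {"terminal": False}, "Deny"),
        CommandRule("exit", {"": True}, "Deny"),
    ],
)


if __name__ == "__main__":
    for avps in (
        ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"],
        ["service=shell", "cmd=show", "cmd-arg=tech-support", "cmd-arg=<cr>"],
        ["service=shell", "cmd=configure", "cmd-arg=terminal", "cmd-arg=<cr>"],
        ["service=shell", "cmd=reload", "cmd-arg=<cr>"],
    ):
        print(avps[1:], "->", authorize_request(OPERATOR_POLICY, avps))
```

Leaving Unmatched Commands disabled and each rule's Unmatched Arguments set to Deny is the fail-closed configuration; the sample "show" rule above is the deliberate exception, since an operator profile that must list every show sub-command is rarely maintained.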

TACACS Profile Configuration Example

When setting up authentication for TACACS+, it can be a challenge to configure the correct attributes to send back to ExtraHop for authorization (permission roles). For Policy Manager to recognize these attributes, they must be added to the attribute dictionary.

To configure profile and attribute parameters for TACACS+ based enforcement profiles:

1. Download the ExtraHop_tacacsCPPMdictionary.txt file, which inserts the correct attributes into the Policy Manager attribute dictionary.

2. Log in to Policy Manager.

3. In Policy Manager, navigate to Administration > Dictionaries > TACACS+ Services. The TACACS+ Services Dictionaries page opens.

4. To import the ExtraHop_tacacsCPPMdictionary.txt XML file, click the Import link.

5. Navigate to Configuration > Network Devices.

6. Add the ExtraHop device IP address as a Network Device (for details, see Adding a Network Device).

 

Make sure to use the same TACACS+ shared secret here as is configured on the ExtraHop device. The shared secret is the only key material for the TACACS+ body obfuscation, which is MD5-based and not strong encryption, so use a long random secret and keep TACACS+ traffic on a trusted management network.

7. Create a TACACS+ Based Enforcement profile as described above, using the ExtraHop TACACS+ attributes that you imported.