04-19-2024 01:51 AM
Hi,
I am trying to configure TACACS+ on our SSM On-Prem server so that I am able to log in on the web interface with my AD user. The TACACS+ configuration is done in ClearPass, and the test in the configuration window on the SSM server was successful.
But as soon as I try to log in with my user on the login window, it is not working:
In Clearpass everything looks fine and I am not sure how I could debug that issue on the SSM side.
This is how my config in Clearpass looks:
Is anybody using Clearpass for TACACS+ and SSM?
Thank you!
Cheers,
Marius
04-19-2024 10:38 AM
What are you trying to do? Cisco SSM? As Smart Software Manager? Does SSM use TACACS+ priv levels?
04-23-2024 06:20 AM
Yes, Cisco Smart Software Manager. At least it offers TACACS+ Auth in the settings:
04-23-2024 07:39 AM
Just saw this message in the release notes:
So I guess I need to configure Clearpass to send back the correct user role. But I don't know which exact role I need to send and which service to use.
04-24-2024 06:50 AM
The three system role types are: System User • System Operator • System Administrator. Is this for CLI or GUI access to SSM? It looks to me from the configuration guide that the GUI uses system roles while the CLI uses Privilege levels. But it doesn't specify what those attributes should be.
As far as the Service, that's up to the ClearPass configuration and where you would like that service to live.
04-24-2024 10:59 PM
That's the problem I have. I don't know which attributes are needed for the GUI. I am still going through the logs on the SSM side, but there is not a lot of info in them. Like you said, the configuration guide doesn't specify anything, unfortunately.
Apr 25 05:22:09 uzuh41 a17c57646a7b: (tacacs) Setup endpoint detected, running now.
Apr 25 05:22:09 uzuh41 a17c57646a7b: (tacacs) Request phase initiated.
Apr 25 05:22:10 uzuh41 a17c57646a7b: (tacacs) Authentication failure! unauthorized encountered.
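The three SSM On-Prem log lines quoted in the post above are the only server-side evidence available, so the useful thing is to pull the TACACS+ entries out of a larger log and line them up by timestamp with the ClearPass Access Tracker. The following script is an added example, not from the thread or from Cisco/ClearPass; the log format it parses is inferred from the three lines posted, and the fourth (ldap) line in the sample is constructed only so the filter has something to exclude.

```python
import re
from collections import Counter

# Constructed sample: the three SSM On-Prem lines quoted in the thread plus one
# made-up non-TACACS line, so the source filter has something to discard.
SAMPLE_LOG = """\
Apr 25 05:22:09 uzuh41 a17c57646a7b: (tacacs) Setup endpoint detected, running now.
Apr 25 05:22:09 uzuh41 a17c57646a7b: (tacacs) Request phase initiated.
Apr 25 05:22:10 uzuh41 a17c57646a7b: (tacacs) Authentication failure! unauthorized encountered.
Apr 25 05:30:01 uzuh41 a17c57646a7b: (ldap) Request phase initiated.
"""

# Layout assumed from the posted lines: syslog-style timestamp, host, container id,
# then the auth source in parentheses and a free-text message.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<container>[0-9a-f]+): \((?P<source>\w+)\) (?P<msg>.*)$"
)

FAILURE_MARKERS = ("failure", "unauthorized", "denied")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    msg = entry["msg"].lower()
    entry["failure"] = any(marker in msg for marker in FAILURE_MARKERS)
    return entry


def entries_for(text, source="tacacs"):
    """All parsed lines emitted by the given auth source, in file order."""
    parsed = (parse_line(ln) for ln in text.splitlines())
    return [e for e in parsed if e and e["source"] == source]


def auth_failures(text, source="tacacs"):
    """Only the lines that report an authentication/authorization failure."""
    return [e for e in entries_for(text, source) if e["failure"]]


def phase_summary(text):
    """Count lines per auth source, e.g. to see whether the TACACS+ exchange ran at all."""
    counts = Counter()
    for ln in text.splitlines():
        e = parse_line(ln)
        if e:
            counts[e["source"]] += 1
    return dict(counts)


def correlation_keys(text, source="tacacs"):
    """(time, host) pairs for failures, to look up the matching ClearPass request."""
    return [(e["time"], e["host"]) for e in auth_failures(text, source)]


if __name__ == "__main__":
    for e in entries_for(SAMPLE_LOG):
        flag = "FAIL" if e["failure"] else "    "
        print(f"{flag} {e['time']} {e['host']} {e['msg']}")
    print("per-source counts:", phase_summary(SAMPLE_LOG))
    print("correlate in ClearPass at:", correlation_keys(SAMPLE_LOG))
```

Feed it the real SSM log (for example `python3 ssmlog.py < /path/to/log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`) and take the `(time, host)` pairs to the ClearPass Access Tracker filtered on the TACACS+ service; the SSM side shows that the request phase completed and the result was rejected, so the attribute detail has to come from the ClearPass side.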
04-25-2024 06:12 AM
I use secure LDAP for on-prem SSM access with no issues. The bug below states:
"It appears that there is no possibility of using TACACS attributes to fully automate User/Operator/Admin access."
hth
Andy