SSM ON-Prem TACACS+ and Clearpass

Counterdoc
Level 1

Hi,

I am trying to configure TACACS+ on our SSM On-Prem server so that I am able to log in to the web interface with my AD user. The TACACS+ configuration is done in ClearPass, and the test in the configuration window on the SSM server was successful.

But as soon as I try to log in with my user on the login window, it does not work:

[screenshot: Counterdoc_0-1713516283437.png]

In ClearPass everything looks fine, and I am not sure how I could debug that issue on the SSM side.

[screenshot: Counterdoc_1-1713516355075.png]

This is how my config in ClearPass looks:

[screenshot: Counterdoc_2-1713516408976.png]

Is anybody using ClearPass for TACACS+ and SSM?

Thank you!

Cheers,
Marius

6 Replies

What are you trying to do? Cisco SSM? As in Smart Software Manager? Does SSM use TACACS+ privilege levels?

Yes, Cisco Smart Software Manager. At least it offers TACACS+ auth in the settings:

[screenshot: Counterdoc_0-1713878410207.png]

Just saw this message in the release notes:

[screenshot: Counterdoc_0-1713883140148.png]

So I guess I need to configure ClearPass to send back the correct user role. But I don't know exactly which role I need to send and which service to use.

The three system role types are: System User, System Operator, and System Administrator. Is this for CLI or GUI access to SSM? It looks to me from the configuration guide that the GUI uses system roles while the CLI uses privilege levels. But it doesn't specify what those attributes should be.

As far as the service goes, that's up to the ClearPass configuration and where you would like that service to live.

That's the problem I have. I don't know which attributes are needed for the GUI. I am still going through the logs on the SSM side, but there is not a lot of info in them. Like you said, the configuration guide unfortunately doesn't specify anything.

Apr 25 05:22:09 uzuh41 a17c57646a7b: (tacacs) Setup endpoint detected, running now.
Apr 25 05:22:09 uzuh41 a17c57646a7b: (tacacs) Request phase initiated.
Apr 25 05:22:10 uzuh41 a17c57646a7b: (tacacs) Authentication failure! unauthorized encountered.

I use secure LDAP for on-prem SSM access with no issues. The bug below states:

"It appears that there is no possibility of using TACACS attributes to fully automate User/Operator/Admin access."

hth

Andy

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy62936