Setting up Aruba ClearPass for TACACS+ Authentication

authentication

#1

When setting up authentication for ClearPass Tacacs+, it’s a common challenge to configure the different attributes to send back to ExtraHop for authorization (or permission roles). In order to properly configure ClearPass to know of these attributes, they must be added to the dictionary.

The following file can be imported into ClearPass, which will insert the correct attributes into it’s attribute dictionary.

  1. Download the attached XML file ExtraHop_tacacsCPPMdictionary.txt (1.0 KB)
  2. Login to ClearPass Policy Manager
  3. In ClearPass, go to Admin --> Dictionaries --> Tacacs Services
  4. Import the XML file downloaded from Step 1
  5. Add the ExtraHop Device IP Address as a Network Device in ClearPass under “Configuration --> Network --> Devices”. Make sure to use the same secret key here as on the ExtraHop.
  6. Create a TACACS+ based Enforcement profile, using the attributes that were imported from Step 1. See attribute settings below

PICK ONE

  • setup = 1 – Full Administration (Access to Admin UI)
  • readwrite = 1 – Full Access to ExtraHop User UI
  • limited = 1 – User can only create, modify, and share dashboards
  • readonly = 1 – User can only view objects in ExtraHop User UI
  • personal = 1 – User can only view objects in ExtraHop User UI, but can also create dashboards (cannot share dashboards)
  • limited_metrics = 1 – User can only see dashboards that are shared to them

In addition, if you have an ETA (Packet Trace Appliance), you can add another attribute. PICK ONE:

  • packetsfull = 1 – Allows users to download packets (does not matter on permission level above)
  • packetsfullwithkeys = 1 – Allows users to download packets and associated TLS keys (does not matter on permission level above)